Book Image

Keycloak - Identity and Access Management for Modern Applications

By : Stian Thorgersen, Pedro Igor Silva
Book Image

Keycloak - Identity and Access Management for Modern Applications

By: Stian Thorgersen, Pedro Igor Silva

Overview of this book

Implementing authentication and authorization for applications can be a daunting experience, often leaving them exposed to security vulnerabilities. Keycloak is an open-source solution for identity management and access management for modern applications, which can make a world of difference if you learn how to use it. Keycloak, helping you get started with using it and securing your applications. Complete with hands-on tutorials, best practices, and self-assessment questions, this easy-to-follow guide will show you how to secure a sample application and then move on to securing different application types. As you progress, you will understand how to configure and manage Keycloak as well as how to leverage some of its more advanced capabilities. Finally, you'll gain insights into securely using Keycloak in production. By the end of this book, you will have learned how to install and manage Keycloak as well as how to secure new and existing applications.
Table of Contents (21 chapters)
Section 1: Getting Started with Keycloak
Section 2: Securing Applications with Keycloak
Section 3: Configuring and Managing Keycloak
Section 4: Security Considerations

Securing native and mobile applications

Securing a web application with Keycloak is more straightforward than securing a native or mobile application. Keycloak login pages are essentially a web application and it is more natural to redirect a user to a different web application when they are already within the browser.

You may be tempted to implement login pages within the application itself to collect the username and password, then leverage the OAuth 2.0 Resource Owner Password Credential grant to obtain tokens. However, this is simply something that you should not be tempted to do. As mentioned in the previous section, applications should never have direct access to the user credentials, and this approach also means you miss out on a lot of features provided by Keycloak.

To secure a native or mobile application, you should use the Authorization Code flow with the PKCE extension instead. This is more secure, and at the same time gives you the full benefits of using Keycloak...