Book Image

Keycloak - Identity and Access Management for Modern Applications - Second Edition

By : Stian Thorgersen, Pedro Igor Silva
4.8 (5)
Book Image

Keycloak - Identity and Access Management for Modern Applications - Second Edition

4.8 (5)
By: Stian Thorgersen, Pedro Igor Silva

Overview of this book

The second edition of Keycloak - Identity and Access Management for Modern Applications is an updated, comprehensive introduction to Keycloak and its updates. In this new edition, you will learn how to use the latest distribution of Keycloak. The recent versions of Keycloak are now based on Quarkus, which brings a new and improved user experience and a new admin console with a higher focus on usability. You will see how to leverage Spring Security, instead of the Keycloak Spring adapter while using Keycloak 22. As you progress, you’ll understand the new Keycloak distribution and explore best practices in using OAuth. Finally, you'll cover general best practices and other information on how to protect your applications. By the end of this new edition, you’ll have learned how to install and manage the latest version of Keycloak to secure new and existing applications using the latest features.

Related Content you might be interested in

Current Title:

Small book image
Keycloak - Identity and Access Management for Modern Applications - Second Edition
Stian Thorgersen | Pedro Igor Silva
Jul, 2023 | 350 pages
Small book image
Cloud Identity Patterns and Strategies
Giuseppe Di Federico | Fabrizio Barcaroli
Dec, 2022 | 258 pages
Small book image
Azure Active Directory for Secure Application Development
Sjoukje Zaal
May, 2022 | 268 pages
Small book image
Implementing Multifactor Authentication
Marco Fanti
Jun, 2023 | 550 pages
Table of Contents (18 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
1
Getting Started with Keycloak
Getting Started with Keycloak
Technical requirements
Introducing Keycloak
Installing and running Keycloak
Discovering the Keycloak admin and account consoles
Summary
Questions
Free Chapter
2
Securing Your First Application
Securing Your First Application
Technical requirements
Understanding the sample application
Running the application
Understanding how to log in to the application
Securely invoking the backend REST API
Summary
Questions
3
Brief Introduction to Standards
Brief Introduction to Standards
Authorizing application access with OAuth 2.0
Authenticating users with OpenID Connect
Leveraging JWT for tokens
Understanding why SAML 2.0 is still relevant
Summary
Questions
4
Authenticating Users with OpenID Connect
Authenticating Users with OpenID Connect
Technical requirements
Running the OpenID Connect playground
Understanding the Discovery endpoint
Authenticating a user
Understanding the ID token
Invoking the UserInfo endpoint
Dealing with users logging out
Summary
Questions
Further reading
5
Authorizing Access with OAuth 2.0
Authorizing Access with OAuth 2.0
Technical requirements
Running the OAuth 2.0 playground
Obtaining an access token
Requiring user consent
Limiting the access granted to access tokens
Validating access tokens
Summary
Questions
Further reading
6
Securing Different Application Types
Securing Different Application Types
Technical requirements
Understanding internal and external applications
Securing web applications
Securing native and mobile applications
Securing REST APIs and services
Summary
Questions
Further reading
7
Integrating Applications with Keycloak
Integrating Applications with Keycloak
Technical requirements
Choosing an integration architecture
Choosing an integration option
Integrating with Golang applications
Integrating with Java applications
Integrating with JavaScript applications
Integrating with Node.js applications
Using a reverse proxy
Try not to implement your own integration
Summary
Questions
Further reading
8
Authorization Strategies
Authorization Strategies
Understanding authorization
Using RBAC
Using GBAC
Using OAuth2 scopes
Using ABAC
Using Keycloak as a centralized authorization server
Summary
Questions
Further reading
9
Configuring Keycloak for Production
Configuring Keycloak for Production
Technical requirements
Setting the hostname for Keycloak
Enabling TLS
Configuring a database
Enabling clustering
Configuring a reverse proxy
Testing your environment
Summary
Questions
Further reading
10
Managing Users
Managing Users
Technical requirements
Managing local users
Integrating with LDAP and Active Directory
Integrating with third-party identity providers
Integrating with social identity providers
Allowing users to manage their data
Summary
Questions
Further reading
11
Authenticating Users
Authenticating Users
Technical requirements
Understanding authentication flows
Using passwords
Using OTPs
Using Web Authentication (WebAuthn)
Using strong authentication
Summary
Questions
Further reading
12
Managing Tokens and Sessions
Managing Tokens and Sessions
Technical requirements
Managing sessions
Managing tokens
Summary
Questions
Further reading
13
Extending Keycloak
Extending Keycloak
Technical requirements
Understanding service provider interfaces
Changing the look and feel
Customizing authentication flows
Looking at other customization points
Summary
Questions
Further reading
14
Securing Keycloak and Applications
Securing Keycloak and Applications
Securing Keycloak
Securing cluster communication
Securing user accounts
Securing applications
Summary
Questions
Further reading
15
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
16
Other Books You May Enjoy
Other Books You May Enjoy
17
Index
Index

Limiting the access granted to access tokens

As access tokens get passed around from the application to services, it is important to limit the access granted. Otherwise, any access token could potentially be used to access any resource the user has access to.

There are a few different strategies that can be used to limit access for a specific access token. These include the following:

  • Audience: Allows listing the resource providers that should accept an access token.
  • Roles: Through controlling what roles a client has access to, it is possible to control what roles an application can access on behalf of the user.
  • Scope: In Keycloak, scopes are created through client scopes, and an application can only have access to a specific list of scopes. Furthermore, when applications require consent, the user must also grant access to the scope.

Let's go through these one at a time and see exactly how this can be done with Keycloak, starting with audience.

Using the audience to limit token...

Previous Section
End of Section 2
Next Section