Thursday, 21 June 2018

Keycloak Cordova Browser Tabs support

Thanks to gtudan we finally have support for browser tabs for Cordova in our JavaScript adapter. This enables using a system browser tab to do the login flows to Keycloak, which brings better security and also single sign-on and single sign-out to mobile applications secured with Keycloak.

This will be included in Keycloak 4.1.0.Final which will be released soon. In the meantime check this screen-cast to see this in action!

Sunday, 17 June 2018

Red Hat Single Sign-On in Keynote demo on Red Hat Summit!

Red Hat Summit is one of the most important events during the year. Many geeks, Red Hat employees and customers have great opportunity to meet, learn new things and attend lots of interesting presentations and trainings. During the summit this year, there were few breakout sessions, which were solely about Keycloak and Red Hat SSO. You can take a look at this blogpost for more details.

One of the most important parts of Red Hat Summit are Keynote demos, which show the main bullet points and strategies going forward. Typically they also contain the demos of the most interesting technologies, which Red Hat uses.

On the Thursday morning keynote, there was this demo to show the Hybrid Cloud with 3 clouds (Azure, Amazon, Private) in action! There were many technologies and interesting projects involved. Among others, let's name Red Hat JBoss Data Grid (JDG), OpenWhisk or Gluster FS. The RH-SSO (Red Hat product based on Keycloak project) had a honor to be used as well.

Red Hat SSO setup details

The frontend of the demo was the simple mobile game. RH-SSO was used at the very first stage to authenticate users to the mobile game. Each attendee had an opportunity to try it by yourself. In total, we had 1200 players of the game.

There was loadbalancer up-front and every user was automatically forwarded to one of the 3 clouds. The mobile application used RH-SSO Javascript adapter (keycloak.js) to communicate with RH-SSO.

With Javascript application, whole OpenID Connect login flow happens within browser and hence can rely on sticky session. So since Javascript adapter is used, you may think that we can do just "easy" setup and let the RH-SSO instances across all 3 clouds to be independent of each other and have each of them to use separate RDBMS and infinispan caches. See the image below for what such a setup would look like:

With this setup, every cloud is aware just about the users and sessions created on itself. This is fine with sticky session, but it won’t work for failover scenarios in case if one of the 3 clouds is broken/removed. There are also other issues with it - for example that admins and users see just sessions created on particular cloud. There are also potential security issues. For example when admin disables user on one cloud, user would still be enabled on other clouds as changes to user won’t be propagated to other clouds.

So we rather want to show more proper setup aware of the replication. Also because one part of the demo was showing failover in action. One of the 3 clouds (Amazon) was killed and users, who were previously logged in Amazon, were redirected to one of the remaining 2 clouds. The point was that the end user won't be able to recognize any change. Hence users previously logged in Amazon must be still able to refresh their tokens in Azure or Private cloud. This in turn meant that the data (both users, user sessions and caches) need to be aware of all 3 clouds.

In Keycloak 3.X, we added support for Cross-datacenter (Cross-site) setup with usage of external JDG servers to replicate data among datacenters (tech preview in RH-SSO 7.2). The demo was using exactly this setup. Each site had JDG server and all 3 sites communicate with each other through those JDG servers. This is standard JDG Cross-DC setup. See the picture below for what the demo looked like:

The JDG servers were not used during the demo just for the purpose of the RH-SSO, but also for the purpose of other parts of the demo. The details are described in the other blog by Sebastian Laskawiec. The JDG servers were setup with ASYNC backups, which was more effective and was completely fine for the purpose of the demo due the fact that mobile application was using keycloak.js adapter. See RH-SSO docs for more details.

Red Hat SSO customizations

The RH-SSO was using standard RH-SSO openshift image . For Cross-DC setup, we needed to do configuration changes as described in the RHSSO documentation . Also few other customizations were done.

JDG User Storage

RH-SSO Cross-DC setup currently requires both replicated RDBMS and replicated JDG server. When preparing to demo, we figured that using the clustered RDBMS in OpenShift replicated across all 3 clouds, is not very straightforward thing to setup.

Fortunately RH-SSO is highly customizable platform and among other things, it provides supported User Storage SPI , which allows customers to plug their own storage for RH-SSO users. So instead of setup of replicated RDBMS, we created custom JDG User Storage. So users of the example realm were saved inside JDG instead of the RDBMS Database.

Lessons learned is, that we want to make the Keycloak/RH-SSO Cross-DC setup simpler for administrators. Hence we're considering removing the need for replicated RDBMS entirely and instead store all realms and users metadata within JDG. So just replicated JDG would be a requirement for Cross-DC setup.

Other customizations

For the purpose of the demo, we did custom login theme. We also did Email-Only authenticator, which allows to register user just by providing their email address. This is obviously not very secure, but it's pretty neat for the example purpose. Keynote users were also able to login with Google Identity Provider or Red Hat Developers OpenID Connect Identity Provider, which was useful for users, who already had an account in those services.

If you want to try all these things in action, you can try to checkout our Demo Project on Github and deploy it to your own openshift cluster! If you have 3 clouds, even better! You can try the full setup including JDG to try exactly the setup we used during keynote demo.

Thursday, 14 June 2018

Keycloak 4.0.0.Final Released

To download the release go to the Keycloak homepage.

For details on what is included in the release check out the Release notes

The full list of resolved issues is available in JIRA.

Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed.

Thursday, 31 May 2018

Keycloak on OpenShift

In this post you'll see how to deploy Keycloak on OpenShift. You'll also learn how to deploy a Node.js based REST service and an HTML5 application to OpenShift and secure these with Keycloak.

There is also a screencast showing this example at https://youtu.be/9zUWqbK3BqI.

If you don't already have OpenShift available a good place to start is by using MiniShift.

Deploying Keycloak

First of all create a new project in OpenShift with oc by running:

oc new-project keycloak

The next thing to do is to import the Keycloak template into OpenShift, by running:

oc replace --force -f "https://raw.githubusercontent.com/jboss-dockerfiles/keycloak"\
"/master/openshift-examples/keycloak-https.json"

Now open the OpenShift console and open the keycloak project.

Click on Add to Project and Browse Catalog. In the catalog you should find Keycloak. Click on it.

Click next on the information. Under configuration set a username and password that you can remember in the Keycloak Administrator Username and Keycloak Administrator Password fields. Then click on create. Click on Continue to project overview.

Wait for the deployment to complete then click on the link to the application. Your browser will complain about the certificate as it is a self-signed certificate. Ignore this and proceed. Click on Administration Console, then login with the username and password you entered previously. Keep this tab open as you will need it later.

You have now deployed Keycloak onto OpenShift.

Configure Clients in Keycloak

We need to create clients for the service and the application we will secure.

Open the tab with the Keycloak admin console. Click on Clients and Create. For Client ID enter service and click Save. Under Access Type select bearer-only and click on Save.

Click on Clients then Create again. For Client ID enter app and click Save. For Valid Redirect URIs and Web Origins enter *. In production environment it is very important that you enter the correct URL for your application, but since this is a demonstration we will simply allow all URLs for simplicity. You can easily update these to the correct URLs for the application after it has been deployed.

Keep the Keycloak admin console tab open as again you will need it later.

Deploy the Service

Go back to the tab with the OpenShift console and click on Add to Project and Browse Catalog again. This time click on Node.js. Click next on Information, then click on advanced options under Configuration.

Make the following changes:

  • Name: service
  • Git Repository URL: https://github.com/stianst/misc.git
  • Context Dir: openshift/service
  • Secure route: enable
  • TLS Termination: Edge
  • Insecure Traffic: Redirect
  • Deployment Config
    • KEYCLOAK_URL=https://secure-keycloak-keycloak.192.168.42.52.nip.io/auth
Replace the value for KEYCLOAK_URL with the URL for Keycloak. You can find this by going back to the tab with the Keycloak admin console (copy the URL up to and including "/auth").

Click on Create then Continue to the project overview. Wait for the build and deployment to complete then click on the link to the application. You should see "Not found!". Add "/service/public" to the url and you should see "message: public" in JSON.

You have now deployed and secured the service. Keep this tab open as well as you need it later.

Deploy the Application

Go back to the tab with the OpenShift console and click on Add to Project and Browse Catalog again. This time click on PHP. Click next on Information, then click on advanced options under Configuration.

Make the following changes:

  • Name: app
  • Git Repository URL: https://github.com/stianst/misc.git
  • Context Dir: openshift/app
  • Secure route: enable
  • TLS Termination: Edge
  • Insecure Traffic: Redirect
  • Deployment Config
    • KEYCLOAK_URL=https://secure-keycloak-keycloak.192.168.42.52.nip.io/auth
    • SERVICE_URL=https://service-keycloak.192.168.42.240.nip.io/service
Replace the value for KEYCLOAK_URL with the URL for Keycloak. You can find this by going back to the tab with the Keycloak admin console (copy the URL up to and including "/auth"). Also, replace the value for SERVICE_URL with the URL for the Service. You can find this by going back to the tab with the service (copy the URL up to and including "/service").

Click on Create then Continue to the project overview. Wait for the build and deployment to complete then click on the link to the application. You should already be logged-in. You can now invoke the service by clicking on Invoke Public to invoke the unsecured endpoint or Invoke Admin to invoke the endpoint secured with the admin role. If you click on Invoke Secured it will fail as the admin user you are logged in with does not have the user role. To be able to invoke this endpoint as well go back to the Keycloak admin console. Create a realm role named user. Then go to users find your admin user and under role mappings add the user role to the user.

You have now deployed and secured the application as well as seen how the application can securely invoke the service you deployed previously.

Thursday, 24 May 2018

Keycloak 4.0.0.Beta3 Released

To download the release go to the Keycloak homepage.

Highlights


Fuse 7 Adapter

There's now support for Fuse 7.

Cordova options in JavaScript adapter

It's now possible to pass Cordova specific options to login and other methods in the JavaScript adapter. Thanks to loorent for the contribution.

Search by user id on admin console

If you wanted to search by a user by id in the admin console you had to edit the URL. It's now possible to do it directly in the user search field.

More...

The full list of resolved issues is available in JIRA.

Upgrading

Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed.

Wednesday, 2 May 2018

Red Hat Single Sign-On @ Red Hat Summit

At Red Hat Summit this year there are no less than 4 sessions about Red Hat Single Sign-On! If you are going to Summit make sure to join us.

OpenShift + single sign-on = Happy security teams and happy users

Dustin Minnich, Joshua Cain, Jared Blashka, Brian Atkisson. Tuesday 4 PM.

One username and password to rule them all.

In this lab, we'll discuss and demonstrate single sign-on technologies and how to implement them using Red Hat products. We'll take you through bringing up an OpenShift cluster in a development environment, installing Red Hat single sign-on on top of it, and then integrating that with a variety of example applications.

Securing service mesh, microservices, and modern applications with JSON Web Token (JWT)

Stian Thorgersen, S├ębastien Blanc. Wednesday 10:30 AM.

Sharing identity and authorization information between applications and services should be done with an open industry standard to ensure interoperability in heterogeneous environments. Javascript Object Signing and Encryption (JOSE) is a framework for securely sharing such information between heterogeneous applications and services.

In this session, we’ll cover the specifications of the JOSE framework, focusing especially on JSON Web Token (JWT). We’ll discuss practical applications of the JOSE framework, including relevant specifications, such as OpenID Connect. After this session, you’ll have an understanding of the specifications and how to easily adopt them using Red Hat single sign-on or another OpenID Connect provider.

Red Hat single sign-on: Present and future

Boleslaw Dawidowicz, John Doyle. Wednesday 3:30 PM.

Red Hat single sign-on (SSO) provides web SSO with modern, token-based protocols, such as OAuth and OpenID Connect. This session will highlight the features of the latest release and show the future direction of the technology within the Red Hat portfolio.

Securing apps and services with Red Hat single sign-on

S├ębastien Blanc, Stian Thorgersen. Thursday 1:00 PM.

If you have a number of applications and services, the applications may be HTML5, server-side, or mobile, while the services may be monolithic or microservices, deployed on-premise or to the cloud. You may have started looking at using a service mesh. Now, you need to easily secure all these applications and services.

Securing applications and services is no longer just about assigning a username and password. You need to manage identities. You need two-factor authentication. You need to integrate with legacy and external authentication systems. Your list of other requirements may be long. But you don’t want to develop all of this yourself—nor should you.

In this session, we’ll demonstrate how to easily secure all your applications and services—regardless of how they're implemented and hosted—with Red Hat single sign-on. After this session, you'll know how to secure your HTML5 application or service, deployed to a service mesh and everything in between. Once your applications and services are secured with Red Hat single sign-on, you'll know how to easily adopt single sign-on, two-factor authentication, social login, and other security capabilities.

Keycloak 4.0.0.Beta2 released

To download the release go to the Keycloak homepage.

Highlights


Pushed Claims

With pushed claims it is now possible for clients to push additional claims to have them used by policies when evaluating permissions.

Resource Attributes

It is now possible to define attributes on resources in order to have them used by policies when evaluating permissions.

Spring Boot 2 support

We now have support for Spring Boot 2.

Instagram identity provider

Thanks to hguerrero it is now easy to enable login with Instagram.

Slovak translation

Thanks to Joe32 we now have Slovak translations.

More...

The full list of resolved issues is available in JIRA.

Upgrading

Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed.