Guide of authentication and authorization for cloud native applications with Keycloak
- 1. © Hitachi, Ltd. 2023. All rights reserved.
Guide of authentication and authorization
for cloud native applications with Keycloak
Open Source Summit Japan 2023
Hitachi, Ltd.
OSS Solution Center
12/05/2023
Michito Okai
- 2.
About the speaker
Michito Okai
➢ Software Engineer
➢ Hitachi, Ltd.
➢ GitHub: @Michito-Okai
• Specialist in authentication and authorization
➢ Engaged in authentication and authorization technical support
• Contributor to Keycloak, which is an Identity and Access Management (IAM) OSS
➢ OAuth 2.0 Device Authorization Grant [RFC8628]
➢ Performance improvement
➢ Security improvement for tokens
• Other activities
➢ Writer of web articles about IAM (Japanese)
- 3.
Contents
1. Importance of Authentication and Authorization
2. Introduction of Keycloak
3. Authentication for Cloud Native Applications with Keycloak
4. Authorization for Cloud Native Applications with Keycloak
- 4.
Contents
1. Importance of Authentication and Authorization
2. Introduction of Keycloak
3. Authentication for Cloud Native Applications with Keycloak
4. Authorization for Cloud Native Applications with Keycloak
- 5.
What is Authentication and Authorization
Authentication is the process of verifying the user (or client) who (or which) is requesting the API.
Authorization is the process of verifying whether the user can access the requested API.
[Diagram: an unknown user asks "can access?" an API; after authentication the requester is known to be "Michito Okai" but still asks "can access?"; after authorization, Michito Okai can access the API.]
- 6.
Security Risks about Authentication and Authorization
in OWASP Top 10 and OWASP Top 10 API Security
Security risks about “Authentication” and “Authorization” in OWASP Top 10*:
• #1 Broken Access Control
• #7 Identification and Authentication Failures
* OWASP Top 10 2021 https://owasp.org/Top10/
Security risks about “Authentication” and “Authorization” in OWASP Top 10 API Security*:
• #1 Broken Object Level Authorization
• #2 Broken Authentication
• #3 Broken Object Property Level Authorization
• #5 Broken Function Level Authorization
* OWASP Top 10 API Security Risks - 2023 https://owasp.org/API-Security/editions/2023/en/0x11-t10/
It is important to minimize security risks
by implementing appropriate authentication and authorization.
- 7.
Contents
1. Importance of Authentication and Authorization
2. Introduction of Keycloak
3. Authentication for Cloud Native Applications with Keycloak
4. Authorization for Cloud Native Applications with Keycloak
- 8.
What is Keycloak
• Keycloak is an Identity and Access Management (IAM) OSS.
Major features
⚫ Supports standard specifications, e.g. OAuth 2.0, OpenID Connect 1.0, SAML v2, …
⚫ Login with social media.
⚫ Connects to existing user stores, e.g. LDAP, Active Directory, …
[Diagram: Keycloak at the center. Supporting Standard Specifications: OAuth 2.0, OpenID Connect 1.0, SAML v2. Identity Management: LDAP, Active Directory, RDB. Social Login: GitHub, Twitter, Facebook.]
- 9.
Keycloak for Cloud Native Environments
Keycloak has two advantages for cloud native environments.
1. Easy deployment on Kubernetes
There are two ways to deploy Keycloak on Kubernetes.
① Using the Docker image
② Using the Keycloak operator
2. Suitable for container environments
Keycloak changed its base distribution from WildFly to Quarkus.
• Keycloak's startup time dropped from 13.5 seconds to 8.7 seconds*
• Keycloak's memory consumption at startup dropped from 407 MB to 234 MB*
-> Quick scaling is possible
* https://thinkit.co.jp/article/22308
- 10.
Keycloak joined CNCF as an incubating project
In April 2023, Keycloak joined CNCF as an incubating project.
Keycloak will be the de-facto standard IAM product for the CNCF ecosystem.
- 11.
Minimization of Security Risks with Keycloak [1/3]
There are two important things to do to implement authentication and
authorization and to minimize security risks.
• Support the standard specifications recommended by best current practice (BCP) to
protect against current attack methods
• Continue to support the specifications recommended by new BCP to protect against
newly evolved attack methods
Keycloak satisfies the above two important things.
[Diagram: over time, attack methods evolve into new attack methods, and BCP evolves into new BCP in response; "now" sits in the middle of that timeline.]
- 12.
Minimization of Security Risks with Keycloak [2/3]
There are two important things to do to implement authentication and
authorization and to minimize security risks.
• Support the standard specifications recommended by best current practice (BCP) to
protect against current attack methods -> OK
• Continue to support the specifications recommended by new BCP to protect against
newly evolved attack methods
Keycloak adheres to the following standard specifications.
Keycloak supports:
  OAuth, recommended by BCP*: [RFC6749], [RFC6750], [RFC7636], [RFC9126], [OAuth 2.0 Form Post Response Mode]
  OIDC, recommended by BCP*: [OpenID Connect Core], [OpenID Connect Discovery], [Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)]
  OAuth, other: [RFC7009], [RFC7592], [RFC7662], [RFC8626], [RFC8705]
  OIDC, other: [OpenID Connect Dynamic Registration], [Financial-grade API: Client Initiated Backchannel Authentication Profile]
* OAuth 2.0 Security Best Current Practice Draft 24.
- 13.
Minimization of Security Risks with Keycloak [3/3]
There are two important things to do to implement authentication and
authorization and to minimize security risks.
• Support the standard specifications recommended by best current practice (BCP) to
protect against current attack methods
• Continue to support the specifications recommended by new BCP to protect against
newly evolved attack methods -> OK
Keycloak is quick to support standard specifications.
• Keycloak has an OAuth SIG (Special Interest Group) which implements security
standard specifications related to OAuth or the OpenID Foundation.
-> Specialists of the OAuth SIG discuss implementing standard specifications once a
month.
• The number of authors on GitHub in one year is 311*1, and Keycloak ranked 7th in
terms of fastest-growing contributor counts*2.
-> It is expected that the community, including the OAuth SIG, will continue to be active.
*1 https://www.cncf.io/blog/2023/10/27/october-2023-where-we-are-with-velocity-of-cncf-lf-and-top-30-open-source-projects/
*2 https://octoverse.github.com/2022/state-of-open-source
- 14.
Contents
1. Importance of Authentication and Authorization
2. Introduction of Keycloak
3. Authentication for Cloud Native Applications with Keycloak
4. Authorization for Cloud Native Applications with Keycloak
- 15.
Authentication for Cloud Native Applications
The following functions are useful in terms of authentication for cloud
native applications.
• Single Sign On (SSO)
• Social Login
• Multi-Factor Authentication (MFA)
• WebAuthn (Passwordless Authentication)
• Passkeys (Passwordless Authentication)
- 16.
Single Sign On (SSO)
Single Sign On (SSO) is a system that allows you to use multiple
applications with one login.
Keycloak enables SSO by cookie authentication.
• Users do not have to input and manage a username and password for each
application
[Diagram: without SSO, the user sees a separate "Username / Password / Login" form for each cloud native application. With Keycloak, the user logs in once at Keycloak and then uses all cloud native applications.]
- 17.
Social Login
Social Login is logging in to services using a social media account.
Keycloak allows users to use social media accounts such as GitHub,
Facebook, Twitter, Microsoft and so on.
• Users do not have to input user information such as name, address, e-mail,
telephone number and password, and do not have to manage a username and password.
[Diagram: the Keycloak login page offers "Login with GitHub" and "Login with Facebook" next to the username/password form; the user authenticates at GitHub or Facebook and then uses the cloud native applications.]
- 18.
Multi-Factor Authentication (MFA) [1/2]
Multi-Factor Authentication (MFA) is authenticating by using two or
more of the following three factors.
• Something You Know (ex: password)
• Something You Have (ex: authenticator)
• Something You Are (ex: fingerprint)
Keycloak authenticates using Something You Know and Something
You Have.
[Diagram: 0. The user registers an authenticator. 1. Password authentication at Keycloak (Something You Know: password). 2. One time password authentication, with the code produced by the authenticator (Something You Have: authenticator).]
- 19.
Multi-Factor Authentication (MFA) [2/2]
Keycloak prevents illegal authentication even if an attacker succeeds in
password authentication by an attack method such as a dictionary
attack, password list-based attack, brute-force attack or reverse
brute-force attack.
[Diagram: 1. Password authentication succeeds because the attacker knows the username and password. 2. One time password authentication fails because the attacker does not have the authenticator.]
- 20.
WebAuthn (Passwordless Authentication) [1/2]
WebAuthn is an authentication technology which enables passwordless
authentication and MFA.
Keycloak authenticates the user without a password.
• Users do not need to remember complex passwords.
• Phishing can be prevented in Keycloak.
[Diagram: Keycloak sends a challenge to the user's authenticator (smart phone). The user unlocks it by fingerprint authentication, face authentication, etc. (Something You Are: fingerprint). The authenticator returns a signature for the challenge, and Keycloak verifies the signature (Something You Have: authenticator). No username/password form is needed.]
- 21.
WebAuthn (Passwordless Authentication) [2/2]
WebAuthn is an authentication technology which enables passwordless
authentication and MFA.
Keycloak authenticates the user without a password.
• Users do not need to remember complex passwords.
• Phishing can be prevented in Keycloak.
[Diagram: 1. Keycloak sends a challenge to the user. 2. The user's authenticator (smart phone) returns a signature for that challenge after fingerprint authentication, face authentication, etc. (Something You Are: fingerprint). 3. An attacker sends their own challenge to the user. 4. The attacker relays the resulting signature to Keycloak. Signature verification fails because challenges 3 and 4 are different.]
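The checks a relying party such as Keycloak performs on a WebAuthn assertion, and which make the relayed signature on the slide fail, as an added example (not Keycloak's code). It uses only the Python standard library; the cryptographic signature check over the bytes it returns is left to the caller's key library, and the origin and RP ID are assumed values.

```python
import base64
import hashlib
import json
import os


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def new_challenge() -> str:
    # Fresh random challenge per ceremony, remembered server-side (step 1 on the slide).
    return b64url_encode(os.urandom(32))


def verify_assertion(expected_challenge: str, expected_origin: str, rp_id: str,
                     client_data_json: bytes, authenticator_data: bytes) -> bytes:
    """Return the bytes the authenticator signed over, or raise ValueError."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    # Challenge binding: a signature made for a different challenge (3 vs 4 on
    # the slide) cannot be accepted for this session.
    if client_data.get("challenge") != expected_challenge:
        raise ValueError("challenge mismatch")
    # Origin binding: the browser records the origin it really talked to, so a
    # signature produced on a look-alike site carries that site's origin.
    if client_data.get("origin") != expected_origin:
        raise ValueError("origin mismatch")
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not flags & 0x01:  # UP (user present) flag bit
        raise ValueError("user presence not asserted")
    # The signature covers authenticatorData || SHA-256(clientDataJSON); verify
    # it with the credential's registered public key using a crypto library.
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def make_client_data(challenge: str, origin: str) -> bytes:
    # Constructed sample of the clientDataJSON a browser would produce.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = 0x01) -> bytes:
    # Constructed sample: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes).
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + b"\x00\x00\x00\x01"
```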
- 22.
Passkeys (Passwordless Authentication)
Passkeys is an authentication technology that synchronizes credentials
between multiple authenticators via a cloud platform.
Keycloak authenticates the user with multiple authenticators.
• Users can use smart phones and PCs as authenticators.
[Diagram: Keycloak sends a challenge and receives a signature for the challenge from either the smart phone authenticator or the PC authenticator; the credential is synchronized between them through the cloud platform.]
When users lose or replace a smart phone,
they can use a PC or a new smart phone as the authenticator
without re-registration.
✓ Improves user experience
- 23.
Contents
1. Importance of Authentication and Authorization
2. Introduction of Keycloak
3. Authentication for Cloud Native Applications with Keycloak
4. Authorization for Cloud Native Applications with Keycloak
- 24.
Authorization for Cloud Native Applications
Supporting the following standard specifications is useful in terms of
authorization for cloud native applications.
• OAuth 2.0
• Financial-grade API (FAPI) 1.0
• OAuth 2.0 Device Authorization Grant
- 25.
OAuth 2.0
OAuth 2.0 is the de-facto standard for issuing tokens, which is essential
for authorization.
Keycloak issues tokens in compliance with OAuth 2.0.
[Diagram: User, Client, Keycloak and "xxx service".]
0. The user uses the client
1. authorization request via browser
2. user authentication/authorization at Keycloak
3. authorization response via browser
4. token request
5. token response (including access token)
6. API request to xxx service w/ access token
7. API response
There are attacks that cannot be prevented in OAuth 2.0.
- 26.
Financial-grade API (FAPI) 1.0 [1/4]
FAPI 1.0 is a high-level API security specification describing secure
usage of OAuth 2.0 and OpenID Connect (OIDC) 1.0.
OAuth 2.0: Specification for authorization by access token. It is a
framework of authorization, but improper implementation
often leads to vulnerabilities.
OIDC 1.0: Some secure usage of OAuth 2.0 is introduced and OIDC
1.0 can be used for authentication by ID token.
However, improper implementation is still not restricted.
FAPI 1.0: Secure usage of OAuth 2.0/OIDC 1.0 is described across
the protocol flow, including usage of optional specifications of
OAuth 2.0 (e.g. PKCE) and lower layer protocol (SSL/TLS)
usage.
- 27.
Financial-grade API (FAPI) 1.0 [2/4]
Open Banking initiatives using FAPI:
[UK : OpenBanking]
• OpenBanking Financial Grade API (FAPI) Profile
• OpenBanking CIBA Profile
[Australia : Consumer Data Right (CDR)]
• Consumer Data Right Security Profile
[Brazil : Open Banking Brasil]
• Open Banking/Finance Brasil Financial-grade API Security Profile
[Saudi Arabia : SAMA Open Banking]
• OpenBanking Financial Grade API (FAPI) Profile
- 28.
Financial-grade API (FAPI) 1.0 [3/4]
Keycloak prevents attacks that cannot be prevented in OAuth 2.0.
• Users can use services securely.
[Diagram: the same flow as the OAuth 2.0 slide (0. use, 1. authorization request via browser, 2. user authentication/authorization, 3. authorization response via browser, 4. token request, 5. token response including access token, 6. API request w/ access token, 7. API response) with three attack points marked:]
• Tampering of the authorization request (step 1)
• Tampering of the authorization response (step 3)
• An API request sent by the attacker succeeds when the attacker steals the access token (step 6)
- 29.
Financial-grade API (FAPI) 1.0 [4/4]
Keycloak prevents attacks that cannot be prevented in OAuth 2.0.
• Users can use services securely.
[Diagram: the same flow (0. use, 1. authorization request via browser, 2. user authentication/authorization, 3. authorization response via browser, 4. token request, 5. token response including access token, 6. API request w/ access token, 7. API response) with the FAPI countermeasures marked:]
• Authorization request with signature -> Keycloak can detect tampering of the authorization request
• Authorization response with signature -> the client can detect tampering of the authorization response
• The access token carries information about the client certificate -> xxx service can reject an API request made with a stolen access token
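How "xxx service" can reject an API request made with a stolen access token, as an added example (not Keycloak's or any service's code). It assumes the mutual-TLS certificate-bound access tokens of RFC 8705 that the FAPI profile uses: Keycloak places the SHA-256 thumbprint of the client certificate in the token's `cnf` claim as `x5t#S256`, and the service compares it with the certificate presented on its own TLS connection; the JWT signature is assumed to have been verified before this check, and the certificate bytes and tokens below are constructed stand-ins.

```python
import base64
import hashlib
import json
from typing import Optional


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def cert_thumbprint(cert_der: bytes) -> str:
    # RFC 8705: base64url(SHA-256(DER-encoded certificate)) without padding.
    return b64url(hashlib.sha256(cert_der).digest())


def jwt_claims(token: str) -> dict:
    # Decode the payload segment of a compact JWS (header.payload.signature).
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def accept_request(token: str, presented_cert_der: Optional[bytes]) -> bool:
    """True only when the token is bound to the certificate on this connection."""
    cnf = jwt_claims(token).get("cnf", {})
    bound_thumbprint = cnf.get("x5t#S256")
    if bound_thumbprint is None:
        return False  # plain bearer token: not acceptable under the FAPI profile
    if presented_cert_der is None:
        return False  # token replayed without the client's private key and certificate
    return bound_thumbprint == cert_thumbprint(presented_cert_der)


def make_token(claims: dict) -> str:
    # Constructed sample token: a JWS layout with an empty signature segment,
    # sufficient to exercise the binding check (never accept such a token unverified).
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


# Constructed stand-ins for DER certificates (real DER would be ASN.1 bytes).
CLIENT_CERT = b"constructed-der-for-legitimate-client"
ATTACKER_CERT = b"constructed-der-for-attacker"
BOUND_TOKEN = make_token({"sub": "user", "cnf": {"x5t#S256": cert_thumbprint(CLIENT_CERT)}})
BEARER_TOKEN = make_token({"sub": "user"})
```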
- 30.
OAuth 2.0 Device Authorization Grant [1/4]
The OAuth 2.0 device authorization grant is designed for IoT devices that
either lack a browser or are input constrained.
Keycloak executes authorization even if the client doesn't have a browser.
• Users can use IoT devices as clients.
[Diagram: User, Client (smart TV), Keycloak and "xxx service".]
0. The user uses the client (smart TV)
1. device authorization request
2. device authorization response w/ verification_uri and user code; the TV displays "URI: https://…" and "user code: xxx"
- 31.
OAuth 2.0 Device Authorization Grant [2/4]
[Diagram: same as [1/4], now with the user's smart phone.]
0. The user uses the client (smart TV)
1. device authorization request
2. device authorization response w/ verification_uri and user code; the TV displays "URI: https://…" and "user code: xxx"
3. The user inputs the URI and user code on the smart phone
- 32.
OAuth 2.0 Device Authorization Grant [3/4]
[Diagram: same as [2/4]; the client polls Keycloak while the user is still entering the code.]
0. The user uses the client (smart TV)
1. device authorization request
2. device authorization response w/ verification_uri and user code; the TV displays "URI: https://…" and "user code: xxx"
3. The user inputs the URI and user code on the smart phone
3'. token request (from the smart TV)
4'. token response (not including an access token)
- 33.
OAuth 2.0 Device Authorization Grant [4/4]
[Diagram: same as [3/4]; the complete flow.]
0. The user uses the client (smart TV)
1. device authorization request
2. device authorization response w/ verification_uri and user code; the TV displays "URI: https://…" and "user code: xxx"
3. The user inputs the URI and user code on the smart phone
4. user and user code authentication/authorization at Keycloak
5. token request (from the smart TV)
6. token response (including access token)
7. API request to xxx service w/ access token
8. API response
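The smart TV side of the flow on slides 30 to 33 (steps 1, 2, 3'/4', 5 and 6), as an added example that is not Keycloak's code. It targets Keycloak's device authorization and token endpoints for an assumed realm "demo" and client "smart-tv" at an assumed host; the HTTP POST is injected as a function so the flow can be exercised offline, and the polling errors of RFC 8628 (authorization_pending, slow_down, access_denied, expired_token) are handled rather than ignored.

```python
import time
from typing import Callable, Dict

KEYCLOAK = "https://keycloak.example.com"  # assumed host
REALM, CLIENT_ID = "demo", "smart-tv"  # assumed realm and client
DEVICE_ENDPOINT = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/auth/device"
TOKEN_ENDPOINT = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# (url, form fields) -> parsed JSON body; supplied by the caller (e.g. built on requests).
PostFn = Callable[[str, Dict[str, str]], Dict]


def start_device_flow(post: PostFn) -> Dict:
    # Steps 1/2: obtain device_code plus the user_code and verification_uri to show on the TV.
    resp = post(DEVICE_ENDPOINT, {"client_id": CLIENT_ID, "scope": "openid"})
    for key in ("device_code", "user_code", "verification_uri", "expires_in"):
        if key not in resp:
            raise ValueError(f"device authorization response lacks {key}")
    return resp


def poll_for_token(post: PostFn, device: Dict,
                   sleep=time.sleep, now=time.monotonic) -> Dict:
    # Steps 3'/4' then 5/6: poll the token endpoint until the user has approved the
    # user_code on the phone, never faster than the server-provided interval.
    interval = int(device.get("interval", 5))
    deadline = now() + int(device["expires_in"])
    while now() < deadline:
        resp = post(TOKEN_ENDPOINT, {"grant_type": DEVICE_GRANT,
                                     "client_id": CLIENT_ID,
                                     "device_code": device["device_code"]})
        if "access_token" in resp:
            return resp  # step 6: token response including the access token
        err = resp.get("error")
        if err == "authorization_pending":  # step 4': user has not approved yet
            pass
        elif err == "slow_down":  # RFC 8628: add 5 seconds to the polling interval
            interval += 5
        elif err in ("access_denied", "expired_token"):
            raise PermissionError(err)
        else:
            raise RuntimeError(f"unexpected token response: {resp}")
        sleep(interval)
    raise TimeoutError("device code expired before the user approved it")
```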
- 34.
Summary [1/2]
• Authentication and Authorization are important.
• Keycloak joined CNCF as an incubating project.
-> Keycloak will be the de-facto standard IAM product for the CNCF
ecosystem.
• Authentication and Authorization for Cloud Native Applications with
Keycloak.
Authentication:
• Single Sign On (SSO)
• Social Login
• Multi-Factor Authentication (MFA)
• WebAuthn (Passwordless Authentication)
• Passkeys (Passwordless Authentication)
Authorization:
• OAuth 2.0
• Financial-grade API (FAPI) 1.0
• OAuth 2.0 Device Authorization Grant
- 35.
Summary [2/2]
• If you would like to know more about Keycloak, please see below.
• Official documentation
https://www.keycloak.org/documentation
• GitHub
https://github.com/keycloak/keycloak
• Book written by the Keycloak project leader
https://www.amazon.co.jp/Keycloak-Identity-Management-Applications-applications-ebook/dp/B0BPY1RDND?language=en_US&currency=USD
- 36.
Trademarks
• OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other
countries.
• GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries.
• Facebook is a trademark or registered trademark of Meta Platforms, Inc. in the United States and other
countries.
• Twitter is a trademark or registered trademark of X Corp. in the United States and other countries.
• Microsoft is a trademark of the Microsoft group of companies.
• Other brand names and product names used in this material are trademarks, registered trademarks, or
trade names of their respective holders.
- 37.
END
Guide of authentication and authorization
for cloud native applications with Keycloak
Michito Okai
12/05/2023
Hitachi, Ltd.
OSS Solution Center