Training KeyCloak - Redhat SSO advanced
April 2019
Table of Contents
1 History.............................................................................................................................................9
2 Prerequisites..................................................................................................................................10
2.1 Presentation................................................................................................................................10
2.2 Cloning Rh-SSO quickstart examples........................................................................................10
2.3 Cloning Keycloak examples.......................................................................................................11
2.3.1 Clone Project........................................................................................................................11
2.3.2 Compiling keycloak.............................................................................................................11
3 Using Keycloak SPI – adding a custom Event Listener module...................................................12
3.1 Presentation................................................................................................................................12
3.2 Installing event Listener jar module...........................................................................................12
4 Using Eclipse to debug Keycloak SPIs.........................................................................................22
4.1 Presentation................................................................................................................................22
4.2 Requirements..............................................................................................................................22
4.3 Creating a new eclipse debugging workspace............................................................................22
4.4 Importing keycloak examples maven project.............................................................................23
4.5 Launching keycloak server in debug mode................................................................................24
4.6 Attaching Eclipse Debugger to Keycloak...................................................................................25
4.6.1 Setting the Eclipse Debug configuration.............................................................................26
4.6.2 Filling Debug configuration information.............................................................................26
4.6.3 Debug Connection...............................................................................28
4.7 Debugging example....................................................................................................................28
4.7.1 Set a breakpoint...................................................................................................................28
4.7.2 Triggering breakpoint in EventListener SPI........................................................................29
5 Keycloak logger.............................................................................................................................31
5.1 Presentation................................................................................................................................31
5.2 Adjusting the log dynamically....................................................................................................31
5.2.1 Reading the current root-logger value.................................................................................31
5.2.2 Updating the root-logger value............................................................................................32
6 Keycloak Multifactor authentication (MFA) using OTP...............................................................33
6.1 Presentation................................................................................................................................33
6.2 Demo_otp realm.........................................................................................................................33
6.3 Modifying demo_otp Authentication Workflow........................................................................33
6.4 Mobile Authenticator..................................................................................................................34
6.5 Authentication of a user for the 1st time.....................................................................34
6.6 Authentication of a user (after 1st time)......................................................................37
6.7 Keycloak OTP............................................................................................................................38
7 MFA with Keycloak.......................................................................................................................39
7.1 Presentation................................................................................................................................39
7.2 Keycloak OTP MFA versus SMS-OTP......................................................................................39
7.3 LOA concepts and MFA usage..................................................................................................39
7.4 Keycloak/RH-SSO Authentication flow and MFA....................................................................40
7.4.1 RH-SSO 7.2 (Keycloak 3.4.3)..............................................................................40
7.4.2 Keycloak 4.6 (Latest)...........................................................................................................40
7.4.3 Upcoming release 5.X – Jira tickets....................................................................................41
7.5 Keycloak/RH-SSO MFA synthesis.............................................................................................41
8 Mapping LDAP Group to Keycloak Roles....................................................................................42
8.1 Presentation................................................................................................................................42
8.2 LDAP Group to keycloak Roles mapping workflow.................................................................42
8.3 Concrete application: creating an ldap/SSO admin....................................................................42
8.4 Use case example.......................................................................................................................42
8.4.1 Example requirements.........................................................................................................42
8.4.2 Installing keycloak example ldap........................................................................................43
8.4.3 Connecting with Jexplorer to the embedded LDAP server.................................................43
8.4.4 Browsing the embedded LDAP..............................................................................44
8.5 User Federation with Ldap.........................................................................................................45
8.5.1 Setting up ldap user federation connector...........................................................................45
8.5.2 Defining LDAP synchronisation..........................................................................46
8.6 Adding group ldap mapper.........................................................................................................48
8.6.1 Creating ldap group mapping..............................................................................................48
8.6.2 Synchronizing ldap group mapping.....................................................................................49
8.7 Adding SSO Role to keycloak group..........................................................................................50
8.7.1 Keycloak ldap-admin group................................................................................................50
8.7.2 Adding a Keycloak role to this ldap-admin group...............................................................50
8.8 Testing workflow........................................................................................................................51
8.8.1 Creation of a new ldap user.................................................................................................51
8.8.2 LDAP user part of the ldap-admin group..............................................................51
8.8.3 Keycloak ldap synchronization............................................................................................51
8.8.4 new user with keycloak role admin rights...........................................................................52
8.9 Logging in to the admin console with the new admin user..........................................52
9 Getting Keycloak Access Token from LDAP values.....................................................................54
9.1 Installing wildfly 14...................................................................................................................54
9.1.1 Installation of wildfly 14.....................................................................................................54
9.1.2 Installation of Jboss EAP connector for wildfly..................................................................54
9.2 Starting keycloak auth server (port 8180)..................................................................................55
9.3 Registering ldap-app client into keycloak server......................................................................55
9.4 Import LDAP user......................................................................................................................56
9.4.1 Starting embedded LDAP server.........................................................................................56
9.4.2 Defining LDAP User Federation.........................................................................................56
9.4.3 Defining Role Ldap-mapper................................................................................................57
9.4.4 LDAP role synchronization.................................................................................................58
9.4.5 Postal code...........................................................................................................................59
9.4.6 Syncing Ldap User..............................................................................................................59
9.5 Deploying ldap-portal webapp...................................................................................................61
9.5.1 Fix Keycloak Auth URI.......................................................................................................61
9.5.2 Compiling and installing ldap-portal webapp......................................................................61
9.6 Testing the example....................................................................................................................62
9.6.1 Postal code for user bwilson................................................................................................62
9.6.2 Testing the ldap-portal webapp............................................................................................62
9.7 Examining Source code example...............................................................................................64
9.7.1 ldap-portal source code........................................................................................................64
9.7.2 Java documentation: Security Context................................................................................65
10 Using Client Scope with Keycloak..............................................................................................67
10.1 Presentation..............................................................................................................................67
10.2 Scope and claims Openid Core definition................................................................................67
10.3 Using Scope and Claims...........................................................................................................68
10.4 Using scope with keycloak.......................................................................................................68
10.4.1 Using Keycloak Access Token..........................................................................................68
10.4.2 Keycloak attribute and role scope......................................................................................69
10.4.3 Keycloak access token example using scope.....................................................................69
10.5 Accessing the access token using direct grant..........................................................................69
10.5.1 ROPC workflow definition................................................................................................69
10.5.2 Enabling ROPC with keycloak..........................................................................................70
10.6 Scripting Token Access using ROPC workflow.......................................................................71
10.7 Creating a new scope to expose postalcode claim....................................................................72
10.7.1 Creating info scope within ldap-demo realm.....................................................................72
10.7.2 Mappers of info scope.......................................................................................................73
10.8 Using the new scope in REST API query.................................................................................75
10.9 Configuring keycloak client scope...........................................................................................76
10.9.1 Configuring info scope as an optional client scope...........................................................76
10.9.2 REST API query displaying info scope..............................................................76
10.10 Using keycloak Generator to evaluate scope..........................................................................77
11 Understanding client Authenticator security...............................................................................80
11.1 client_id/client_secret security issue........................................................................................80
11.2 Using other Keycloak client authenticator...............................................................................80
11.3 Using Signed JWT client authenticator....................................................................................80
11.4 JWKS_URI...............................................................................................................................81
11.5 Signed JWT authenticator – example..............................................................................81
11.5.1 Product-portal example......................................................................................................82
11.5.2 Registration of the product-portal client application in keycloak......................................82
11.5.3 keycloak.json file (product-portal app).............................................................82
11.5.4 Client-app keystore............................................................................................................83
11.6 Log trace...................................................................................................................................83
12 Understanding Token usage.........................................................................................................86
12.1 Token Lifecycle........................................................................................................................86
12.2 Understanding Keycloak session scope....................................................................................86
12.2.1 session creation..................................................................................................................86
12.2.2 Session usage.....................................................................................................................86
12.2.3 Session termination............................................................................................................87
12.2.4 Importance of session control – potential security vulnerability.......................................87
12.3 Keycloak Access Token............................................................................................................87
12.4 Offline access token..................................................................................................................89
12.4.1 Methods to deliver an access token...................................................................................89
12.4.2 Offline token presentation.................................................................................................89
12.4.3 How to use keycloak offline token....................................................................................90
12.4.4 Difference between an offline and refresh token...............................................................90
12.4.5 Offline Session Max Limited.............................................................................................90
12.5 Lifecycle of offline token.........................................................................................................90
12.5.1 Offline token creation........................................................................................................91
12.5.2 Offline token flow operations............................................................................................91
12.5.3 Offline token usage – getting an access token...................................................................91
12.5.4 Revoking offline token......................................................................................................91
13 Examples of Offline token usage.................................................................................................92
13.1 Using offline Token through direct access grant flow..............................................................92
13.1.1 Requirement.......................................................................................................................92
13.1.2 Token lifespan....................................................................................................................92
13.1.3 Setting the maximum invocation of refresh token............................................93
13.1.4 Script used to obtain the offline token................................................................94
13.2 Revoking the offline token.......................................................................................................96
13.2.1 Revocation of the offline token through the admin UI......................................96
13.2.2 Through the user self service panel...................................................................................97
13.3 Necessity of adding offline in client request scope..................................................................97
13.3.1 Request without client scope.............................................................................................97
13.3.2 Request with client scope..................................................................................................98
13.4 Keycloak offline example.........................................................................................................98
13.4.1 Step 1 – the user logs in to the app; an offline access token is generated.......99
13.4.2 Step 2 – the user logs out from the app.........................................................99
13.4.3 Step 3 – the app can access the resources using the offline access token.....100
14 Understanding Keycloak user Federation..................................................................100
14.1 Overview................................................................................................................................100
14.2 User Federation storage Provider...........................................................................................100
14.3 Keycloak default local userstorage (SQL database)...............................................................100
14.3.1 Synchronizing LDAP users to keycloak..........................................................................100
14.3.2 Synchronizing newly created Keycloak users to LDAP..................................................101
14.3.3 Dealing with keycloak – LDAP synchronization parameter...........................................102
14.4 Using Keycloak user Federation SPI......................................................................................102
14.5 Using Keycloak Provider interfaces.......................................................................................103
14.6 keycloak user storage simple (read-only)...............................................................................103
14.6.1 Deploying providers........................................................................................................103
14.7 User storage simple provider (write-only)..............................................................106
14.7.1 Configuring the write only provider................................................................................106
14.7.2 example-user.properties...................................................................................................106
14.7.3 Logging to keycloak........................................................................................................107
14.7.4 Displaying all the users....................................................................................................107
14.8 Keycloak user storage JPA provider.......................................................................................108
14.8.1 Presentation......................................................................................................................109
14.8.2 Using JPA........................................................................................................................109
14.8.3 Keycloak user storage jpa example.................................................................................109
14.8.4 Testing XA data source with keycloak console management..........................................111
14.8.5 Testing with the EJB app.........................................................................112
14.8.6 Rendering users visible in the admin console..................................................................112
14.9 Pointers...................................................................................................................................113
15 Understanding Keycloak Authentication...................................................................................114
15.1 Presentation.............................................................................................................................114
15.2 Authentication TAB selection.................................................................................................114
15.3 Authentication Binding...........................................................................................................115
15.4 Authentication Flow................................................................................................................116
15.4.1 Authentication flow presentation.....................................................................................116
15.4.2 Browser authentication flow............................................................................................117
15.4.3 Direct Authentication Grant flow....................................................................................117
15.4.4 Registration Flow.............................................................................................................118
15.4.5 Reset Credentials.............................................................................................................118
15.4.6 First Broker Login Flow..................................................................................................119
15.4.7 Client authentication flow................................................................................................120
15.5 Required Actions....................................................................................................................120
15.6 Customising authenticator flow..............................................................................................121
15.6.1 Reference.........................................................................................................................122
15.6.2 Installing the authenticator example................................................................................122
15.6.3 Deploying the customized authenticator flow.................................................................122
16 Using apache2 mod_auth_openidc module with Keycloak (OpenID Connect)........................129
16.1 Presentation............................................................................................................................129
16.2 OpenID Connect protocol recap............................................................................129
16.3 Putting mod_auth_openidc in place.......................................................................................131
16.4 Enabling mod_auth_openidc module with apache2...............................................................131
16.4.1 Getting hold of the library...............................................................................................131
16.4.2 Configuring keycloak Server for mod_auth_openidc......................................................131
16.5 Configuration of mod_auth_openidc module.........................................................................132
16.6 Example.................................................................................................................................134
16.7 Using the mod_auth_openidc hook....................................................................135
16.8 Keycloak and NGINX............................................................................................................135
17 Protecting Keycloak/RH-SSO in production with a Reverse Proxy Architecture....................136
17.1 Why add a reverse proxy...............................................................................136
17.2 Architectural deployment example....................................................................136
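The direct-grant (ROPC) token request that sections 10.5, 10.6 and 13.1 of the deck cover, as an added example that is not part of the training material or of Keycloak's own code. It reuses the deck's ldap-demo realm, ldap-app client, user bwilson and the auth server on port 8180; the client secret, the user password and the token response are constructed samples. The sample tokens are unsigned so the block runs offline, whereas real Keycloak tokens are RS256-signed and must be verified against the realm keys before their claims are trusted.

```python
"""Added example (not from the training deck or Keycloak): build a Keycloak
direct-grant (ROPC) token request and inspect the tokens that come back.
Realm, client and user names follow the deck; secrets and the token response
are constructed samples."""
import base64
import json
from urllib.parse import urlencode


def token_endpoint(base_url: str, realm: str) -> str:
    # Keycloak 4.x / RH-SSO 7.x URL layout, with the '/auth' context root
    return f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"


def ropc_request_body(client_id: str, client_secret: str, username: str,
                      password: str, offline: bool = False) -> str:
    # Form body for grant_type=password; the client must have
    # 'Direct Access Grants' enabled in its Keycloak settings.
    params = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }
    if offline:
        # Keycloak issues an offline token only when the request asks for
        # the 'offline_access' scope (deck section 13.3).
        params["scope"] = "openid offline_access"
    return urlencode(params)


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    # Reads the payload WITHOUT verifying the signature: fine for
    # inspection, never for an authorization decision.
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def make_unsigned_sample_jwt(claims: dict) -> str:
    # Constructed sample token (alg=none); real Keycloak tokens are RS256-signed
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


SAMPLE_NOW = 1554984000  # fixed clock so the sample is reproducible
# Constructed token response shaped like Keycloak's: the access token carries
# typ=Bearer, and when offline_access was granted the refresh_token field
# holds an offline token with typ=Offline instead of typ=Refresh.
SAMPLE_RESPONSE = {
    "access_token": make_unsigned_sample_jwt({
        "typ": "Bearer",
        "exp": SAMPLE_NOW + 300,
        "scope": "openid offline_access",
        "preferred_username": "bwilson",
    }),
    "refresh_token": make_unsigned_sample_jwt({"typ": "Offline"}),
    "token_type": "bearer",
    "expires_in": 300,
}


def inspect_token_response(response: dict, now: int) -> dict:
    access = jwt_claims(response["access_token"])
    refresh = jwt_claims(response["refresh_token"])
    return {
        "access_seconds_left": access["exp"] - now,
        "access_is_bearer": access.get("typ") == "Bearer",
        "refresh_is_offline": refresh.get("typ") == "Offline",
        "offline_access_granted":
            "offline_access" in access.get("scope", "").split(),
    }


if __name__ == "__main__":
    print(token_endpoint("http://localhost:8180", "ldap-demo"))
    print(ropc_request_body("ldap-app", "s3cret", "bwilson", "pw", offline=True))
    print(inspect_token_response(SAMPLE_RESPONSE, SAMPLE_NOW))
```

The body is sent as a POST with Content-Type application/x-www-form-urlencoded to the endpoint returned by token_endpoint. Because ROPC hands the user's password to the client, enable Direct Access Grants only on clients that genuinely need it, and revoke offline tokens (admin console or user account panel, deck section 13.2) when the device that holds them is retired.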
PPTX
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
AutoCAD Professional Crack 2025 With License Key
Website Design Services for Small Businesses.pdf
history of c programming in notes for students .pptx
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
Monitoring Stack: Grafana, Loki & Promtail
Autodesk AutoCAD Crack Free Download 2025
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
Nekopoi APK 2025 free lastest update
Weekly report ppt - harsh dattuprasad patel.pptx
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Design an Analysis of Algorithms II-SECS-1021-03
Navsoft: AI-Powered Business Solutions & Custom Software Development
Internet Downloader Manager (IDM) Crack 6.42 Build 41
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
Designing Intelligence for the Shop Floor.pdf
Design an Analysis of Algorithms I-SECS-1021-03
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
Reimagine Home Health with the Power of Agentic AI​
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM

TOC training Keycloak RedhatSSO advanced

Table of Contents

1 History
2 Prerequisites
  2.1 Presentation
  2.2 Cloning RH-SSO quickstart examples
  2.3 Cloning Keycloak examples
    2.3.1 Clone project
    2.3.2 Compiling Keycloak
3 Using Keycloak SPI – adding a custom Event Listener module
  3.1 Presentation
  3.2 Installing the Event Listener jar module
4 Using Eclipse to debug Keycloak SPIs
  4.1 Presentation
  4.2 Requirements
  4.3 Creating a new Eclipse debugging workspace
  4.4 Importing the Keycloak examples Maven project
  4.5 Launching the Keycloak server in debug mode
  4.6 Attaching the Eclipse debugger to Keycloak
    4.6.1 Setting the Eclipse debug configuration
    4.6.2 Filling in the debug configuration information
    4.6.3 Debug connection
  4.7 Debugging example
    4.7.1 Set a breakpoint
    4.7.2 Triggering the breakpoint in the EventListener SPI
5 Keycloak logger
  5.1 Presentation
  5.2 Adjusting the log level dynamically
    5.2.1 Reading the current root-logger value
    5.2.2 Updating the root-logger value
6 Keycloak multifactor authentication (MFA) using OTP
  6.1 Presentation
  6.2 demo_otp realm
  6.3 Modifying the demo_otp authentication workflow
  6.4 Mobile authenticator
  6.5 Authentication of a user for the first time
  6.6 Authentication of a user (after the first time)
  6.7 Keycloak OTP
7 MFA with Keycloak
  7.1 Presentation
  7.2 Keycloak OTP MFA versus SMS-OTP
  7.3 LOA concepts and MFA usage
  7.4 Keycloak/RH-SSO authentication flow and MFA
    7.4.1 RH-SSO 7.2 (Keycloak 3.4.3)
    7.4.2 Keycloak 4.6 (latest)
    7.4.3 Upcoming release 5.X – Jira tickets
  7.5 Keycloak/RH-SSO MFA synthesis
8 Mapping LDAP groups to Keycloak roles
  8.1 Presentation
  8.2 LDAP group to Keycloak roles mapping workflow
  8.3 Concrete application: creating an LDAP/SSO admin
  8.4 Use case example
    8.4.1 Example requirements
    8.4.2 Installing the Keycloak ldap example
    8.4.3 Connecting with JXplorer to the embedded LDAP server
    8.4.4 Browsing the embedded LDAP
  8.5 User federation with LDAP
    8.5.1 Setting up the LDAP user federation connector
    8.5.2 Defining LDAP synchronisation
  8.6 Adding the group LDAP mapper
    8.6.1 Creating the LDAP group mapping
    8.6.2 Synchronizing the LDAP group mapping
  8.7 Adding an SSO role to a Keycloak group
    8.7.1 Keycloak ldap-admin group
    8.7.2 Adding a Keycloak role to this ldap-admin group
  8.8 Testing the workflow
    8.8.1 Creation of a new LDAP user
    8.8.2 LDAP user part of the ldap-admin group
    8.8.3 Keycloak LDAP synchronization
    8.8.4 New user with Keycloak admin role rights
  8.9 Logging in to the admin console with a new admin user
9 Getting a Keycloak access token from LDAP values
  9.1 Installing WildFly 14
    9.1.1 Installation of WildFly 14
    9.1.2 Installation of the JBoss EAP connector for WildFly
  9.2 Starting the Keycloak auth server (port 8180)
  9.3 Registering the ldap-app client in the Keycloak server
  9.4 Importing LDAP users
    9.4.1 Starting the embedded LDAP server
    9.4.2 Defining LDAP user federation
    9.4.3 Defining the role LDAP mapper
    9.4.4 LDAP role synchronization
    9.4.5 Postal code
    9.4.6 Syncing LDAP users
  9.5 Deploying the ldap-portal webapp
    9.5.1 Fix the Keycloak auth URI
    9.5.2 Compiling and installing the ldap-portal webapp
  9.6 Testing the example
    9.6.1 Postal code for user bwilson
    9.6.2 Testing the ldap-portal webapp
  9.7 Examining the example source code
    9.7.1 ldap-portal source code
    9.7.2 Java documentation: Security Context
10 Using client scopes with Keycloak
  10.1 Presentation
  10.2 Scope and claims: OpenID Core definition
  10.3 Using scopes and claims
  10.4 Using scopes with Keycloak
    10.4.1 Using the Keycloak access token
    10.4.2 Keycloak attribute and role scopes
    10.4.3 Keycloak access token example using a scope
  10.5 Obtaining the access token using direct grant
    10.5.1 ROPC workflow definition
    10.5.2 Enabling ROPC with Keycloak
  10.6 Scripting token access using the ROPC workflow
  10.7 Creating a new scope to expose the postalcode claim
    10.7.1 Creating the info scope within the ldap-demo realm
    10.7.2 Mappers of the info scope
  10.8 Using the new scope in a REST API query
  10.9 Configuring the Keycloak client scope
    10.9.1 Configuring the info scope as an optional client scope
    10.9.2 REST API query displaying the info scope
  10.10 Using the Keycloak generator to evaluate scopes
11 Understanding client authenticator security
  11.1 client_id/client_secret security issue
  11.2 Using other Keycloak client authenticators
  11.3 Using the Signed JWT client authenticator
  11.4 JWKS_URI
  11.5 Signed JWT authenticator – example
    11.5.1 product-portal example
    11.5.2 Registration of the product-portal client application in Keycloak
    11.5.3 keycloak.json file (product-portal app)
    11.5.4 Client-app keystore
  11.6 Log trace
12 Understanding token usage
  12.1 Token lifecycle
  12.2 Understanding Keycloak session scope
    12.2.1 Session creation
    12.2.2 Session usage
    12.2.3 Session termination
    12.2.4 Importance of session control – potential security vulnerability
  12.3 Keycloak access token
  12.4 Offline access token
    12.4.1 Methods to deliver an access token
    12.4.2 Offline token presentation
    12.4.3 How to use the Keycloak offline token
    12.4.4 Difference between an offline token and a refresh token
    12.4.5 Offline Session Max Limited
  12.5 Lifecycle of the offline token
    12.5.1 Offline token creation
    12.5.2 Offline token flow operations
    12.5.3 Offline token usage – getting an access token
    12.5.4 Revoking the offline token
13 Examples of offline token usage
  13.1 Using an offline token through the direct access grant flow
    13.1.1 Requirement
    13.1.2 Token lifespan
    13.1.3 Setting the maximum invocation of the refresh token
    13.1.4 Script used to obtain the offline token
  13.2 Revoking the offline token
    13.2.1 Revocation of the offline token through the admin UI
    13.2.2 Through the user self-service panel
  13.3 Necessity of adding offline_access to the client request scope
    13.3.1 Request without the client scope
    13.3.2 Request with the client scope
  13.4 Keycloak offline example
    13.4.1 Step 1 – the user logs in to the app; an offline access token is generated
    13.4.2 Step 2 – the user logs out from the app
    13.4.3 Step 3 – the app can still access the resources using the offline access token
14 Understanding Keycloak user federation
  14.1 Overview
  14.2 User federation storage provider
  14.3 Keycloak default local user storage (SQL database)
    14.3.1 Synchronizing LDAP users to Keycloak
    14.3.2 Synchronizing newly created Keycloak users to LDAP
    14.3.3 Dealing with the Keycloak – LDAP synchronization parameters
  14.4 Using the Keycloak user federation SPI
  14.5 Using the Keycloak provider interfaces
  14.6 Keycloak user storage simple provider (read-only)
    14.6.1 Deploying providers
  14.7 User storage simple provider (write-only)
    14.7.1 Configuring the write-only provider
    14.7.2 example-user.properties
    14.7.3 Logging in to Keycloak
    14.7.4 Displaying all the users
  14.8 Keycloak user storage JPA provider
    14.8.1 Presentation
    14.8.2 Using JPA
    14.8.3 Keycloak user storage JPA example
    14.8.4 Testing the XA data source with the Keycloak management console
    14.8.5 Testing with the EJB application
    14.8.6 Rendering users visible in the admin console
  14.9 Pointers
15 Understanding Keycloak authentication
  15.1 Presentation
  15.2 Authentication tab selection
  15.3 Authentication bindings
  15.4 Authentication flows
    15.4.1 Authentication flow presentation
    15.4.2 Browser authentication flow
    15.4.3 Direct grant authentication flow
    15.4.4 Registration flow
    15.4.5 Reset credentials flow
    15.4.6 First broker login flow
    15.4.7 Client authentication flow
  15.5 Required actions
  15.6 Customising the authenticator flow
    15.6.1 Reference
    15.6.2 Installing the authenticator example
    15.6.3 Deploying the customized authenticator flow
16 Using the apache2 mod_auth_openidc module with Keycloak (OpenID Connect)
  16.1 Presentation
  16.2 OpenID Connect protocol recap
  16.3 Putting mod_auth_openidc in place
  16.4 Enabling the mod_auth_openidc module with apache2
    16.4.1 Getting hold of the library
    16.4.2 Configuring the Keycloak server for mod_auth_openidc
  16.5 Configuration of the mod_auth_openidc module
  16.6 Example
  16.7 Using the mod_auth_openidc hook
  16.8 Keycloak and NGINX
17 Protecting Keycloak/RH-SSO in production with a reverse proxy architecture
  17.1 Why add a reverse proxy
  17.2 Architectural deployment example
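Sections 10.6, 12.4.4 and 13.3 of the outline above cover scripting the direct grant (ROPC) flow, telling an offline token from a refresh token, and why the request must ask for the offline_access scope. The following Python is an added illustration written for this page, not a script from the training deck. It assumes the Keycloak 3.x/4.x and RH-SSO 7.x endpoint layout (/auth/realms/<realm>/protocol/openid-connect/token), that refresh-type tokens carry a "typ" claim of "Refresh" or "Offline" and that an offline token has no usable "exp" (absent or 0); the realm ldap-demo, client ldap-app, port 8180 and user bwilson come from the outline, the password and every token below are constructed locally. decode_claims() reads the payload only and performs no signature verification, so it is an inspection aid, never a way to trust a token.

```python
"""Build Keycloak direct-grant requests and inspect refresh vs. offline tokens.

Added example (not from the training deck). Assumptions are marked below.
"""
import base64
import json
import time
from urllib.parse import urlencode


def token_endpoint(base_url, realm):
    """Token endpoint of a realm. Assumes the /auth prefix of Keycloak 3.x/4.x."""
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"


def direct_grant_body(client_id, username, password, client_secret=None, offline=False):
    """Form body for the Resource Owner Password Credentials (direct access grant).

    Keycloak only returns an offline token instead of a session-bound refresh
    token when the request carries scope=offline_access (outline section 13.3).
    """
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if client_secret is not None:      # confidential client: secret travels in the body
        body["client_secret"] = client_secret
    if offline:
        body["scope"] = "offline_access"
    return urlencode(body)


def refresh_body(client_id, refresh_token, client_secret=None):
    """Form body that exchanges a refresh or offline token for a new access token."""
    body = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}
    if client_secret is not None:
        body["client_secret"] = client_secret
    return urlencode(body)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(jwt):
    """Return the payload claims of a compact JWT. NO signature verification."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify(jwt, now=None):
    """Tell an offline token from a refresh token and report whether it expired."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(jwt)
    # Assumption: Keycloak sets "typ" to Bearer / Refresh / Offline on its tokens.
    kind = {"Offline": "offline", "Refresh": "refresh", "Bearer": "access"}.get(
        claims.get("typ"), "unknown")
    exp = claims.get("exp")
    no_expiry = exp in (None, 0)       # assumption: offline tokens carry no exp (or 0)
    return {
        "kind": kind,
        "expired": (not no_expiry) and exp <= now,
        "offline_access": "offline_access" in claims.get("scope", "").split(),
    }


def make_unsigned_token(claims):
    """Constructed, unsigned JWT (alg none) used only to feed classify() locally."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


if __name__ == "__main__":
    print(token_endpoint("http://localhost:8180", "ldap-demo"))
    # "password" is a constructed credential for the demo user bwilson.
    print(direct_grant_body("ldap-app", "bwilson", "password", offline=True))
    now = int(time.time())
    samples = {
        "refresh": make_unsigned_token({"typ": "Refresh", "exp": now - 60, "scope": "openid"}),
        "offline": make_unsigned_token({"typ": "Offline", "exp": 0,
                                        "scope": "openid offline_access"}),
    }
    for name, tok in samples.items():
        print(name, classify(tok, now))
```

Post the body from direct_grant_body() to token_endpoint() with Content-Type application/x-www-form-urlencoded; the refresh_token field of the JSON reply is the token to run through classify(). Without scope=offline_access the reply's refresh token dies with the user session (outline 13.3.1), which is exactly the behaviour step 3 of the offline example (13.4.3) relies on not happening.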