Guide of authentication and authorization for cloud native applications with Keycloak
0 likes160 views
This document provides an overview and summary of a presentation about authentication and authorization for cloud native applications using Keycloak. The presentation introduces Keycloak as an open source identity and access management solution, discusses the importance of authentication and authorization, and describes how Keycloak can be used for authentication methods like single sign-on, social login, and multi-factor authentication as well as authorization standards like OAuth 2.0 and Financial-Grade API 1.0. It also covers Keycloak features that help secure cloud native environments and applications.
![1
© Hitachi, Ltd. 2023. All rights reserv ed.
About the speaker
• Specialist in authentication and authorization
➢ Engaged in authentication and authorization technical support
• Contributor of Keycloak which is Identity and Access Management (IAM) OSS
➢ OAuth 2.0 Device Authorization Grant [RFC8628]
➢ Performance improvement
➢ Security improvement for tokens
• Other activities
➢ Writer of web articles about IAM (Japanese)
Michito Okai
➢ Software Engineer
➢ Hitachi, Ltd.
➢ GitHub: @Michito-Okai](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-2-320.jpg)
![10
© Hitachi, Ltd. 2023. All rights reserv ed.
Minimization of Security Risks with Keycloak [1/3]
There are two important things to implement authentication and
authorization and to minimize security risks.
• Support standard specifications recommended by best current practice (BCP) to
protect from current attack methods
• Continue to support specifications recommended by new BCP to protect from
new evolved attack methods
Keycloak satisfies the above two important things.
Time
BCP
attack methods new attack methods new attack methods
new BCP new BCP
evolve evolve
evolve evolve
now](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-11-320.jpg)
![11
© Hitachi, Ltd. 2023. All rights reserv ed.
Minimization of Security Risks with Keycloak [2/3]
Keycloak adheres the following standard specifications.
* OAuth 2.0 Security Best Current Practice Draft 24.
There are two important things to implement authentication and
authorization and to minimize security risks.
• Support standard specifications recommended by best current practice (BCP) to
protect from current attack methods
• Continue to support specifications recommended by new BCP to protect from
new evolved attack methods
OK
Keycloak supports
OAuth OIDC
[OpenID Connect Core],
[OpenID Connect Discovery],
[Financial-grade API: JWT Secured
Authorization Response Mode for
OAuth 2.0 (JARM)]
BCP*
[RFC6749],
[RFC6750],
[RFC7636],
[RFC9126],
[OAuth 2.0 Form Post
Response Mode]
[RFC7009],
[RFC7592],
[RFC7662],
[RFC8626],
[RFC8705]
[OpenID Connect
Dynamic Registration],
[Financial-grade API: Client
Initiated Backchannel
Authentication Profile]](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-12-320.jpg)
![12
© Hitachi, Ltd. 2023. All rights reserv ed.
Minimization of Security Risks with Keycloak [3/3]
Keycloak is quick to support standard specifications.
• Keycloak has OAuth SIG (Special Interest Group) which implements security
standard specifications related to OAuth or OpenID Foundation.
-> Specialists of OAuth SIG discuss implementing standard specifications once a
month.
• The number of author in GitHub for one year is 311*1 and Keycloak ranked in 7th in
terms of the fastest-growing contributor counts*2.
-> It is expected that the community including OAuth SIG will continue to be active.
There are two important things to implement authentication and
authorization and to minimize security risks.
• Support standard specifications recommended by best current practice (BCP) to
protect from current attack methods
• Continue to support specifications recommended by new BCP to protect from
new evolved attack methods OK
*1 https://www.cncf.io/blog/2023/10/27/october-2023-where-we-are-with-velocity-of-cncf-lf-and-top-30-open-source-projects/
*2 https://octoverse.github.com/2022/state-of-open-source](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-13-320.jpg)
![17
© Hitachi, Ltd. 2023. All rights reserv ed.
Multi-Factor Authentication (MFA) [1/2]
Multi-Factor Authentication (MFA) is authenticating by using two or
more of the following three.
• Something You Know (ex: password)
• Something You Have (ex: authenticator)
• Something You Are (ex: fingerprint)
Keycloak authenticates using Something You Know and Something
You Have.
0. Register authenticator
Username:
Password:
Login
User
1. Password authentication
Keycloak
One Time Password
Submit
2. One time password authentication
Something You Know
(password)
Something You Have
(authenticator)
Authenticator](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-18-320.jpg)
![18
© Hitachi, Ltd. 2023. All rights reserv ed.
Multi-Factor Authentication (MFA) [2/2]
Keycloak prevents illegal authentication even if attacker succeeds in
password authentication by an attack method such as dictionary
attack, password list-based attack, brute-force attack and reverse
brute-force attack.
Attacker
Keycloak
Password authentication succeeds
because attacker knows username and password.
One time Password authentication fails
because attacker does not have authenticator.
2. One time password authentication
1. Password authentication
Username:
Password:
Login
One Time Password
Submit](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-19-320.jpg)
![19
© Hitachi, Ltd. 2023. All rights reserv ed.
WebAuthn (PasswordlessAuthentication) [1/2]
WebAuthn is authentication technology which enables passwordless
authentication and MFA.
Keycloak authenticates user without password.
• Users do not need to remember complex passwords.
• Phishing can be prevented in Keycloak.
User
challenge
Fingerprint authentication,
face authentication, etc.
→Something You Are (fingerprint)
Verify the signature.
→ Something You Have (authenticator)
Keycloak
Authenticator
(smart phone)
signature for challenge
Username:
Password:
Login](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-20-320.jpg)
![20
© Hitachi, Ltd. 2023. All rights reserv ed.
WebAuthn (PasswordlessAuthentication) [2/2]
WebAuthn is authentication technology which enables passwordless
authentication and MFA.
Keycloak authenticates user without password.
• Users do not need to remember complex passwords.
• Phishing can be prevented in Keycloak.
User
Signature verification fails
because challenges 3 and 4 are different.
Keycloak
Attacker
Authenticator
(smart phone)
1. challenge
2. signature for challenge
4. signature for challenge
3. challenge
Fingerprint authentication,
face authentication, etc.
→Something You Are (fingerprint)](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-21-320.jpg)
![25
© Hitachi, Ltd. 2023. All rights reserv ed.
Specificationfor authorization by access token. It is a
framework of authorization, but improperimplementation
oftenleads to vulnerabilities.
Financial-grade API (FAPI) 1.0 [1/4]
OAuth 2.0
OIDC 1.0
FAPI 1.0
Some secure usage of OAuth 2.0 is introduced and OIDC
1.0 can be used for authentication by ID token.
However, improperimplementationis still not restricted.
Secure usage of OAuth 2.0/OIDC1.0 is described across
the protocolflow, including usage of optional specificationof
OAuth 2.0 (e.g. PKCE) and lower layer protocol(SSL/TLS)
usage.
FAPI 1.0 is a high-level API security specification describing secure
usage of OAuth 2.0 and OpenID Connect (OIDC) 1.0.](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-26-320.jpg)
![26
© Hitachi, Ltd. 2023. All rights reserv ed.
Financial-grade API (FAPI) 1.0 [2/4]
OpenBanking using FAPI.
[UK : OpenBanking]
• OpenBanking Financial Grade API (FAPI) Profile
• OpenBanking CIBA Profile
[Australia : Consumer Data Right (CDR)]
• Consumer Data Right Security Profile
[Brazil : Open Banking Brasil]
• Open Banking/Finance Brasil Financial-grade API Security Profile
[Saudi Arabia : SAMA Open Banking]
• OpenBanking Financial Grade API (FAPI) Profile](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-27-320.jpg)
![27
© Hitachi, Ltd. 2023. All rights reserv ed.
Financial-grade API (FAPI) 1.0 [3/4]
Keycloak prevents attacks that cannot be prevented in OAuth 2.0.
• Users can use services securely.
6. API request w/ access token
xxx service
Client
7. API response
Tampering of authorization request
API request sent by the attacker is successful
when attackers steal access token
1. authorization request via browser
4. token request
Tampering of authorization response
3. authorization response via browser
5. token response
(including access token)
User
Keycloak
0. use
2. user authentication/authorization](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-28-320.jpg)
![28
© Hitachi, Ltd. 2023. All rights reserv ed.
Financial-grade API (FAPI) 1.0 [4/4]
Keycloak prevents attacks that cannot be prevented in OAuth 2.0.
• Users can use services securely.
Client can detect tampering
of authorization response
Keycloak can detect tampering
of authorization request
xxx service can reject API request
with stolen access token
User
6. API request w/ access token
xxx service
Keycloak
Client
0. use
7. API response
Authorization response with signature
Access token has information of the client certification
1. authorization request via browser
4. token request
Authorization request with signature
2. user authentication/authorization
3. authorization response via browser
5. token response
(including access token)](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-29-320.jpg)
![29
© Hitachi, Ltd. 2023. All rights reserv ed.
OAuth 2.0 Device Authorization Grant [1/4]
OAuth 2.0 device authorization grant is designed for IoT devices that
either lack a browser or are input constrained text.
Keycloak executes authorization even if clients don’t have browser.
• Users can use IoT device as clients.
xxx service
Keycloak
0. use
1. device authorization request
2. device authorization response w/ verification_uri and user code
User
Client
(smart TV)
URI: https://…
user code:xxx](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-30-320.jpg)
![30
© Hitachi, Ltd. 2023. All rights reserv ed.
OAuth 2.0 Device Authorization Grant [2/4]
OAuth 2.0 device authorization grant is designed for IoT devices that
either lack a browser or are input constrained text.
Keycloak executes authorization even if clients don’t have browser.
• Users can use IoT device as clients.
xxx service
Keycloak
0. use
1. device authorization request
2. device authorization response w/ verification_uri and user code
User
smart phone
Client
(smart TV)
URI: https://…
user code:xxx
3. input](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-31-320.jpg)
![31
© Hitachi, Ltd. 2023. All rights reserv ed.
OAuth 2.0 Device Authorization Grant [3/4]
OAuth 2.0 device authorization grant is designed for IoT devices that
either lack a browser or are input constrained text.
Keycloak executes authorization even if clients don’t have browser.
• Users can use IoT device as clients.
xxx service
Keycloak
0. use
1. device authorization request
3’. token request
2. device authorization response w/ verification_uri and user code
4’. token response
(not including access token)
User
smart phone
Client
(smart TV)
URI: https://…
user code:xxx
3. input](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-32-320.jpg)
![32
© Hitachi, Ltd. 2023. All rights reserv ed.
OAuth 2.0 Device Authorization Grant [4/4]
OAuth 2.0 device authorization grant is designed for IoT devices that
either lack a browser or are input constrained text.
Keycloak executes authorization even if clients don’t have browser.
• Users can use IoT device as clients.
xxx service
Keycloak
0. use
1. device authorization request
5. token request
2. device authorization response w/ verification_uri and user code
6. token response
(including access token)
User
smart phone
4. user and user code authentication/authorization
7. API request w/ access token
8. API response
Client
(smart TV)
URI: https://…
user code:xxx
3. input](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-33-320.jpg)
![33
© Hitachi, Ltd. 2023. All rights reserv ed.
Summary[1/2]
• Authentication and Authorization is important.
• Keycloak joined CNCF as an incubating project.
->Keycloak will be de-facto standard IAM product for CNCF
ecosystem.
• Authentication and Authorization for Cloud Native Applications with
Keycloak.
• Single Sign On (SSO)
• Social Login
• Multi-Factor Authentication (MFA)
• WebAuthn (Passwordless Authentication)
• Passkeys (Passwordless Authentication)
• OAuth 2.0
• Financial-grade API (FAPI) 1.0
• OAuth 2.0 Device Authorization Grant
Authentication Authorization](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-34-320.jpg)
![34
© Hitachi, Ltd. 2023. All rights reserv ed.
Summary[2/2]
• If you would like to know more about Keycloak, please see below.
• Official documentation
https://www.keycloak.org/documentation
• GitHub
https://github.com/keycloak/keycloak
• Book written by the Keycloak project leader
https://www.amazon.co.jp/Keycloak-Identity-Management-Applications-applications-
ebook/dp/B0BPY1RDND?language=en_US¤cy=USD](https://image.slidesharecdn.com/ossj2013-231215060829-cefadef3/85/Guide-of-authentication-and-authorization-for-cloud-native-applications-with-Keycloak-35-320.jpg)
Guide of authentication and authorization for cloud native applications with Keycloak
- 1. © Hitachi, Ltd. 2023. All rights reserv ed. Guide of authentication and authorization for cloud native applications with Keycloak Open Source Summit Japan 2023 Hitachi, Ltd. OSS Solution Center 12/05/2023 Michito Okai
- 2. 1 © Hitachi, Ltd. 2023. All rights reserv ed. About the speaker • Specialist in authentication and authorization ➢ Engaged in authentication and authorization technical support • Contributor of Keycloak which is Identity and Access Management (IAM) OSS ➢ OAuth 2.0 Device Authorization Grant [RFC8628] ➢ Performance improvement ➢ Security improvement for tokens • Other activities ➢ Writer of web articles about IAM (Japanese) Michito Okai ➢ Software Engineer ➢ Hitachi, Ltd. ➢ GitHub: @Michito-Okai
- 3. © Hitachi, Ltd. 2023. All rights reserv ed. 1. Importance of Authentication and Authorization 2. Introduction of Keycloak 3. Authentication for Cloud Native Applications with Keycloak Contents 2 4. Authorization for Cloud Native Applications with Keycloak
- 4. © Hitachi, Ltd. 2023. All rights reserv ed. Contents 3 1. Importance of Authentication and Authorization 2. Introduction of Keycloak 3. Authentication for Cloud Native Applications with Keycloak 4. Authorization for Cloud Native Applications with Keycloak
- 5. 4 © Hitachi, Ltd. 2023. All rights reserv ed. What is Authentication and Authorization Authorization is the process of verifying if user can access the requested API. ? Authenticated Authorized Authentication is the process of verifying the user (client) who (which) is requesting API. can access? ? API can access? ? API Michito Okai can access? ? API Michito Okai can access API Michito Okai
- 6. 5 © Hitachi, Ltd. 2023. All rights reserv ed. Security risks about “Authentication” and “Authorization” in OWASP Top 10. * OWASP Top 10 2021 https://owasp.org/Top10/ #7 Identificationand AuthenticationFailures Security risks about “Authentication” and “Authorization” in OWASP Top 10 API Security. * OWASP Top 10 API Security Risks - 2023 https://owasp.org/API-Security/editions/2023/en/0x11-t10/ #2 BrokenAuthentication Security Risks about Authentication and Authorization in OWASP Top 10 and OWASP Top 10 API Security #1 BrokenAccess Control #1 BrokenObjectLevel Authorization #5 BrokenFunction Level Authorization #3 BrokenObjectProperty LevelAuthorization It is important to minimize security risks by implementing appropriate authentication and authorization.
- 7. © Hitachi, Ltd. 2023. All rights reserv ed. Contents 6 1. Importance of Authentication and Authorization 2. Introduction of Keycloak 3. Authentication for Cloud Native Applications with Keycloak 4. Authorization for Cloud Native Applications with Keycloak
- 8. 7 © Hitachi, Ltd. 2023. All rights reserv ed. Major features ⚫ Support standard specifications. ex. OAuth 2.0, OpenID Connect 1.0, SAML v2, … ⚫ Login with social media. ⚫ Connect to existing user stores. ex. LDAP, Active Directory, … What is Keycloak • Keycloak is Identity and Access Management (IAM) OSS. Supporting Standard Specifications Keycloak LDAP Active Directory RDB OpenID Connect 1.0 SAML v2 GitHub Twitter Facebook Identity Management Social Login OAuth 2.0
- 9. 8 © Hitachi, Ltd. 2023. All rights reserv ed. Keycloak for Cloud Native Environments Keycloak has two advantages for cloud native environments. 1. Easy deployment on Kubernetes 2. Suitable for container environments Keycloak changed based distribution from Wildfly to Quarkus. • Keycloak starting time has been fast from 13.5 second to 8.7 second* • Memory consumption of Keycloak at starting has been less from 407 MB to 234 MB* Quick scaling is possible There are two ways to deploy Keycloak on Kubernetes. ① Using docker image ② Using Keycloak operator * https://thinkit.co.jp/article/22308
- 10. 9 © Hitachi, Ltd. 2023. All rights reserv ed. Keycloak joined CNCF as incubating project In April 2023, Keycloak joined CNCF as an incubating project. Keycloak will be de-facto standard IAM products for CNCF ecosystem.
- 11. 10 © Hitachi, Ltd. 2023. All rights reserv ed. Minimization of Security Risks with Keycloak [1/3] There are two important things to implement authentication and authorization and to minimize security risks. • Support standard specifications recommended by best current practice (BCP) to protect from current attack methods • Continue to support specifications recommended by new BCP to protect from new evolved attack methods Keycloak satisfies the above two important things. Time BCP attack methods new attack methods new attack methods new BCP new BCP evolve evolve evolve evolve now
- 12. 11 © Hitachi, Ltd. 2023. All rights reserv ed. Minimization of Security Risks with Keycloak [2/3] Keycloak adheres the following standard specifications. * OAuth 2.0 Security Best Current Practice Draft 24. There are two important things to implement authentication and authorization and to minimize security risks. • Support standard specifications recommended by best current practice (BCP) to protect from current attack methods • Continue to support specifications recommended by new BCP to protect from new evolved attack methods OK Keycloak supports OAuth OIDC [OpenID Connect Core], [OpenID Connect Discovery], [Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)] BCP* [RFC6749], [RFC6750], [RFC7636], [RFC9126], [OAuth 2.0 Form Post Response Mode] [RFC7009], [RFC7592], [RFC7662], [RFC8626], [RFC8705] [OpenID Connect Dynamic Registration], [Financial-grade API: Client Initiated Backchannel Authentication Profile]
- 13. 12 © Hitachi, Ltd. 2023. All rights reserv ed. Minimization of Security Risks with Keycloak [3/3] Keycloak is quick to support standard specifications. • Keycloak has OAuth SIG (Special Interest Group) which implements security standard specifications related to OAuth or OpenID Foundation. -> Specialists of OAuth SIG discuss implementing standard specifications once a month. • The number of author in GitHub for one year is 311*1 and Keycloak ranked in 7th in terms of the fastest-growing contributor counts*2. -> It is expected that the community including OAuth SIG will continue to be active. There are two important things to implement authentication and authorization and to minimize security risks. • Support standard specifications recommended by best current practice (BCP) to protect from current attack methods • Continue to support specifications recommended by new BCP to protect from new evolved attack methods OK *1 https://www.cncf.io/blog/2023/10/27/october-2023-where-we-are-with-velocity-of-cncf-lf-and-top-30-open-source-projects/ *2 https://octoverse.github.com/2022/state-of-open-source
- 14. © Hitachi, Ltd. 2023. All rights reserv ed. Contents 13 1. Importance of Authentication and Authorization 2. Introduction of Keycloak 3. Authentication for Cloud Native Applications with Keycloak 4. Authorization for Cloud Native Applications with Keycloak
- 15. 14 © Hitachi, Ltd. 2023. All rights reserv ed. Authentication for Cloud Native Applications The following functions are useful in terms of authentication for cloud native applications • Single Sign On (SSO) • Social Login • Multi-Factor Authentication (MFA) • WebAuthn (Passwordless Authentication) • Passkeys (Passwordless Authentication)
- 16. 15 © Hitachi, Ltd. 2023. All rights reserv ed. Single Sign On (SSO) Single Sign On (SSO) is a system that allows you to use multiple applications with one login. Keycloak enables SSO by cookie authentication. • Users do not have to input and manage username and password for each application Username: Password: Login Username: Password: Login Username: Password: Login User Username: Password: Login Cloud native application Cloud native application Cloud native application Cloud native application Cloud native application Cloud native application Keycloak User
- 17. 16 © Hitachi, Ltd. 2023. All rights reserv ed. Social Login Social Login is logging in services using account of social media. Keycloak allows users to use account of social media such as GitHub, Facebook, Twitter and Microsoft and so on. • Users do not have to input user information such as name, address, e-mail, telephone number and password and manage username and password. User Username: Password: Login Login with GitHub Login with Facebook Keycloak Facebook Username: Password: Login GitHub Username: Password: Login Cloud native application Cloud native application Cloud native application
- 18. 17 © Hitachi, Ltd. 2023. All rights reserv ed. Multi-Factor Authentication (MFA) [1/2] Multi-Factor Authentication (MFA) is authenticating by using two or more of the following three. • Something You Know (ex: password) • Something You Have (ex: authenticator) • Something You Are (ex: fingerprint) Keycloak authenticates using Something You Know and Something You Have. 0. Register authenticator Username: Password: Login User 1. Password authentication Keycloak One Time Password Submit 2. One time password authentication Something You Know (password) Something You Have (authenticator) Authenticator
- 19. 18 © Hitachi, Ltd. 2023. All rights reserv ed. Multi-Factor Authentication (MFA) [2/2] Keycloak prevents illegal authentication even if attacker succeeds in password authentication by an attack method such as dictionary attack, password list-based attack, brute-force attack and reverse brute-force attack. Attacker Keycloak Password authentication succeeds because attacker knows username and password. One time Password authentication fails because attacker does not have authenticator. 2. One time password authentication 1. Password authentication Username: Password: Login One Time Password Submit
- 20. 19 © Hitachi, Ltd. 2023. All rights reserv ed. WebAuthn (PasswordlessAuthentication) [1/2] WebAuthn is authentication technology which enables passwordless authentication and MFA. Keycloak authenticates user without password. • Users do not need to remember complex passwords. • Phishing can be prevented in Keycloak. User challenge Fingerprint authentication, face authentication, etc. →Something You Are (fingerprint) Verify the signature. → Something You Have (authenticator) Keycloak Authenticator (smart phone) signature for challenge Username: Password: Login
- 21. 20 © Hitachi, Ltd. 2023. All rights reserv ed. WebAuthn (PasswordlessAuthentication) [2/2] WebAuthn is authentication technology which enables passwordless authentication and MFA. Keycloak authenticates user without password. • Users do not need to remember complex passwords. • Phishing can be prevented in Keycloak. User Signature verification fails because challenges 3 and 4 are different. Keycloak Attacker Authenticator (smart phone) 1. challenge 2. signature for challenge 4. signature for challenge 3. challenge Fingerprint authentication, face authentication, etc. →Something You Are (fingerprint)
- 22. 21 © Hitachi, Ltd. 2023. All rights reserv ed. Passkeys (Passwordless Authentication) Passkeys is authentication technology which synchronizes credentials between multi authenticators by Cloud Platform. Keycloak authenticates user with multi authenticators. • Users can use smart phones and PCs as authenticator. User When users lost or replace smart phone, users can use PC or new smart phone as authenticator without re-registration. Keycloak Authenticator (smart phone) challenge signature for challenge Authenticator (PC) Cloud Platform ✓ Improve user experience
- 23. © Hitachi, Ltd. 2023. All rights reserv ed. Contents 22 1. Importance of Authentication and Authorization 2. Introduction of Keycloak 3. Authentication for Cloud Native Applications with Keycloak 4. Authorization for Cloud Native Applications with Keycloak
- 24. 23 © Hitachi, Ltd. 2023. All rights reserv ed. Authorization for Cloud Native Applications To support the following standard specifications is useful in terms of authorization for cloud native applications. • OAuth 2.0 • Financial-grade API (FAPI) 1.0 • OAuth 2.0 Device Authorization Grant
- 25. 24 © Hitachi, Ltd. 2023. All rights reserv ed. OAuth 2.0 OAuth 2.0 is de-facto standard about issue of token which is essential for authorization. Keycloak issues tokens in compliance with OAuth 2.0. User 6. API request w/ access token xxx service Keycloak Client 0. use 7. API response 2. user authentication/authorization 1. authorization request via browser 4. token request 3. authorization response via browser 5. token response (including access token) There are attacks that cannot be prevented in OAuth 2.0.
- 26. 25 © Hitachi, Ltd. 2023. All rights reserv ed. Specificationfor authorization by access token. It is a framework of authorization, but improperimplementation oftenleads to vulnerabilities. Financial-grade API (FAPI) 1.0 [1/4] OAuth 2.0 OIDC 1.0 FAPI 1.0 Some secure usage of OAuth 2.0 is introduced and OIDC 1.0 can be used for authentication by ID token. However, improperimplementationis still not restricted. Secure usage of OAuth 2.0/OIDC1.0 is described across the protocolflow, including usage of optional specificationof OAuth 2.0 (e.g. PKCE) and lower layer protocol(SSL/TLS) usage. FAPI 1.0 is a high-level API security specification describing secure usage of OAuth 2.0 and OpenID Connect (OIDC) 1.0.
- 27. 26 © Hitachi, Ltd. 2023. All rights reserv ed. Financial-grade API (FAPI) 1.0 [2/4] OpenBanking using FAPI. [UK : OpenBanking] • OpenBanking Financial Grade API (FAPI) Profile • OpenBanking CIBA Profile [Australia : Consumer Data Right (CDR)] • Consumer Data Right Security Profile [Brazil : Open Banking Brasil] • Open Banking/Finance Brasil Financial-grade API Security Profile [Saudi Arabia : SAMA Open Banking] • OpenBanking Financial Grade API (FAPI) Profile
- 28. 27 © Hitachi, Ltd. 2023. All rights reserv ed. Financial-grade API (FAPI) 1.0 [3/4] Keycloak prevents attacks that cannot be prevented in OAuth 2.0. • Users can use services securely. 6. API request w/ access token xxx service Client 7. API response Tampering of authorization request API request sent by the attacker is successful when attackers steal access token 1. authorization request via browser 4. token request Tampering of authorization response 3. authorization response via browser 5. token response (including access token) User Keycloak 0. use 2. user authentication/authorization
- 29. 28 © Hitachi, Ltd. 2023. All rights reserv ed. Financial-grade API (FAPI) 1.0 [4/4] Keycloak prevents attacks that cannot be prevented in OAuth 2.0. • Users can use services securely. Client can detect tampering of authorization response Keycloak can detect tampering of authorization request xxx service can reject API request with stolen access token User 6. API request w/ access token xxx service Keycloak Client 0. use 7. API response Authorization response with signature Access token has information of the client certification 1. authorization request via browser 4. token request Authorization request with signature 2. user authentication/authorization 3. authorization response via browser 5. token response (including access token)
- 30. 29 © Hitachi, Ltd. 2023. All rights reserv ed. OAuth 2.0 Device Authorization Grant [1/4] OAuth 2.0 device authorization grant is designed for IoT devices that either lack a browser or are input constrained text. Keycloak executes authorization even if clients don’t have browser. • Users can use IoT device as clients. xxx service Keycloak 0. use 1. device authorization request 2. device authorization response w/ verification_uri and user code User Client (smart TV) URI: https://… user code:xxx
- 31. 30 © Hitachi, Ltd. 2023. All rights reserv ed. OAuth 2.0 Device Authorization Grant [2/4] OAuth 2.0 device authorization grant is designed for IoT devices that either lack a browser or are input constrained text. Keycloak executes authorization even if clients don’t have browser. • Users can use IoT device as clients. xxx service Keycloak 0. use 1. device authorization request 2. device authorization response w/ verification_uri and user code User smart phone Client (smart TV) URI: https://… user code:xxx 3. input
- 32. 31 © Hitachi, Ltd. 2023. All rights reserv ed. OAuth 2.0 Device Authorization Grant [3/4] OAuth 2.0 device authorization grant is designed for IoT devices that either lack a browser or are input constrained text. Keycloak executes authorization even if clients don’t have browser. • Users can use IoT device as clients. xxx service Keycloak 0. use 1. device authorization request 3’. token request 2. device authorization response w/ verification_uri and user code 4’. token response (not including access token) User smart phone Client (smart TV) URI: https://… user code:xxx 3. input
- 33. 32 © Hitachi, Ltd. 2023. All rights reserv ed. OAuth 2.0 Device Authorization Grant [4/4] OAuth 2.0 device authorization grant is designed for IoT devices that either lack a browser or are input constrained text. Keycloak executes authorization even if clients don’t have browser. • Users can use IoT device as clients. xxx service Keycloak 0. use 1. device authorization request 5. token request 2. device authorization response w/ verification_uri and user code 6. token response (including access token) User smart phone 4. user and user code authentication/authorization 7. API request w/ access token 8. API response Client (smart TV) URI: https://… user code:xxx 3. input
- 34. 33 © Hitachi, Ltd. 2023. All rights reserv ed. Summary[1/2] • Authentication and Authorization is important. • Keycloak joined CNCF as an incubating project. ->Keycloak will be de-facto standard IAM product for CNCF ecosystem. • Authentication and Authorization for Cloud Native Applications with Keycloak. • Single Sign On (SSO) • Social Login • Multi-Factor Authentication (MFA) • WebAuthn (Passwordless Authentication) • Passkeys (Passwordless Authentication) • OAuth 2.0 • Financial-grade API (FAPI) 1.0 • OAuth 2.0 Device Authorization Grant Authentication Authorization
- 35. 34 © Hitachi, Ltd. 2023. All rights reserv ed. Summary[2/2] • If you would like to know more about Keycloak, please see below. • Official documentation https://www.keycloak.org/documentation • GitHub https://github.com/keycloak/keycloak • Book written by the Keycloak project leader https://www.amazon.co.jp/Keycloak-Identity-Management-Applications-applications- ebook/dp/B0BPY1RDND?language=en_US¤cy=USD
- 36. 35 © Hitachi, Ltd. 2023. All rights reserv ed. Trademarks • OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries. • GitHub is a trademark or registered trademarkof GitHub, Inc. in the United States and other countries. • Facebookis a trademark or registered trademark of Meta Platforms,Inc. in the United States and other countries. • Twitter is a trademark or registeredtrademark of X Corp.in the United States and other countries. • Microsoftis a trademark of the Microsoftgroup of companies. • Other brand names and product names used in this material are trademarks, registeredtrademarks, or trade names of their respective holders.
- 37. © Hitachi, Ltd. 2023. All rights reserv ed. Michito Okai 12/05/2023 Hitachi, Ltd. OSS Solution Center END Guide of authentication and authorization for cloud native applications with Keycloak 36