Table of contents

Cover
Title page
Copyright and Credits
Contributors
  About the authors
  About the reviewers
Table of Contents
Preface
  Who this book is for
  What this book covers
  To get the most out of this book
  Download the example code files
  Code in Action
  Download the color images
  Conventions used
  Get in touch
  Reviews

Section 1: Getting Started with Keycloak

  Chapter 1: Getting Started with Keycloak
    Technical requirements
    Introducing Keycloak
    Installing and running Keycloak
    Running Keycloak on Docker
    Installing and running Keycloak with OpenJDK
    Discovering the Keycloak admin and account consoles
    Getting started with the Keycloak admin console
    Getting started with the Keycloak account console
    Summary
    Questions

  Chapter 2: Securing Your First Application
    Technical requirements
    Understanding the sample application
    Running the application
    Understanding how to log in to the application
    Securely invoking the backend REST API
    Summary
    Questions

Section 2: Securing Applications with Keycloak

  Chapter 3: Brief Introduction to Standards
    Authorizing application access with OAuth 2.0
    Authenticating users with OpenID Connect
    Leveraging JWT for tokens
    Understanding why SAML 2.0 is still relevant
    Summary
    Questions

  Chapter 4: Authenticating Users with OpenID Connect
    Technical requirements
    Running the OpenID Connect playground
    Understanding the Discovery endpoint
    Authenticating a user
    Understanding the ID token
    Updating the user profile
    Adding a custom property
    Adding roles to the ID token
    Invoking the UserInfo endpoint
    Dealing with users logging out
    Initiating the logout
    Leveraging ID and access token expiration
    Leveraging OIDC Session Management
    Leveraging OIDC Back-Channel Logout
    A note on OIDC Front-Channel Logout
    How should you deal with logout?
    Summary
    Questions
    Further reading

  Chapter 5: Authorizing Access with OAuth 2.0
    Technical requirements
    Running the OAuth 2.0 playground
    Obtaining an access token
    Requiring user consent
    Limiting the access granted to access tokens
    Using the audience to limit token access
    Using roles to limit token access
    Using the scope to limit token access
    Validating access tokens
    Summary
    Questions
    Further reading

  Chapter 6: Securing Different Application Types
    Technical requirements
    Understanding internal and external applications
    Securing web applications
    Securing server-side web applications
    Securing a SPA with a dedicated REST API
    Securing a SPA with an intermediary REST API
    Securing a SPA with an external REST API
    Securing native and mobile applications
    Securing REST APIs and services
    Summary
    Questions
    Further reading

  Chapter 7: Integrating Applications with Keycloak
    Technical requirements
    Choosing an integration architecture
    Choosing an integration option
    Integrating with Golang applications
    Configuring a Golang client
    Integrating with Java applications
    Using Quarkus
    Using Spring Boot
    Using Keycloak adapters
    Integrating with JavaScript applications
    Integrating with Node.js applications
    Creating a Node.js resource server
    Integrating with Python applications
    Creating a Python client
    Creating a Python resource server
    Using a reverse proxy
    Try not to implement your own integration
    Summary
    Questions
    Further reading

  Chapter 8: Authorization Strategies
    Understanding authorization
    Using RBAC
    Using GBAC
    Mapping group membership into tokens
    Using OAuth2 scopes
    Using ABAC
    Using Keycloak as a centralized authorization server
    Summary
    Questions
    Further reading

Section 3: Configuring and Managing Keycloak

  Chapter 9: Configuring Keycloak for Production
    Technical requirements
    Setting the hostname for Keycloak
    Setting the frontend URL
    Setting the backend URL
    Setting the admin URL
    Enabling TLS
    Configuring a database
    Enabling clustering
    Configuring a reverse proxy
    Distributing the load across nodes
    Forwarding client information
    Keeping session affinity
    Testing your environment
    Testing load balancing and failover
    Testing the frontend and backchannel URLs
    Summary
    Questions
    Further reading

  Chapter 10: Managing Users
    Technical requirements
    Managing local users
    Creating a local user
    Managing user credentials
    Obtaining and validating user information
    Enabling self-registration
    Managing user attributes
    Integrating with LDAP and Active Directory
    Understanding LDAP mappers
    Synchronizing groups
    Synchronizing roles
    Integrating with third-party identity providers
    Creating an OpenID Connect identity provider
    Integrating with social identity providers
    Allowing users to manage their data
    Summary
    Questions
    Further reading

  Chapter 11: Authenticating Users
    Technical requirements
    Understanding authentication flows
    Configuring an authentication flow
    Using passwords
    Changing password policies
    Resetting user passwords
    Using OTPs
    Changing OTP policies
    Allowing users to choose whether they want to use OTP
    Forcing users to authenticate using OTP
    Using Web Authentication (WebAuthn)
    Enabling WebAuthn for an authentication flow
    Registering a security device and authenticating
    Using strong authentication
    Summary
    Questions
    Further reading

  Chapter 12: Managing Tokens and Sessions
    Technical requirements
    Managing sessions
    Managing session lifetimes
    Managing active sessions
    Expiring user sessions prematurely
    Understanding cookies and their relation to sessions
    Managing tokens
    Managing ID tokens' and access tokens' lifetimes
    Managing refresh tokens' lifetimes
    Enabling refreshing token rotation
    Revoking tokens
    Summary
    Questions
    Further reading

  Chapter 13: Extending Keycloak
    Technical requirements
    Understanding Service Provider Interfaces
    Packaging a custom provider
    Installing a custom provider
    Understanding the KeycloakSessionFactory and KeycloakSession components
    Understanding the life cycle of a provider
    Configuring providers
    Changing the look and feel
    Understanding themes
    Creating and deploying a new theme
    Extending templates
    Extending theme-related SPIs
    Customizing authentication flows
    Looking at other customization points
    Summary
    Questions
    Further reading

Section 4: Security Considerations

  Chapter 14: Securing Keycloak and Applications
    Securing Keycloak
    Encrypting communication to Keycloak
    Configuring the Keycloak hostname
    Rotating the signing keys used by Keycloak
    Regularly updating Keycloak
    Loading secrets into Keycloak from an external vault
    Protecting Keycloak with a firewall and an intrusion prevention system
    Securing the database
    Protecting the database with a firewall
    Enabling authentication and access control for the database
    Encrypting the database
    Securing cluster communication
    Enabling cluster authentication
    Encrypting cluster communication
    Securing user accounts
    Securing applications
    Web application security
    OAuth 2.0 and OpenID Connect best practice
    Keycloak client configurations
    Summary
    Questions
    Further reading

Assessments
  Chapter 1
  Chapter 2
  Chapter 3
  Chapter 4
  Chapter 5
  Chapter 6
  Chapter 7
  Chapter 8
  Chapter 9
  Chapter 10
  Chapter 11
  Chapter 12
  Chapter 13
  Chapter 14

Why subscribe?
Other Books You May Enjoy
  Packt is searching for authors like you
  Leave a review - let other readers know what you think
Index