k8s-istio-sso-keycloak(iam)

Okan Sungur
6 min read · Apr 3, 2023

Authentication is the process of verifying identity. Authorization is the process of granting a user permission to access a specific resource or function. Three popular identity protocols are OAuth 2.0 (Open Authorization), OpenID Connect (OIDC), and Security Assertion Markup Language 2.0 (SAML 2.0).

OAuth 2.0 (Open Authorization) allows a website or application to access resources on behalf of a user. It is the de facto industry standard for online authorization. OpenID Connect is used for authentication, while OAuth 2.0 is used for authorization; both are HTTP-based protocols. OpenID Connect also provides good support for native mobile applications running on iOS and Android. Keycloak is an open-source identity and access management solution for our services and applications. Its main objective is to protect services and applications with little or no code, which lets developers focus on business functionality instead of worrying about security aspects such as authentication and authorization.

Keycloak centralizes authentication, enables single sign-on (SSO), and supports two-factor authentication (2FA/MFA). It is LDAP compliant, offers several adapters to secure applications and servers easily, and lets you customize password policies. A few terms need clarifying. A realm is the object Keycloak uses to manage a set of users, credentials, roles, and groups; different realms can represent unrelated projects. Clients in Keycloak are entities that can request user authentication. They are typically the applications or services that we want to secure, that is, the different apps or services within a project.

To run Keycloak, make sure Docker is installed, then run the command below to start Keycloak version 20.0.2. Create a realm or use master. After that, create a client and users with roles.

docker run -d -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:20.0.2 start-dev

It is easy to create realms and clients so I omit some steps. Instead, here we will focus on some critical steps.

Creating Client & User

Valid Redirect URI: Keycloak only redirects the user to a URL that matches a valid redirect URI. In our case, since the value is set to http://localhost:3000/*, an application hosted on http://hacker.com would not be able to authenticate.
Web Origins: This option registers the valid web origins for the application for Cross-Origin Resource Sharing (CORS) requests.

ID Token: This provides the application information available to the authenticated user.
Access token: The application includes this token when requesting a service, which allows the service to verify whether the request should be permitted.
Refresh Token: Both the ID and the access token have short expirations, by default, 5 minutes. The refresh token is used by the application to obtain new tokens.

We will use Postman to get our token.

Getting an Access Token from Keycloak with Postman

Use Postman to get the token from Keycloak. To examine the token, copy and paste the access token into jwt.io.

jwt.io output

Realm roles are like namespaces; client roles are namespaces dedicated to a single client. Composite roles can hold both kinds, and roles can be used for applications and services.

Audience: Allows listing the resource providers that should accept an access token. In our example, myclient and anotherclient are placed in myrealm.

Audience & Scope

Client Scope: In Keycloak, scopes are created through client scopes, and an application can only have access to a specific list of scopes. It is a way to provide limited access to protected resources. For example, the user may want to give access to her email address but not her age or phone number.
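The ID/access/refresh token, role and audience sections above describe the claims a Keycloak access token carries. The following is an added example (not code from the post or from Keycloak) that decodes a constructed token the way jwt.io does and applies the checks a resource server makes before trusting it: issuer, audience (which may be a string or a list), expiry, and the realm versus client roles. The realm, client and role names are taken from the post; the token itself is constructed and carries a dummy signature, so this inspector never proves authenticity, which is the adapter's or gateway's job against the realm JWKS.

```python
import base64
import json

# Constructed sample laid out like a Keycloak access token (aud, azp,
# realm_access, resource_access). NOT a real token: the third segment is a
# dummy signature, so this code inspects claims and never verifies them.
SAMPLE_CLAIMS = {
    "iss": "http://localhost:8080/realms/myrealm",
    "sub": "constructed-user-id",
    "aud": ["myclient", "anotherclient"],   # audience mapper adds both clients
    "azp": "myclient",                      # client that requested the token
    "exp": 1_700_000_300,                   # 5 minutes after iat (Keycloak default)
    "iat": 1_700_000_000,
    "realm_access": {"roles": ["user"]},
    "resource_access": {"myclient": {"roles": ["viewer"]}},
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "dummy-signature",
])

def decode_unverified(token: str) -> dict:
    """Return the payload claims of a compact JWS. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims: dict, issuer: str, client_id: str, now: int) -> list:
    """List the reasons a resource server should reject this token (empty = accept)."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud    # Keycloak emits str or list
    if client_id not in aud:
        problems.append("audience does not include this client")
    if now >= claims.get("exp", 0):
        problems.append("token expired")
    return problems

def roles_for(claims: dict, client_id: str) -> tuple:
    """Realm roles and the client roles scoped to client_id, as sorted lists."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return sorted(realm), sorted(client)
```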

Keycloak Themes: Keycloak provides theme support for web pages and emails. This allows customizing the look and feel of end-user-facing pages so they can be integrated with your applications.
https://www.keycloak.org/docs/latest/server_development/index.html

Keycloak enables you to protect applications running on different platforms and using different technology stacks using OpenID Connect and SAML protocols.

Keycloak client adapters are libraries that make it very easy to secure applications and services with Keycloak. Adapters exist for C#, Java, Servlets, JavaScript, Node.js, Android and iOS. https://www.keycloak.org/docs/latest/securing_apps/index.html

Keycloak Java Realm & Client creation

We can use keycloak.json embedded inside the code. The secrets are kept in a vault. Here, both the user and admin roles can access the URL resource1, but only our user role can access the URL resource2.

keycloak.json is our configuration file. It is important when we use client adapters to access our Keycloak.

Access to protected resources from the postman

We can integrate third-party identity providers by using Keycloak as an identity broker.

Adding Identity Providers to Keycloak
Single Sign On (SSO) with Keycloak

We can also integrate it with Facebook and Google.

# Resource Owner Password Credentials grant against the start-dev server (plain HTTP on 8080)
curl --location --request POST 'http://localhost:8080/realms/myrealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=veli' \
--data-urlencode 'password=veli' \
--data-urlencode 'client_id=myclient' \
--data-urlencode 'client_secret=rF33ecgZtakCSnuxOxU2Rza4kL0O3r3N'

JWT & Istio Security with Keycloak

Another important subject is integrating Keycloak with the Istio service mesh. Whether you develop a monolith or a microservice application, developers can focus on business functionality instead of worrying about authorization and authentication issues. With the help of tokens, we can secure our services through the Keycloak and Istio service mesh integration.

istioctl install --set profile=demo -y
kubectl label namespace default istio-injection=enabled
kubectl apply -f keycloak.yaml

If Docker Desktop is installed on your system, enable Kubernetes and install Istio.

As you can see, an ordinary page that had no security restrictions is now accessed with an access token, thanks to Istio.

Accessing our app from internal ip
Accessing Bearer Token from Postman
Requesting our app from ingress gateway (localhost)

We have created a service account, a gateway and a RequestAuthentication; you can access them from GitLab. Be careful if you get the error “Jwks doesn't have the key to match kid or alg from Jwt”: as we are using Docker Desktop, we have to change the jwksUri address as follows.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: ingress-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "http://localhost:8080/realms/master"
    jwksUri: "http://10.103.25.170:8080/realms/master/protocol/openid-connect/certs"
    # use keycloak cluster ip for localhost keycloak on docker desktop
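A RequestAuthentication on its own rejects requests that carry an invalid token but still admits requests that carry no token at all. To make the gateway require a valid Keycloak token, pair it with an AuthorizationPolicy. The manifest below is an added example, not one of the post's GitLab manifests; it assumes the RequestAuthentication above (issuer http://localhost:8080/realms/master, selector istio=ingressgateway) and the policy name is chosen here.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-require-jwt   # name chosen for this example
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        # requestPrincipals is "<iss>/<sub>" of a token the RequestAuthentication
        # validated. A request with no token has no principal, so it no longer
        # matches any rule and is denied; only the master realm's tokens pass.
        requestPrincipals: ["http://localhost:8080/realms/master/*"]
```

With an ALLOW policy in place, anything that does not match a rule is denied, so removing the Authorization header now yields 403 instead of the page.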

Keycloak User Federation

User federation integrates Keycloak with external identity stores such as LDAP or Active Directory. To store and manage users from other sources, we can also create custom providers, added to Keycloak as custom plugins. We can easily read data from an RDBMS and create endpoints for databases.

Creating User Federation Custom Provider

Here we created a custom plugin, MyCustomDatabasePlugin. It fetches user data from a database given the right credentials, and that user data is imported into our Keycloak realm. This is a great solution if you want to control your users from a single point.

Accessing our user database

Thanks for reading.
