
Authenticate and authorize users “your way” when they access applications and platforms

Authenticating users can start simple with a username and a password for each user. But you will also need to handle forgotten passwords and user registration. You might also want to validate email addresses, add second factors, have users update their profile information as needed, or even offer password-less authentication.

A single sign-on system like Keycloak can handle all of that for you and will redirect users back to your applications once they are authenticated, using industry standards such as OpenID Connect and SAML.

Join this talk to see how you can delegate all the tasks around authentication to Keycloak. We will start simple and enable more and more features in our demo to show the functionality and flexibility of Keycloak. We will also look at features of the latest release and the road map ahead.

Alexander Schwartz

March 25, 2025

Transcript

  1. Authenticate and authorize users “your way” when they access applications and platforms

     Alexander Schwartz, Principal Software Engineer @ Red Hat
     Voxxed Days | Zurich, CH | 2025-03-25
  2. Agenda

     CC BY-NC-SA 4.0 | March 2025 | Authenticate and authorize users “your way” | Alexander Schwartz
     1 Motivation
     2 Practical authentication by example
     3 The other things you will also need
     4 Standards everywhere!
  3. Agenda (section divider, same four items as slide 2)
  4. Authentication is answering the question “Who are you?” (Motivation)

     • You want users to log in … but it starts earlier, because you want to know whether they are already logged in.
     • You have seen the diagram of the Authorization Code Flow … but how do I put it to use?
     • How do I benefit from the features in Keycloak … while spending a minimum of work?
     https://quarkus.io/guides/security-oidc-code-flow-authentication
  5. Know the things it can do! (Motivation)

     Already logged in? · Still logged in? · Login · Register · Re-authenticate · Change password · Forgot password · Validate email · Enforce 2nd factor · Requesting scopes · Incremental profiling · Manage account
  6. Agenda (section divider, same four items as slide 2)
  7. The actors in this play (Practical authentication by example)

     End user
     • Has credentials
     • Operates a web browser
     OpenID Provider (OP), aka Identity Provider
     • Shows the login screen
     • Validates credentials
     • Issues and validates tokens
     Relying Party (RP), aka client application
     • Shows a web application
     • Interacts with an OpenID Provider and other Relying Parties
     • Wants a user to authenticate
  8. Keycloak is an Open Source Identity and Access Management solution (Practical authentication by example)

     Initial commit 2013-07-02 · Cloud Native Computing Foundation incubating project since April 2023 · Apache License, Version 2.0 · 26k GitHub stars
  9. Know your OpenID Provider (Practical authentication by example)

     GET issuer + "/.well-known/openid-configuration"

     {
       "issuer": "http://localhost:8080/realms/test",
       "authorization_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/auth",
       "token_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/token",
       "introspection_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/token/introspect",
       "userinfo_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/userinfo",
       "end_session_endpoint": "http://localhost:8080/realms/test/protocol/openid-connect/logout",
       "frontchannel_logout_session_supported": true,
       "frontchannel_logout_supported": true,
       "jwks_uri": "http://localhost:8080/realms/test/protocol/openid-connect/certs",
       "check_session_iframe": "http://localhost:8080/realms/test/protocol/openid-connect/login-status-iframe.htm
       "grant_types_supported": [ "authorization_code", "implicit", "refresh_token", "password",
     (response truncated on the slide)
  10. Is the user already logged in? (Practical authentication by example)

     REDIRECT TO authorization_endpoint + "?redirect_uri=...&prompt=none..."
     GET ON redirect_uri "?error=login_required..."
  11. Register as a new user! (Practical authentication by example)

     REDIRECT TO authorization_endpoint + "?redirect_uri=...&prompt=create..."
     (continue with a regular login)
     https://openid.net/specs/openid-connect-prompt-create-1_0.html
  12. Log in the user! (Practical authentication by example)

     REDIRECT TO authorization_endpoint + "?redirect_uri=...&prompt=login..."
     GET ON redirect_uri "?...session_state=...code=..."
     POST code and other parameters to token_endpoint
     RESPONSE with ID token, access token, refresh token, ...
  13. Is the user still logged in? (Practical authentication by example)

     IFRAME with check_session_iframe + session_state
     JavaScript postMessage() to the iframe, receiveMessage() handler gets back whether session_state is still valid
     https://openid.net/specs/openid-connect-session-1_0.html
  14. Refresh the access token! (Practical authentication by example)

     POST refresh_token to token_endpoint
     RESPONSE with ID token, access token, refresh token, ...
  15. Get some information about the user (Practical authentication by example)

     GET userinfo_endpoint with the access token in the “Authorization: Bearer ...” header
     RESPONSE with user information as JSON
  16. Log out the user from all applications (Practical authentication by example)

     GET end_session_endpoint + "?post_logout_redirect_uri=...&id_token_hint=...&client_id=..."
     REDIRECT to post_logout_redirect_uri
     https://openid.net/specs/openid-connect-rpinitiated-1_0.html
  17. Agenda (section divider, same four items as slide 2)
  18. Enforce second factor authentication (Practical authentication by example)

     REDIRECT TO authorization_endpoint + "?...acr_values=2..."
     (continue as with a login)
     Configure a new flow in Keycloak
     https://www.keycloak.org/docs/latest/server_admin/#_step-up-flow
     Afterwards, check that the acr is set in the ID token!
  19. Let users manage their data and credentials in Keycloak’s account console (Practical authentication by example)

     REDIRECT TO .../account?referrer=...&referrer_uri=...
     (the user will eventually return)
  20. Update password, add passkeys or other IDM tasks (Keycloak custom) (Practical authentication by example)

     REDIRECT TO authorization_endpoint + "?kc_action=UPDATE_PROFILE..."
     REDIRECT TO authorization_endpoint + "?kc_action=UPDATE_PASSWORD..."
     REDIRECT TO authorization_endpoint + "?kc_action=delete_account..."
     REDIRECT TO authorization_endpoint + "?kc_action=CONFIGURE_TOTP..."
     REDIRECT TO authorization_endpoint + "?kc_action=webauthn-register..."
     REDIRECT TO authorization_endpoint + "?kc_action=webauthn-register-passwordless..."
     https://www.keycloak.org/docs/latest/server_admin/#con-aia_server_administration_guide
  21. Verify email (new in Keycloak 26.2) (Practical authentication by example)

     REDIRECT TO authorization_endpoint + "?kc_action=VERIFY_EMAIL..."
     https://www.keycloak.org/docs/latest/server_admin/#con-aia_server_administration_guide
  22. Use scopes to acquire additional data (Practical authentication by example)

     REDIRECT TO authorization_endpoint + "...&scope=openid+email+address..."
     Manage the user profile and make fields scope-specific and required
  23. Restrict user authorization on clients (Practical authentication by example)

     • Add the “restrict client auth” community extension to Keycloak: https://github.com/sventorben/keycloak-restrict-client-auth
     • Customize the login flow
     • Use client roles (simple) or policies (more advanced and powerful) to restrict access to applications
     Find more extensions here: keycloak.org/extensions
  24. Agenda (section divider, same four items as slide 2)
  25. Standards everywhere!

     https://www.keycloak.org
     • A lot of authentication and user management functionality is just a redirect away.
     • Use an OpenID Connect library to do the heavy lifting.
     • Read the standards, especially around “prompt”, and leverage modular Keycloak functionality using “kc_action”.
     • Use scopes to incrementally acquire user data.
     • Try out Keycloak’s preview features and provide feedback, so they can mature and eventually be supported.
  26. Links

     Keycloak: https://www.keycloak.org
     Keycloak features: https://www.keycloak.org/server/features
     OpenID Connect Core: https://openid.net/specs/openid-connect-core-1_0.html
     Demo code: https://github.com/ahus1/authentication-demo
     JavaScript library used in the demo: https://github.com/panva/openid-client
     @ahus1.de
  27. Contact

     Alexander Schwartz, Principal Software Engineer
     https://www.ahus1.de
     @ahus1.de
  28. Re-authenticate when the user is already logged in (Practical authentication by example)

     REDIRECT TO authorization_endpoint + "?redirect_uri=...&prompt=login..."
     (continue as with a login)
  29. Pushed Authorization Request for the PARanoid! (Practical authentication by example)

     POST redirect_uri, prompt and the other authorization parameters to the pushed_authorization_request_endpoint
     RECEIVE a request_uri
     REDIRECT TO authorization_endpoint + "?request_uri=..."
     (continue as before)