What’s new in Keycloak, the open source IAM?

Transcript

1. What’s new in Keycloak? Alexander Schwartz | Principal Software Engineer

   | Red Hat heise devSec | 2024-09-26

2. What is Identity and Access Management (IAM), and do I

   need one?

3. Authenticate, authorize and manage users for services Request < Token

   > API Cloud Services • Manage users, credentials, permissions, ... • Handle user registration, password reset, … • Integrate to existing security infrastructure

4. Keycloak is an Open Source Identity and Access Management Solution

   Initial commit 2013-07-02 Cloud Native Computing Foundation Incubating project since April 2023 Apache License, Version 2.0 22k GitHub stars

5. • OpenID Connect Protocol Implementation for the server • Services

   and database to store information about clients and identities • From Developers for Developers Soon after that: • Multi Factor authentication • Client libraries • SAML, LDAP, … Keycloak at the Beginning

6. How it grew

7. A Keycloak Journey Day 0: Getting started as a developer

   Day 1: Single-Sign-On is cool! Day 2: Become flexible in your setup Day 3: Eliminate daily churn

8. Day 0: Getting started as a developer • Run a

   single container (inside or outside Kubernetes) or extract an archive • Works with Testcontainers • Configure using CLI, API, Web UI or export/import a realm using JSON for identical environments Makes sense already for a single application!

9. Running Keycloak as a developer docker run --name keycloak -p

   8080:8080 \ -e KEYCLOAK_ADMIN=admin \ -e KEYCLOAK_ADMIN_PASSWORD=change_me \ quay.io/keycloak/keycloak:latest \ start-dev docker run --name keycloak_w_import -p 8080:8080 \ -e KEYCLOAK_ADMIN=admin \ -e KEYCLOAK_ADMIN_PASSWORD=change_me \ -v /path/to/realm/data:/opt/keycloak/data/import \ quay.io/keycloak/keycloak:latest \ start-dev --import-realm

10. Starting Keycloak, Quarkus Edition start-dev start build start --optimized Development

    Simple Deployment Prepare Deployment Performant Deployment • Medium Performance • Not secure/ no TLS • TLS Certificates required • Slow start • Good run-time performance • Build configuration known (database, features, …) • TLS Certificates required • Fast start • Good run-time performance

11. Day 1: Single-Sign-On is cool! • Users need to remember

    only one password • Authenticate only once per day • Add second factor for authentication for security • Theme the frontend to match your needs Makes sense already for a single application!

12. Make first contact with Keycloak

13. Enable Admins Manage Keycloak via web UI, REST and CLI

14. Enable Users Manage account details, password and second factor.

15. Day 2: Become flexible in your setup • Integrate LDAP

    and Kerberos • Brokerage to existing SAML services • Brokerage to existing OIDC services • Integrate existing custom stores • SCIM integration Reuse the existing user infrastructure!

16. Skip the form with Kerberos/SNPEGO! This page intentionally left blank.

17. … and use other providers …

18. From the Server developer guide: • Customize the theme •

    Configure login flows • Add new required actions • Create event listener • Supply mappers for federations • Connect any custom user storage Customize to your needs

19. Day 3: Eliminate daily churn • User required actions •

    User password recovery (even when using LDAP) • Self-registration for users • User data self-management Resolve the need for calls and tickets!

20. The login screen can do a lot more!

21. Powerful required actions in the login flow • Configure One

    Time Passwords • WebAuthn Register • Terms and Conditions • Update Password • Update Profile • Verify Email • … … or build your own! …

22. A Keycloak Journey Day 0: Getting started as a developer

    Day 1: Single-Sign-On is cool! Day 2: Become flexible in your setup Day 3: Eliminate daily churn

23. Keycloak is an Open Source Identity and Access Management Solution

    • Authenticate and authorize users and services • Configure interactively or fully automated • Bridge to existing security infrastructures • Extend and customize as needed • Run and scale in cloud and non-cloud environments

24. Keycloak Book: 2nd Edition! Based on Keycloak 22 and Quarkus:

    new and improved user experience and a new admin console with a higher focus on usability. You will see how to leverage Spring Security, instead of the Keycloak Spring adapter while using Keycloak 22.

25. Highlights Keycloak 24 • Passkey support evolving • Load Shedding

    and Non-Blocking Probes • Multi-site support with blueprints • Sizing Guide • Quarkus 3.8 • User Profile • Simplified truststore handling • Extending the Admin UI via SPI (experimental)

26. Loadshedding Well-behaving even when the system receives more requests than

    it can handle.

27. Loadshedding Well-behaving even when the system receives more requests than

    it can handle. Action Behavior before Behavior after Incoming requests Requests queue up, delayed response, client times out. Limit the queue, fail fast for excessive requests* * needs to be configured via http-max-queued-requests

28. Loadshedding Well-behaving even when the system receives more requests than

    it can handle. Action Behavior before Behavior after Incoming requests Requests queue up, delayed response, client times out. Limit the queue, fail fast for excessive requests* Liveness probe Timeout, Pod restarted by Kubernetes Non-Blocking, Pod survives * needs to be configured via http-max-queued-requests

29. • Synchronous database and and Infinispan to avoid data loss

    • Low-latency network between sites to avoid long response times • Active-passive to avoid potential deadlocks in Infinispan Multi-Site support

30. Improvements not only for multi-site setups: • Sizing Guide (memory,

    CPU, threads) • Simplified configuration for a typical external Infinispan setup • Automated load and failure tests • Protection against cache stampedes • AWS Aurora PostgreSQL Multi AZ support • Infinispan and JGroups hardening Multi-Site support

31. Declarative User Profile configuration

32. User Profile for admins, registration, and users

33. Highlights Keycloak 25 • Argon2 password hashing • Simplified hostname

    configuration • Persistent user sessions (preview) • Passkeys improvements (preview) • Separate management port for health and metrics • Organizations (preview) • OpenJDK 21

34. Organisations

35. Highlights Keycloak 26* • Infinispan marshalling changed to ProtoStream •

    Quarkus 3.15.x • Persistent User Sessions (by default) • Keycloak multi-site setup in Active/Active mode • Keycloak Admin user recovery • OpenTelemetry tracing support (preview) • Removal of legacy cookies • Organizations (supported and by default) * Subject to change

36. Admin user recovery • Use CLI arguments of environment variables

    to create a temporary admin user or service account. • Use it to create the initial admin user, or to regain access to the existing admin user.

37. OpenTelemetry Tracing

38. Community News • Adaptive Authentication Proof-of-Concept • BundID extension •

    Keycloak OAuth Special Interest Group • Keycloak SRE Special Interest Group

39. Adaptive Authentication Proof-of-Concept • Decide on second factors or deny

    access based on context information • Extend it using your custom decision engines and rules • Allow for risk-based authentication • Manage different sources and policies using the Keycloak Admin UI Presented at KeyConf 2024. Video and slides available on https://keyconf.dev/, source code available at https://github.com/mabartos/keycloak-adaptive-authn

40. Adaptive Authentication Proof-of-Concept

41. Adaptive Authentication Proof-of-Concept

42. BundID Extension Two community extensions exist to integrate with BundID

    • https://github.com/opdt/keycloak-extension-bundid • https://gitlab.opencode.de/opendva/bundid-plugin-for-keycloak

43. Conferences & Events KubeCon North America Salt Lake City (US)

    2024-11-12…15 https://events.linuxfoundation.org/ KeyConf24 Vienna (AT) & Online 2024-09-19 https://keyconf.dev/ Keycloak DevDay Darmstadt (DE) 2025-03-06 https://keycloak-day.dev/ Meetup Keycloak Hour of Code Online Every 1-2 months https://www.meetup.com/ keycloak-hour-of-code/

44. Community Links CNCF Slack #keycloak #keycloak-dev https://slack.cncf.io/ Keycloak https://keycloak.org/ Keycloak

    Community Discourse Forum GitHub Discussion Mailing Lists https://www.keycloak.org/community Keycloak OAuth SIG #keycloak-oauth-sig https://github.com/keycloak/kc-sig-fapi Keycloak SRE SIG #keycloak-sre-sig https://github.com/keycloak/keycloak-sre-sig/

45. • Keycloak https://www.keycloak.org/ • Keycloak Nightly Release https://github.com/keycloak/keycloak/releases/tag/nightly • Keycloak

    Book 2nd Edition https://www.packtpub.com/product/kc/9781804616444 • Keycloak High Availability https://www.keycloak.org/high-availability/introduction • Keycloak Benchmark https://www.keycloak.org/keycloak-benchmark/ • Extend Admin UI via SPI https://github.com/keycloak/keycloak-quickstarts/tree/main/extension/extend-admin-console- spi • Keycloak Hour of Code https://www.meetup.com/keycloak-hour-of-code/ Links Slides:

46. Contact Alexander Schwartz Principal Software Engineer [email protected] https://www.ahus1.de @ahus1de @[email protected]