Introduction
Keycloak is an open-source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code. This case study explores how Keycloak can be used to address various business problems related to identity, authentication, and authorization.
Use Case #1: Azure AD Integration with Internal Corporate Applications using OIDC
Keycloak supports integration with Azure Active Directory (AD) using the OpenID Connect (OIDC) protocol. This allows internal corporate users to authenticate using their existing Azure AD credentials.
Problem Statement
Many organizations use Azure AD as their primary identity provider. Integrating Azure AD with internal applications can be a complex task, requiring significant development effort and ongoing maintenance.
Solution
Keycloak simplifies this process by providing out-of-the-box integration with Azure AD. This allows organizations to leverage their existing Azure AD user base for authentication, reducing the need for additional account management.
Azure AD configuration
- Create an Azure AD tenant and register an application in Azure AD, providing information about the application such as its name, its redirect URIs (the Keycloak redirect URI obtained while configuring Azure AD as an identity provider in Keycloak), and the type of application (web app, single-page app, etc.). Note down the “Application (client) ID” and “Directory (tenant) ID”, as they will be required later.
- After registering the application, obtain the client ID and client secret; they will be used to authenticate to Azure AD and obtain access tokens.
Keycloak configuration
- To integrate Azure AD with Keycloak, create a new realm or select an existing one. Then navigate to “Identity Providers” and click “Add provider”. Choose “OpenID Connect v1.0” as the provider type and give the provider a name.
- Enter the following Discovery endpoint on the identity provider page, and the metadata (Authorization URL, Token URL, User Info URL, ...) will be populated automatically.
- Provide the Azure AD “Client ID” and “Client Secret” obtained during the Azure AD registration process and save the provider configuration.
- Configure attribute and role mappings using identity provider mappers: user attributes provided by Azure AD can be mapped to user attributes in Keycloak. This ensures that attributes such as email or username are synchronized correctly between the two systems. Role mappings can also be configured to map Azure AD roles to Keycloak roles if needed, so that Keycloak’s authorization capabilities can be combined with Azure AD’s user roles and group management.
- Create a client for the application in Keycloak, with Access type “Public” and Authentication flow “Standard flow”.
Once the integration is set up, we can configure our applications to use Keycloak as the IdP and enable SSO with Azure AD. This involves redirecting users to the Azure AD login page, where they can authenticate with Azure AD credentials. Upon successful authentication, Keycloak will provide the necessary tokens for subsequent authorization.
Use Case #2: East-West Authorization Between API and External Application
Keycloak can manage fine-grained, policy-based permissions for APIs, enabling secure communication between APIs and external applications.
Problem Statement
Securing communication between APIs and external applications is a critical requirement for modern businesses. Traditional methods of securing these communications can be complex and difficult to manage.
Solution
Keycloak provides a robust, policy-based authorization service that can be used to secure API communications. This allows businesses to define fine-grained permissions for their APIs, ensuring that only authorized external applications can access them.
Keycloak offers several components to enforce authorization, including resources, policies, scopes, and permissions.
- The resource can be an API endpoint, a data object, or any other granular component that requires authorization.
- The policy defines the rules and conditions for accessing a resource. Keycloak supports multiple types of policies, including role-based policies, attribute-based policies, and permission-based policies.
- Scopes control what level of access is granted for the associated resources or endpoints.
- Permission represents a specific action or operation that a user can perform on a resource. Permissions can be associated with roles or directly assigned to users.
By leveraging these authorization policy components in Keycloak, we can build a comprehensive and flexible access control system for an application or API, defining rules based on user roles, attributes, or custom permissions to allow or restrict access to specific resources according to the application’s requirements and security needs.
Use Case #3: East-West Authorization Between API, Microfrontend, and External Application with User and Customer Information
Keycloak can also manage permissions for more complex scenarios, such as communication between APIs, micro frontends, and external applications.
Problem Statement
As businesses adopt microservices and micro frontends, securing communications between these components becomes increasingly complex. This is particularly true when these communications involve sensitive user and customer information.
Solution
Keycloak’s policy-based authorization service can also be used to secure these complex communications. This allows businesses to define detailed permissions for each component, ensuring that sensitive information is only accessible to authorized components.
The script claim policy in Keycloak is designed to enhance the security of API endpoints by authorizing requests based on an API key. This API key serves as a unique identifier for the requesting application or client, ensuring that only authorized entities can access the endpoint. Combining the script claim policy with access tokens and other role-based or client-based policies adds a further layer of security to API requests that involve sensitive information.
- Custom Protocol Mapper: Use Keycloak’s custom protocol mapper feature to extend the default attribute mappings between identity providers and Keycloak’s user model, and to include additional information in the tokens, such as user roles, permissions, or any other relevant attributes. These attributes provide context about the user and their authorization.
- JS Policy Configuration: Create an authorization policy using the JS policy type in Keycloak’s administration console. Define the conditions and rules that need to be evaluated to make access control decisions based on the attributes present in the tokens.
- Custom Logic: Within the JS policy, access the attributes from the token, including both default attributes and the additional attributes added through the custom protocol mapper. Write custom JavaScript code to implement the desired access control logic based on the attributes’ values and any other contextual factors.
- Access Control Decisions: The JS policy’s custom logic evaluates the attributes and conditions to determine whether access should be granted or denied. The policy can consider various factors such as user roles, permissions, or any other attribute included in the tokens. Based on the evaluation, the policy decides the access control outcome.
- Dynamic Authorization: The JS policy can incorporate real-time factors or dynamic conditions during the access control evaluation. For example, it can consider the current time or session state to make context-aware authorization decisions.
By using a custom protocol mapper to include additional attributes in tokens and combining it with the JS policy for custom access control logic, you can achieve a powerful and flexible authorization mechanism in Keycloak. This approach allows for granular access control based on custom attributes and conditions, providing a robust and adaptable security solution.
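As an added example (not code from the original post or from the Keycloak project), the following JavaScript shows the kind of JS policy described above: it combines a realm-role check of the sort used in Use Case #2 with the custom claim and the time-based condition of Use Case #3. The claim name api_key, the role api-consumer and the business-hours window are assumptions, and makeEvaluation is a constructed stand-in that imitates only the parts of Keycloak’s $evaluation API the policy uses, so the decision logic can be run offline.

```javascript
// Keycloak JS policy logic (assumed claim/role names) plus a constructed stand-in
// for $evaluation so the decision can be run outside Keycloak. Deploy this function's
// body as the JS policy script; in Keycloak, $evaluation is a server-supplied global.
function policy($evaluation) {
  var context = $evaluation.getContext();
  var identity = context.getIdentity();
  var claims = identity.getAttributes();   // token claims, incl. mapper-added ones
  var request = context.getAttributes();   // runtime "kc.*" attributes
  // 1. Custom claim "api_key" (assumed name, injected by the custom protocol
  //    mapper) must be present and non-empty; getValue() is null when absent.
  var apiKey = claims.exists('api_key') ? claims.getValue('api_key').asString(0) : '';
  if (!apiKey) { $evaluation.deny(); return; }
  // 2. The caller must hold the realm role "api-consumer" (assumed role name).
  if (!identity.hasRealmRole('api-consumer')) { $evaluation.deny(); return; }
  // 3. Dynamic condition: allow only between 08:00 and 17:59 server time;
  //    kc.time.date_time is formatted "yyyy-MM-dd HH:mm:ss".
  var stamp = request.getValue('kc.time.date_time').asString(0);
  var hour = parseInt(stamp.substring(11, 13), 10);
  if (hour < 8 || hour >= 18) { $evaluation.deny(); return; }
  $evaluation.grant();   // never calling grant() also results in deny
}
// Constructed test double covering only the $evaluation members used above.
function makeEvaluation(tokenClaims, realmRoles, dateTime) {
  function attrs(map) {
    return {
      exists: function (n) { return n in map; },
      getValue: function (n) { return n in map ? { asString: function (i) { return map[n][i]; } } : null; }
    };
  }
  var result = 'undecided';
  var identity = {
    getAttributes: function () { return attrs(tokenClaims); },
    hasRealmRole: function (r) { return realmRoles.indexOf(r) !== -1; }
  };
  var context = {
    getIdentity: function () { return identity; },
    getAttributes: function () { return attrs({ 'kc.time.date_time': [dateTime] }); }
  };
  return {
    getContext: function () { return context; },
    grant: function () { result = 'grant'; },
    deny: function () { result = 'deny'; },
    result: function () { return result; }
  };
}
// Run the policy against constructed inputs and return the decision string.
function decide(c, r, t) { var ev = makeEvaluation(c, r, t); policy(ev); return ev.result(); }
```

Every path that does not reach grant() ends in deny, which matches Keycloak's default for a JS policy that never grants; when deploying the real script, keep the explicit deny() calls so the intent is visible in the policy code.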
Conclusion
Keycloak provides a powerful, flexible solution for managing identity, authentication, and authorization. By handling these concerns externally, Keycloak allows businesses to focus on their core competencies, while also ensuring robust security. Whether integrating with existing identity providers like Azure AD, securing API communications, or managing complex permissions for microservices, Keycloak has the capabilities to meet a wide range of business needs.