Hello, hi everyone, welcome to the presentation about Keycloak and Financial-grade API, so-called FAPI for short. About me: I have been working as a software engineer at Red Hat since 2009 and on the Keycloak project since 2013, and I am a graduate of FI MUNI, so I still remember this building from a few years ago, just out of curiosity. So, Keycloak: is there someone here who has some experience with Keycloak? OK, thank you, so some people have experience. I will just shortly introduce Keycloak and then I will talk mostly about Keycloak and FAPI.

Keycloak is a web application that provides authentication, mostly for web applications, and it provides SSO, which means that when you integrate Keycloak with your applications, you can log in just once and your users are automatically logged in to all your applications, because of single sign-on. There is also single sign-out, so when a user logs out from his browser session, he is automatically logged out from all the clients. Communication between client applications and the Keycloak server is based on protocols like OpenID Connect, OAuth 2 and SAML. There is also identity management: Keycloak stores all the data about users, roles and other metadata in a relational database, so when you use Keycloak you don't need to care about persistence of your users and their credentials in the database, because Keycloak takes care of all of this for you. There is also an abstraction for clients, and each client represents one application, so that just trusted applications can be permitted to use Keycloak for logging in their users, which is also important from the perspective of FAPI. Keycloak also has a UI: an admin console for administrators, and account management for users, where users can manage their accounts, their profile, their credentials and other things.
There are login forms and registration forms, which are displayed to users during login, so you don't need to provide any UI because Keycloak does this for you. But there are also themes, which means that you can customize the UI if you want. And there are other cool features like social brokering, which allows delegating Keycloak login to social providers like Facebook, Google, Twitter or others, or to another OpenID Connect provider. There is the possibility to provision your users from LDAP, for example, or from other third-party user storages. There are various two-factor authentication mechanisms supported, like TOTP or WebAuthn. There is support for Kerberos, for example, and various other things. Regarding your applications, on your application side you may need to have an OpenID Connect adapter, which implements the client side of the OpenID Connect protocol, or the SAML protocol. But in the context of FAPI, OpenID Connect is more important, because FAPI integration uses OpenID Connect only. You can use either third-party adapters based on OpenID Connect or the Keycloak ones; Keycloak also has some adapters for some platforms, mostly based on Java.

The typical login flow works in a way that the user opens the application and clicks some kind of login button, and the application redirects the user's browser to the Keycloak login page. The user authenticates, and then the application sends the authorization response to the browser. This authorization response is processed by the application, which parses some data from it, like the authorization code, mostly. The application then needs to send a so-called token request to exchange the code for the tokens; the tokens have data about users and can be used by the application to send requests to other services. The token request is sent directly from the application to the Keycloak server, so this communication usually happens outside of the browser.
When the client application has the tokens, it can use them to invoke some other services, and the services can verify that the token really comes from Keycloak by verifying the signature or by sending a request to Keycloak to check whether this is really a trusted token. So that's about Keycloak in general, and now about FAPI and what FAPI is.

Financial-grade API, or FAPI, is a set of rules to be used in financial and banking applications. It's mostly focused on these applications, but it can be used in other kinds of applications as well. Those applications use the standard OpenID Connect and OAuth protocols; OpenID Connect is an extension of OAuth. FAPI adds a set of additional security requirements for Keycloak, for the client application and for the service: some additional security restrictions which those parties need to implement. So it's more secure OpenID Connect, in short. The current main version of FAPI is FAPI 1, which has two main specifications, called Baseline and Advanced. FAPI Baseline is less strict and is targeted at clients which need to protect APIs with moderate inherent risk. It has some requirements for key sizes and algorithms, which need to be more secure than what OpenID Connect allows by default. For example, it requires that the consent screen is always shown to the user during authentication. It requires PKCE, which is a kind of extension of OpenID Connect targeted mostly at public clients, and which increases security in a way that just the trusted client can exchange the code for the token. And for confidential clients, which are client applications that need to authenticate to Keycloak during the login, the client authentication mechanism needs to be secured, based on JWT or mTLS. If you are familiar with OpenID Connect, you may know that the most widely used client authentication mechanism is based on a client secret.
So in the token request, the client usually sends just a secret, and it's just a plain-text string, which Keycloak can verify. This is easy, but it's not so secure, so FAPI tries to mitigate this. FAPI Advanced is targeted at client applications with even higher security requirements, and it has even stricter requirements. For example, it requires that the authorization request needs to be signed, and the authorization response needs to be also protected against tampering. It also requires sender-constrained access tokens, which means that when client applications communicate with Keycloak, they use mutual TLS, and the tokens sent to the user have some kind of hash, which is based on the certificate sent by the client. There are also some regional variants of FAPI, and various regions have their own flavors of the FAPI specification. For example, Open Banking Brazil is used by Brazilian financial institutions, Australia CDR is used in Australia, Open Banking UK is based in the UK, and so on. Keycloak, among other things, also provides Open Banking Brazil and Australia CDR, and it has certifications with these platforms. As for FAPI certifications, the OpenID Foundation has a certification program which allows implementations like Keycloak to be certified. There is a shared test suite which implementations can use, and if they pass the certifications, they are mentioned on the certification page as officially certified implementations. Keycloak is certified with OpenID Connect, and also with FAPI generic and FAPI-CIBA, which is an extension of CIBA targeted at client applications without browser access.

Now, client policies. Client policies is a Keycloak feature which is used to easily set up Keycloak to conform with profiles like FAPI.
It enforces client behavior in various events, like during OpenID Connect requests. This feature of Keycloak makes it easier to make sure that your client supports FAPI Baseline or FAPI Advanced according to your requirements. Here are the building blocks of client policies, but I will probably skip directly to the demo, and I will try to show that in practice. So, is it visible? Ten minutes, OK. Thank you.

I have a simple demo application, which is just used to show some workflows of OpenID Connect. First, I can start with sending a request to the OpenID Connect well-known endpoint; each OpenID Connect implementation like Keycloak has a so-called well-known endpoint, which the client application can use to retrieve some metadata about available algorithms and endpoints, where the browser can initiate login, where the token request can be sent, and so on. In the next step, I can register the client application, because OpenID Connect also provides a way to register clients. For this, I need some kind of initial access token. So I can log in to the Keycloak admin console, and here in client registration I can create an initial access token, which can be used to register 10 clients and expires in one day. It's this kind of string, which can be copy-pasted into the application, like this. Now I can register the client. Our client registration request looks like this. It has some methods, and now I want to register a public client, which does not require client authentication. At this moment, I don't have FAPI enabled, so I have just plain OpenID Connect. When I have the client registered, I can see how the login URL looks. This URL is used by the browser, and it contains various parameters directly in the query string, like client ID, which is the reference to the client application.
The redirect URI is where the user will be redirected after successful login, and so on. Now, when I click this link, it directly redirects me to the Keycloak login page. In FAPI, it's common practice to enable multi-factor authentication. So for this user I have enabled WebAuthn with a security key, which I can log in with. It's a security key which I have connected to my laptop and which was previously registered to the user account. Now, after successful authentication of the user, the authorization response was sent to this URL. The client application then used the code from the URL in a token request; the code is here, with some other parameters, and it is sent to the Keycloak token endpoint, and Keycloak returns a set of tokens. These tokens contain signed JSON strings with some data about the user and various metadata.

Now I want my client applications to be more secure and support FAPI, so in the Client policies tab in the Keycloak admin console, I can see that there are profiles which are already defined in Keycloak by default, and there are profiles called FAPI Baseline and FAPI Advanced. FAPI Baseline is the profile which enforces the rules of the FAPI Baseline specification. So if a client needs to support FAPI Baseline, it for example needs to use PKCE, secure URLs based on HTTPS, consent required, and so on. It's not used by default, because there is no policy, so I will need to create a policy, which is the link between the profile and the condition which I can specify.
For a simple use case, I want all the clients in my realm to be FAPI Baseline compliant, so I will create the condition "any client", which applies to all the clients, and I will link this policy with the FAPI Baseline profile. Now, when I save this policy, all clients must use FAPI Baseline. So now when I register another client and create the login URL, it's the same kind of URL as before, and when I click login, Keycloak returns me an error that the parameter code_challenge_method is missing. This parameter is exactly what is enforced by FAPI, and it's used by PKCE, so I will mark here that I will use PKCE, and now my login URL needs to contain additional parameters, like code_challenge. The code challenge is the hash of some random string which was generated by the client; the client will later send that string in the token request, and Keycloak will then verify that the hash sent in the authorization request is the same as the verifier sent in the token request. Those are maybe a little bit complicated concepts at first look, but when you are used to the OpenID Connect protocol, it may not be that hard. Now when I click login, I have another restriction, because the parameter nonce is also missing. The nonce is a random parameter which also needs to be generated in the login URL, and it will then be present in the token, and the client can verify after the authentication that the nonce which it generated before authentication matches the nonce from the token. So now when I log in, I am finally redirected to Keycloak to log in the user, and because the user is already authenticated, he doesn't need to provide the credentials again, but he needs to approve that he wants to share his profile data and email address with the client application. Showing this screen is also exactly a requirement of FAPI.
So now the user is authenticated, and there are the tokens; for example, the ID token now contains this nonce claim, which the client needs to verify matches the nonce which was used before. In a similar manner, it's also possible to integrate with FAPI Advanced, and then the requirements are even stricter, but we have quite a short amount of time, so are there any questions so far?

Yeah, so if I understand correctly, you mean that your application is integrated with Keycloak, and Keycloak can, on the login screen, delegate authentication to social providers like Google, so that in the login screen, like this one, there will be a button like "Sign in with Google". Maybe I can quickly show some kind of demo. In Keycloak, you can create so-called identity providers, and if I create one, I need to fill in properly some metadata from Google, but when I do this, and now when I log out the user and log in again... OK, so now the login screen would contain some button, and it can delegate authentication to Google, or another social provider, or another OpenID Connect provider. Are there any more questions?

For example, let's say we here at the company use Keycloak, but we want to show that we are security compliant with something like ISO or SOC security specifications. Does Keycloak have something to help with that? Maybe Keycloak is compliant or has its own certifications?

Yeah, so that's a good point. Keycloak is certified with certifications like FAPI, which is exactly used for this. So, for example, the OpenID Foundation has a list of certified providers here, and Keycloak is one of them, and it's also certified as an OpenID Connect provider.
The certifications which you mentioned, I'm not sure what they are exactly, so I don't know if Keycloak is compliant or if Keycloak clients are compliant with them, but you can try to ask on the Keycloak community mailing list, and maybe you will receive some responses, maybe from other people from the community.
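The two checks the demo ran into once the FAPI Baseline policy was enabled, the PKCE code_challenge (RFC 7636, S256) and the nonce, as an added example that is not part of the talk and not Keycloak's code. It builds the login URL with the parameters the policy enforces, simulates the authorization-server side rejecting a request that lacks them, verifies the code_verifier against the stored challenge at the token endpoint, and checks the nonce claim in the returned ID token. The endpoint URL, client ID, redirect URI and the ID token are constructed for the example; the ID token is built unsigned here, so signature verification, which a real client must do before trusting any claim, is left out.

```python
"""PKCE (S256) and nonce checks from a FAPI Baseline login, both sides.

Added example; assumed names (kc.example, app.example, client "demo-app")
are placeholders, not values from the talk or from Keycloak.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 and JWT require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_login_url(auth_endpoint, client_id, redirect_uri, challenge, nonce, state):
    """Authorization request carrying the parameters FAPI Baseline enforces."""
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("FAPI Baseline requires an https redirect_uri")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def server_check_authz_request(url):
    """Simulated authorization server: reject requests missing FAPI parameters.

    Returns (params, None) on success or (None, error message) on failure.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    for required in ("code_challenge", "code_challenge_method", "nonce"):
        if required not in q:
            return None, f"Missing parameter: {required}"
    if q["code_challenge_method"] != "S256":
        return None, "Invalid parameter: code_challenge_method"
    return q, None


def server_check_token_request(stored_challenge, code_verifier):
    """Token endpoint: S256(code_verifier) must equal the challenge stored
    with the authorization code.  Constant-time compare avoids a timing leak."""
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, stored_challenge)


def make_demo_id_token(claims):
    """Constructed, unsigned ID token for the example (alg "none", no signature).
    Real Keycloak tokens are signed and must be verified before use."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_payload(token):
    """Decode the payload segment of a compact JWT (no signature check here)."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def client_check_nonce(id_token, expected_nonce):
    """Client side: the nonce claim must equal the one sent in the login URL."""
    return jwt_payload(id_token).get("nonce") == expected_nonce


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    nonce, state = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    url = build_login_url(
        "https://kc.example/realms/demo/protocol/openid-connect/auth",
        "demo-app", "https://app.example/callback", challenge, nonce, state)
    params, err = server_check_authz_request(url)
    assert err is None
    # Token request: Keycloak-side PKCE check, then client-side nonce check.
    assert server_check_token_request(params["code_challenge"], verifier)
    id_token = make_demo_id_token({"sub": "alice", "nonce": nonce})
    assert client_check_nonce(id_token, nonce)
    print("PKCE and nonce checks passed")
```

The "Missing parameter" errors mirror the two rejections seen in the demo: a login URL built without code_challenge or nonce is refused before the user ever sees the login page, while a wrong code_verifier is only caught at the token endpoint.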