So thank you for being there. I was not expecting that many people, and when I saw the queue it was just, wow. Okay, so I have just 30 minutes, so this will be pretty quick. I'm going to talk to you about security, more about authentication and identity management with Keycloak. Just a few words about myself: I'm Sebastien Blanc, I'm half French, half Dutch, so Belgium is some kind of my natural country, joking. You can follow me on Twitter if you want to follow my tweets. I work for Red Hat for now five years, and I'm working on the Keycloak project.

And what is Keycloak? So here I do the short version of my presentation, because I want to show you the demo, which is the most exciting part of course. But usually doing security, adding authentication to your apps, is painful, but you have no choice: there will be a moment in your project that you will have to implement authentication, you have to manage your users, the identities, and you will do it in a wrong way, I can tell you that. So why not delegate your security? That's what Kim does, you know, she delegates her security to this really nice bodyguard. He has been fired since, I think, but that is exactly what Keycloak is. Keycloak is a server that will take care for you of all your authentication, identity management and authorization stuff. Yeah, that's the pitch.

But a picture is always the best explanation, so imagine Keycloak: you will give them a room... that's a really hard word to say for me, I say "territory", you give them a territory to secure, and on this territory you have different applications. So let's imagine this island, that's our territory that Keycloak will secure, and we have different cities there. In the north we have JEE land; no one wants to go there anymore, we're not sure why. On the contrary, on the seaside we have Angular land, wow, that's the place to go, everyone wants to go there. We have microservices land, not sure what is happening there, and of course the king of the world, Node.js land. And you arrive with your boat and you navigate to Angular land. So imagine you open your browser and you navigate to your Angular app. You arrive there and, yeah, border control says: hey, Mr. Sebastien Blanc, you are not authenticated, please go to the Keycloak island to get authenticated. And you get redirected, basically you get an HTTP redirect to the Keycloak server. And what happens there? Well, here you are on the Keycloak server, you enter your credentials, and if everything is okay, just like at customs, you get a stamp.

And what is the stamp exactly? Well, it's not just a randomly generated token. Sorry, let me just put it back here. Yeah, it's not a randomly generated token, it's more than that: it's a "jot", I don't know why we say jot, so a JWT, a JSON Web Token. So what is this token? Well, it's a self-contained token; we say that to mean that the token itself contains the payload and it's signed, so it can be verified. Quickly, how does this token look like? You always have a header specifying which algorithm you use for the signature and which type of token it is, in this case a JWT. The really important part are the claims; the claims are really the payload of your token. There are some mandatory fields in there, but you can also add whatever custom payload that you want, okay. And then the last part is the signature. How does it work with Keycloak? Keycloak has a key pair, private key, public key. It will use its private key to sign the token, and we will see the apps talking with Keycloak that receive this token will use its public key to verify the signature. So once that's done it's compressed, and that's how a token looks like: you can see the header, the claims and the signature are separated by a dot. And yeah, that's what I said: imagine a back-end app, a REST app, you receive a request from a front-end app and in the request there's a token. Well, it will first, if it's the first time, retrieve the public key from the Keycloak server, and then it will use this public key to verify the signature of the token, to see if the token is valid or not. So I'm just checking the time because... yeah, I have a lot of time, okay.

So that is basically what Keycloak is. Keycloak of course is an open source project; everything that I will show you here is open source, and that means that you can contribute. So if you want to contribute to documentation, or do some bug fixes, or you have a crazy feature in mind, if you make a nice pull request with the ticket, with tests and everything, and documentation, well, if it works well and if it fits a use case for everyone, we will just ship it in the next release. So please do it.

So, protocols: we try to push forward OpenID Connect, that's our default protocol, but of course we know that a lot of people are still on SAML 2, so we also support SAML 2. We support Kerberos as well. Social login brokering: that means if you want your users to use their Twitter, Facebook, GitHub account, whatever OpenID account, they can just use it. I will show you that in the demo, it's just a matter of checking some boxes and entering the credentials of your Twitter app, for instance, and you have the brokering in place. User federation: that means that in your company, your organization, you probably have an LDAP, an Active Directory. Well, the nice thing is that Keycloak can bridge with this LDAP; that means that you can use your LDAP credentials through the Keycloak system, and we have different ways of managing that. We can have a full sync, that means that each time that a user is created in LDAP we also create it in Keycloak; we have a read-only mode, that means we only do brokering, we just read the credentials from LDAP. We have of course single sign-on, that means that in your browser, if you connect to one app of your realm and you open another tab and you connect to another app from the same realm, you won't have to log in again, okay. And in the same way we have single sign-out, that means if you log out from one app you will be logged out from all your other apps.

So we offer quite a lot of stuff, but if you have really a particular use case in your company, a particular type of authentication or a really weird way of user storage, well, we offer SPIs; that means that you can easily extend Keycloak to fit your needs. We provide a whole set of examples, for instance for user federation we show you how you can read users from a text file. Stupid, but yeah, it's just to show you how to implement all these classes to add your own user federation. User account management is another nice one: that is a set of pages that we give to the user that is authenticated, where he can manage his profile. So basically it's a link, and you are redirected back to Keycloak, but it's a page for the user where he can update his email, reset his password, change user details, stuff like that. More than that, I was telling you about the public key that the apps have to retrieve. In the first version of Keycloak this public key had to be coded, had to be hard-coded, sorry, in the application. It was fixed; since a few releases we have now key rotation, that means that the app doesn't need to know the public key, it can just ask for the key to Keycloak. We have stuff like brute force detection that you can enable, you can fine-tune that. One-time password, that's another really nice one: so if you want to add some extra security to your authentication process, you want to add OTP, one-time password, well, it's just a matter of checking a box and then you will be able to use your FreeOTP or Google Authenticator as an extra step for your authentication. Beside authentication we also have a whole layer of authorization, which is exactly the same thing. I could probably spend two hours speaking to you about authorization, but yeah, that's not really the point of this talk today, but you know we have it, and we are currently pushing, you know, probably for authorization the protocol UMA 2.0, so we should be UMA 2.0 compliant in a few weeks.

Okay, this is for the slides. Just to mention, we are OpenID Certified, and a nice thing, I don't know if you know the Tech Radar from ThoughtWorks; it's also a really hard word to say for a French guy, ThoughtWorks. And we were really happy in the team because we entered the radar and we are progressing in the radar, and that's a really good sign. On the community side, so Keycloak is almost four years old, and since last year you can really feel a boom in the community. I can see that on the mailing list, in conferences, you can see it with the pull requests we get. So the community is really booming, and that's really great to be part of such a project.

Okay, so now I just want to show you basically how Keycloak works in real. So assuming you never did anything with Keycloak: where do you start, how do you set it up, etc. Since it's a short presentation I won't do a lot of live coding, I have apps already there, just to show you how these apps can connect with Keycloak. So if you want to play with Keycloak, the best place to go is keycloak.org, and there... I've no internet, okay, let me just... I don't know if I need internet, but anyway, it's there. Oh no... oh, it's not really okay, it's not okay. Should be okay because I don't really need it, I have already downloaded it. As you can imagine, you download the server, it's a zip, you unzip it wherever you want and you start it. It's what I did this morning: I unzipped my Keycloak distribution and then I just have a command to launch it. Here I just give an extra parameter to have a port offset, because otherwise it will conflict with my other apps that I will be running. So basically Keycloak under the hood, it's a WildFly. So I don't know if you know WildFly; WildFly is the application server from Red Hat as well, and it's a naked WildFly that we wrapped with the Keycloak functionality. So my server is running here, and then I can go there, and since it's really the first time I connect to my server I have to create an admin user. So let's create a really secure admin/admin user. Here we go, and now I can go to my Keycloak... yeah, that's so weird, bug from Chrome, sorry, it's really confusing, and I'm the only one in the team having this bug, so, Fedora... no, I'm joking.

That's my Keycloak console; that's where I manage all my realms, my users, my roles, my clients. So what is a client for Keycloak? A client for Keycloak is any app that you will secure, could be a web app, could be a back-end app, whatever; for Keycloak it's called a client, okay. So let's just create a new realm and let's call it "fast them", okay. I have my new realm, and here I will start by creating a new client. And the demo I'm going to show you is a really nice app called the product app; it's an app where you can see products, awesome. And I just save that. I can keep here all the defaults, and here we can see for instance the client protocol is OpenID Connect; I could switch to SAML, but no, let's have fun, let's stick to OpenID. It's a public client, okay, and the only mandatory field I have to fill here is the redirect URI. That means that my app, when it will be redirected to Keycloak, it has to be redirected back once it's logged in, and I have to add here the URL of my app. So my app will be running probably on port 8080, and that's it, okay. Let's create, and sorry, let's create a role, let's call it "user", a role "user", okay. And I need a user, so let's add a user, let's call it Sebi, that's my nickname. I save it. By default I don't have any credentials, so I have to create some first credentials here, so here I create a Sebi/Sebi, and I can keep that... if I leave that temporary, the first time that I log in I will have to change my password, but for the demo here I just switch that off. I change my password, and the last thing I have to do is to assign the role that I created to Sebi, so now I have the role "user", okay. And I'm done, now I can start, now I can connect my app to Keycloak.

How does that work? So I forgot to mention to you: Keycloak, we have the server, and then of course for the application we have libraries, we call that adapters, which are small libraries that you have to install in your apps to be able to speak with Keycloak, to verify the signature during the redirect. So we have adapters for almost all the Java application servers: WildFly, EAP, for all the servlet containers, Tomcat, Jetty; we have a Node.js library, we have a JavaScript library for the front end, and we also have a Spring Boot adapter, and that is what I'm going to show you with this app. So basically I have my product app, which is a simple Spring Boot app, a really simple MVC app. I have a landing page, that's my public page, with a link to my products. And what is my product? My product is just a template that will list the products that are retrieved here in my controller. Where are the products coming from? So that is a second app which is running here; it's just a REST app. Let me just... it's a really simple app, as you can see, that's only that. It's in Kotlin, just to have a bit more fun. Here I just expose this path, /products, and when this REST endpoint is called it retrieves a list of products, okay. And so my app here retrieves these products and puts them in the model and they are shown, okay. So we have two apps here, and what do I need to do to get it connected with Keycloak? Well, since here it's a Spring Boot app it's pretty simple. All I have to do, let me see... oh here, sorry, this part: the dependency. That's just one dependency that you have to add to your app and it will be Keycloak compliant. Then of course you need to configure your app to be able to speak with Keycloak. Where does that happen in a Spring Boot app? That happens in the property file, and here, let me see, sorry, oh come on, okay, you can see it is here. The really important one is this one: I tell it where Keycloak is running, okay. What is the realm? So that's a good point that I show you that, because we have to change that: it's "fast them". The resource is the name of my client, here it's the product app, and it's a public client, okay.

And it's a Spring Boot app, I'm using here Spring Security. I don't have too much time to explain to you how Spring Security works, but just: our adapter makes it possible to combine Spring Security and Keycloak, and the important part here is, with Spring Security what you always do is you have to create a security config class, that's what I do here, but the important part here is that I have this matcher here that says any request for /products must be authenticated and the user must have the role "user", okay. And if we take a quick look at the REST app, same here. Here I'm not using Spring Security, here I'm just securing the servlet container that is wrapped with my Spring Boot app; in this case it's Tomcat, but it could be Undertow or Jetty, it's supported as well. So the same here, I specify my config, and here that is basically how I define my... I don't know if you know a bit about Java security constraints, usually you put that in a web.xml file; here we define it this way. So basically I create a security constraint for the role "user", and the important part here is that I just provide the same pattern, so any call... well, thank you, yeah, well, to be honest it won't use... oh yeah, that's a good point, I can explain you that. That's a bearer-only app; that means that there will be no redirect from this app, because it makes no sense, it's always another app calling this app, there's no human behind it, so it makes no sense to redirect to a login screen. So it only accepts calls that contain a token, otherwise it will just return 403. And to be honest, yeah, here I could remove the realm, because it won't use the realm; the only thing it will use is this, to be able to retrieve the... five minutes left, wow, okay.

So let me just launch it because, five minutes left, wow, that was fast. Let me run the app. I run my back-end app, okay, fortunately Spring Boot is running pretty fast. I run my front-end app, okay. So is it running? Yeah, it's running. Let me open an incognito window, let me go to 8080, okay. Here you can see my CSS skills, impressive landing page, very very modern, and here if I click on my products, if the demo gods are with me, I should be... okay, I'm redirected to Keycloak, you see, and so here on the Keycloak side I can use my credentials and I'm logged in. And two things happen here: so I'm logged in, and my app made another request to the back-end app, passing the token in the request, because if I go to my back-end app, which is running on 8081 I think, /products, you can see here I get an Unauthorized. So if I just call it I'm not authorized to get it. So I can log out, awesome. And let me just quickly show you: realm settings, login. Imagine I want to enable new users to register; if I forgot my password I would like it to send me an email; I don't want to log in over and over again, I just do that. And if I go back to my app here and I refresh, now you can see I can register as a user, you have the "remember me", "forgot password". Fast forward, same: imagine you all have maybe a GitHub account. Here I enter my credentials, I just put dummy numbers here, okay, I save that. Again, if I go here and I refresh, now I could log in with my GitHub account, okay, or any OpenID provider. We just provide a set, but if you have your own OpenID provider that you want to use, you just enter the URLs. Am I done, or have I one minute left? Okay, okay, that's it. I was about to show you how to secure a front-end app, but I'm running out of time, but I think you got the big picture of what Keycloak is. I will be here the whole day, I think, if I don't crash back to my hotel, but so if you have any questions you can ask them now or ask them later if you catch me anywhere. Thank you.
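The "stamp" the talk describes (header.claims.signature, signed by Keycloak's private key and checked by the app with the realm public key), as an added Ruby example that is not code from the talk or from the Keycloak project: sign_token plays the Keycloak side and verify_token plays the bearer-only back-end app, pinning the algorithm, checking the signature, then expiry, issuer and the realm role "user" before accepting the request. Ruby's OpenSSL stands in for the Keycloak adapter, and the realm URL, username and token lifetime are assumed values.

```ruby
require 'json'
require 'openssl'

# base64url without padding: the encoding of the three dot-separated token parts
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  str = str.tr('-_', '+/')
  (str + '=' * (-str.length % 4)).unpack1('m0')
rescue ArgumentError
  raise 'token part is not base64url'
end

# Plays Keycloak: signs header.claims with RS256 using the realm private key.
def sign_token(private_key, claims)
  header = { alg: 'RS256', typ: 'JWT' }
  unsigned = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  "#{unsigned}.#{b64url(private_key.sign(OpenSSL::Digest.new('SHA256'), unsigned))}"
end

# Plays the bearer-only backend: with the realm public key it pins the algorithm,
# checks the signature, then expiry, issuer (realm) and the required realm role.
# Returns the claims on success and raises with the reason otherwise.
def verify_token(public_key, token, issuer:, role:, now: Time.now.to_i)
  parts = token.split('.', -1)
  raise 'expected header.claims.signature' unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  raise 'alg must be RS256; never let the token pick the algorithm' unless header['alg'] == 'RS256'
  signed_data = "#{parts[0]}.#{parts[1]}"
  valid = (public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(parts[2]), signed_data) rescue false)
  raise 'signature does not verify' unless valid
  claims = JSON.parse(b64url_decode(parts[1]))
  raise 'token expired' unless claims['exp'].is_a?(Integer) && now < claims['exp']
  raise 'token issued by another realm' unless claims['iss'] == issuer
  roles = claims.dig('realm_access', 'roles') || []
  raise "missing realm role #{role}" unless roles.include?(role)
  claims
end

# Constructed demo values (assumptions, not from the talk): the realm URL and a
# token for user "sebi" holding the realm role "user", valid for five minutes.
REALM_ISSUER = 'http://localhost:8180/auth/realms/demo'.freeze
def demo_claims(now = Time.now.to_i)
  { 'iss' => REALM_ISSUER, 'exp' => now + 300, 'preferred_username' => 'sebi',
    'realm_access' => { 'roles' => ['user'] } }
end

if __FILE__ == $PROGRAM_NAME
  realm_key = OpenSSL::PKey::RSA.new(2048) # stands in for the realm key pair
  token = sign_token(realm_key, demo_claims)
  puts verify_token(realm_key.public_key, token, issuer: REALM_ISSUER, role: 'user')['preferred_username']
end
```

With key rotation, the adapter refreshes the public key from Keycloak instead of hard-coding it; the checks after the signature step stay the same.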