So the usual questions I ask at KubeCon at the very beginning: who's been using Keycloak for, I don't know, more than three years in production? Maybe hands up. All right, that's cool. Who is using it for a year in production? All right. Who's been trying it out locally on the desktop? Who's hearing about Keycloak for the very first time today? All right, cool.

Right, so we will be jumping right into the middle, still giving some introduction on where Keycloak was coming from, but maybe you want to look at the Amsterdam presentation for a more in-depth early startup guide on Keycloak. So, are we ready yet or not yet? We're ready. Okay, that's good.

So welcome, welcome to the talk "Ten Years of Keycloak: What's Next for Cloud Native Authentication and OIDC". Together with me here is Takashi Norimatsu from Hitachi. My name is Alexander Schwartz from Red Hat. We are both maintainers on the Keycloak project and will guide you through the next 35 minutes, and we will also do a Q&A at the end, which will be part of the 35 minutes.

Right, so let's give it a go. Keycloak, what is Keycloak? It is an open source identity and access management solution. So basically it presents a login screen to the users, and the initial commit, I would say the birth date of that piece of software, was in July 2013, and that's almost ten years ago. So that's why we named this talk "Ten Years of Keycloak".

Keycloak at the very beginning, well, it was always presenting a login screen to the user, putting in username and password. And what do you need to do that? You need to have an OpenID Connect protocol implementation server, because that was new and hot stuff at the time, and you need to have some services, some database, some APIs to store information about your applications, which are then called clients, and identities, which are then called users, right? And from the very beginning it was from developers for developers. So you could always extend Keycloak.
It has APIs, it has, yeah, service provider interfaces as we call them. You can do some Java programming and do the things that you need to do in your environment with Keycloak, and that was in there from the very beginning and we kept that over all the time.

Soon after that we added more functionality. It was multi-factor authentication, client libraries, so for lots of frameworks during that time there were implementations of Keycloak client libraries, and we added things like SAML, LDAP, all the things that you need in an enterprise context. So that's how it all started and evolved over time. And then it grew, it grew over several years. These are the Google Trends for the keyword Keycloak, pointing upwards. The GitHub stars are also pointing upwards. So that's probably good.

Well, and then it changed over time; some of the bits changed here and there, because, well, OpenID Connect is not something that's static. OpenID Connect is evolving, and we will hear more about that from Takashi. For example, if you're using an earlier version of Keycloak, I think it was around Keycloak version 18 where this changed: when you click on a logout screen you now pass on an ID token, because people found out that's more secure when you're logging out, so you don't trick your user into logging out. That was then more standardized and we changed the functionality of Keycloak, and when you upgrade from one version of Keycloak to another you might see this behavior change. Of course, there's a switch you can use to have the old behavior for maybe a backup period.

The same is also the case for back-channel logout. Back-channel logout being: you're working with lots of applications, they might have sessions running, and when you log out in the central location, all these instances of your application will get the call by a back channel, not by the browser but by a direct connection between the application running on some server and Keycloak, being triggered to log out that session. This has also been standardized. Previously there were custom implementations in the Keycloak libraries; now it's been standardized, which is great, and standards help.

That's also a trend that we see: lots of frameworks support OIDC, and the more frameworks support OIDC, the more of our own client implementations we deprecate. At the moment they are kind of all deprecated. So we ask you to move to the OIDC client implementations in your projects, and we currently maintain only the JavaScript client that we also use in our own UIs. Over time the UIs have been remodeled multiple times; at the moment I think we're at the admin UI version 2, and the account UI version 3 is coming up.

Yeah, so that's the way it is, what keeps changing. With the latest version, Keycloak 22, you will see that it has been upgraded to Quarkus 3 to have Jakarta EE, because while inside of Keycloak it's Java, on the outside on the web it's JavaScript in the front ends. But if you're writing extensions for Keycloak you might be affected by that change, in that you need to adapt some things in the extensions that you write. We're supporting things like how to put up the scalers, making it a good citizen of Kubernetes. We passed complete accessibility checks, so all the admin UIs for example now have a green checkmark in our internal check pipeline. So that's a good thing, so that everybody can use Keycloak. And there have been lots of improvements around the operator, LDAP, OpenID Connect brokerage, and, yeah, lots of small improvements, but you will see that it just works, hopefully, for you. Or maybe a checkbox is added in one of the other places and then, if something is not working and you didn't find out, okay, maybe you want to check this checkbox.
Yes or no. There's also the Keycloak book, second edition, published by Packt Publishing and written by Stian and Pedro, being the project lead and another project maintainer, and it's based on Keycloak 22 and the Quarkus edition. So if you're new to Keycloak, have a look at the book, and we also have it at the project pavilion at the Keycloak stand. If you want to get 20% off the book, you use this discount code, 20 Keycloak; it's for KubeCon attendees. You can use it both on amazon.com and packt.com.

So this is the project pavilion. We're there in the morning hours, and there's the book. There are flyers, postcards, stickers, the usual things you would expect at the project pavilion. And there are also some other talks on the agenda that I want to highlight here. So there's another talk from Takashi later today, there's a ContribFest in the afternoon, and tomorrow there will be another Keycloak talk. So lots of things where we can learn new and interesting stuff about Keycloak.

So what's then upcoming in Keycloak 23 and beyond? Something that has been in the works for quite some time and was tagged as a preview feature is the declarative user profile support. It has a strange name, but the cool thing is it enables a lot of user self-management. It's all about who can change what. What are the things that you ask a user when they self-register? All the questions, all the attributes that you ask for: is the user allowed to change them? Is an admin allowed to change them? Is an admin allowed to see them?
So that's a very, well, cornerstone for user self-management and admin management of users in Keycloak. We will hear more about DPoP and FAPI 2.0 in the next part of the talk. And, well, as usual there are performance improvements, for example for groups and LDAP. We had a community contributor who did a great job there, improving the group support and making it more performant by an order of magnitude. We discontinued Keycloak's map store and instead chose to evolve the current store. So if you heard about the map store, it's now discontinued, but we will improve the current store to take on the challenges that we tried to solve with the map store.

So having a look at the Keycloak declarative user profile, I prepared a short demo. Let's see where it is. So the thing is, you can demo the declarative user profile; there we go. You can run Keycloak in dev mode, starting Keycloak with kc.sh start-dev. This starts Keycloak in a couple of seconds, and I go to the browser and log in. I used to have a browser somewhere. Yes, I do. And if I go to the realm settings here, I don't see the declarative user profile, because it's a preview feature. What I then need to do: I need to go and kill my Keycloak and run it again with the feature declarative-user-profile enabled. Then it starts again; it will tell me, okay, now it's enabled, it's starting. Once it has started I can log in again, and I now have a checkbox here saying "User profile enabled". I enabled it before, so it's already on.

Just to see how powerful the user profile is: I have here all the questions I will ask new users when they register, and I can go in here and say who has permission to edit it, to view it, what validations, like should there be any prohibited characters? I can add maybe a regular expression for usernames so people don't choose crazy usernames. So this makes it, that's really a key cornerstone for user self-management. That's currently in preview.
You can try it out, and it will soon, whatever soon is in the open source world, be ready to use in a production environment. So going back to the slides. That was the declarative user profile in a nutshell.

We're also doing lots of benchmarks in the Keycloak benchmark project. If you go there and follow the link at the end, you will see we show you how to calculate memory and CPU requirements, and we have guides to set up Keycloak in a cross-DC setup for active/passive. We're hoping to complete this by the end of the year: how to configure Keycloak with an external Infinispan, and Infinispan in two data centers. That's what we're currently working on, and we will then soon also have operational procedures for both failover and switchover, for everything running in a Kubernetes environment.

The next cool thing is, well, that's currently in the works, it's an open Keycloak OpenID Connect CLI, and I think that's the first time it's going to be presented anywhere, so a premiere at this conference. So the idea is: we see, well, Keycloak used to be there for users, and we've seen people using Keycloak with hundreds of thousands of users. But then OpenID Connect also makes its way into, I would say, machine-to-machine interactions, and you want to have CLI tools to do OpenID Connect. We've seen installations where they have tens of thousands and even more clients in Keycloak. That did surprise me at first sight, but there are lots and lots more clients that you need to manage and do things with. And the idea is, if you want to test OpenID Connect, you might want to have a command line tool that you can configure for different providers, for different accounts, for the different flows you want to support; you want to decode a JWT token. I don't know how many times I went to a website and pasted the JWT token there to analyze what's in it.
So, yeah, for those who like command lines, this is the tool for you, but it also integrates with kubectl. It includes a token cache, and if you go to the website you find out how you can make it work so your Kubernetes cluster uses Keycloak to authenticate access to that cluster.

So there's also a short demo I prepared; let's see, demo CLI. What I do: I start Keycloak again in dev mode. I don't need to start it with any profile, nothing at all. And once it has started I can run a command; it should be there somewhere. There should be the CLI command. It didn't print it out, so I can, yeah, I can configure it. This is KC OIDC. I can configure it to set maybe which kind of client I want to impersonate here, what kind of client secret there is; this is the command line help. I can then configure this client using KC OIDC config set: the context, the issuer, the flow I want to use, for which client. I can then say KC OIDC token, which then says, yeah, I want to log in, I want to get a token. I then log in here using my test account that I previously created, and then I'm authenticated, and then this shows me on my command line the token that is here. I can then also use the command line to, well, this is then saved in the folder .kc, and if I want to I can also keep it only in memory, so I can use it in multiple iterations.
I can later refresh it, and I can then for example use the command line tool and say KC OIDC decode --token=<that token>, and it will print on the command line what's in this token, with all the debug information that I previously always pasted into a website to figure out what's in the token, which is really, really nice. Yeah, and that's the command line tool, and if you then dig a little bit deeper into it you will see how to set up Kubernetes and the kubectl command on the command line to connect to Keycloak, to connect to Kubernetes, and to make it all work with checking these tokens that are then passed back and forth.

Right, so Keycloak, as I said, is an open-source identity and access management solution. We have lots of authentication standards implemented and tested; you can integrate it well into your existing infrastructure. There are services and APIs for managing clients, users, profiles, everything. You can manage it all using REST interfaces, using a web UI, or using another CLI tool, kcadm, that I didn't show today. Again, there's a variety of sources where you can get your data from and store it to: you can use a database, you can use LDAP, you can use custom storages where you want to store your users' credentials, whatever. And with this upcoming user profile thing it's really, really well prepared for user self-registration and user self-management when it comes to these attributes. And, well, there are tokens everywhere. You can use them for applications, you can use them for Kubernetes clusters, you can use them in a browser.
You can use them on a command line, and the tool that I showed today is very much in its infancy. You can give it a try, and it will evolve over time, and we will see, I think, more OIDC communication on a machine-to-machine level, and you can test this very nicely with this kind of tool. Right, so these are the links about the things that I showed you here, and I'm now handing over to the second speaker.

Hello, everybody. I'm very happy today to have a talk about Keycloak. In my turn, I'd like to emphasize supporting API security open standards on Keycloak, and also the community activities. Before my talk, let me introduce myself briefly. My name is Takashi Norimatsu, Keycloak maintainer and senior OSS specialist at Hitachi, Ltd., Japan. I have been contributing many security features to Keycloak since 2018, for example W3C Web Authentication API support, sender-constrained token support, and API security profile support, to say more precisely, Financial-grade API security profiles.

In my talk, in the beginning I would like to tell you why supporting API security features in Keycloak is important, and next I'd like to tell you how Keycloak supported these API security open standards and features.

As you may know, connecting several services in several domains via APIs generates a large market in the digital business sector, for example online payment services. But due to their nature, APIs are exposed publicly; therefore attackers try to access these APIs improperly, illegally. Therefore we need some mechanism to detect and prevent such kind of malicious API access. So securing API access is inevitable to drive this business sector.

I'd like to talk about one such example in digital business: online payment services, sometimes called open banking, that use APIs and also the OAuth 2.0 authorization protocol. In this use case the financial service provider, namely a bank, provides their financial services to their end users via APIs. End users use a third-party client application; then this client application accesses the API on behalf of the end user to receive financial services from the bank by using an OAuth 2.0 access token. This access token shows that the end user granted this third-party application access to the API on their behalf. This use case requires a high security level on accessing the APIs. Therefore simply applying the OAuth 2.0 authorization protocol is not enough to realize such a security level.

So what should we do? One example, one answer, is to apply OAuth 2.0 based security profiles. One such example is the Financial-grade API security profile, called the FAPI security profiles, that were standardized by the OpenID Foundation. The FAPI security profiles harden the OAuth 2.0 authorization protocol and the OIDC authentication protocol.
Therefore FAPI security profiles are more secure compared with simply applying the OAuth 2.0 authorization protocol. These FAPI security profiles are actually used in the real world: UK Open Banking, in Australia the Consumer Data Right, in Brazil Open Banking and/or Open Finance Brazil, in Saudi Arabia SAMA open banking. Then Keycloak supported these API security profiles.

So next I'd like to tell you how Keycloak supported these API security profiles and API security features. To say it shortly: by community activities and a lot of contributors' contributions. As far as I know there are two such kinds of community activity, FAPI SIG and OAuth SIG. FAPI SIG started August 2020 and ended this June. The main objective of this FAPI SIG was to support FAPI security profiles with related security features on Keycloak. Then the OAuth SIG, that started this July, is a successor of FAPI SIG and enlarges the scope of the FAPI SIG. The main objective of OAuth SIG is not only supporting FAPI security profiles with related security features on Keycloak, but also the other security related specifications and features for Keycloak. Both activities use the GitHub repository in the Keycloak organization.

This slide shows the main contributions by FAPI SIG and OAuth SIG. Please note that some of them were mainly contributed by FAPI SIG and OAuth SIG, but others were mainly contributed by other contributors, and FAPI SIG and OAuth SIG helped these contributions to be merged into the Keycloak mainstream, for example by reviewing their pull requests. The other result of this activity: Keycloak got certified as a FAPI OpenID Provider in Keycloak 15.0.2. It got the following four types of certification: FAPI 1.0 Final version Part 2, FAPI-CIBA, Open Banking Brazil and Australia CDR.

This slide shows the timeline of FAPI SIG and OAuth SIG. Please note that it's not an official Keycloak roadmap, just the timeline of the activities. When FAPI SIG started in August 2020, the main objective was to support FAPI security profiles, to say more precisely FAPI 1.0 and FAPI-CIBA security profiles. Also FAPI SIG worked on supporting market-specific security profiles, Australia CDR and Open Banking Brazil. As a result of this activity and also other contributors' contributions, Keycloak 15 supported FAPI 1.0 Final version, FAPI-CIBA, Australia CDR and Open Banking Brazil security profiles. Then FAPI SIG continued working on supporting FAPI security profiles: FAPI 2.0, the next version after FAPI 1.0, and RFC 9449, Demonstrating Proof of Possession, that is used optionally for realizing the FAPI 2.0 security profile. FAPI SIG also worked on supporting the market-specific security profiles UK Open Banking and Open Finance Brazil. As a result of this activity and other contributors' contributions, Keycloak 20 supported UK Open Banking and Open Finance Brazil Implementer's Draft version 3 security profiles.

So therefore the main objective of FAPI SIG was successfully achieved, so the FAPI SIG activity ended and newly the OAuth SIG activity started. The OAuth SIG still continued working on supporting FAPI 2.0 and DPoP, but also started other working items: passkey, lightweight token, EdDSA, OIDC for IDA and OIDC for VCI. I'd like to tell you about these newly started working items in more detail later on. As a result of these activities, Keycloak 23 will support FAPI 2.0 Implementer's Draft version 2 and DPoP as a technology preview, passkey also as a technology preview, and lightweight token.

So I'd like to tell you about the newly started working items in OAuth SIG. The first item is passkey. Passkey is passwordless authentication that leverages the W3C WebAuthn features that Keycloak already supported. The second working item is lightweight token. As you may know, the access token that Keycloak issues includes a lot of information, sometimes called a self-contained token or assertion token. So this access token includes authenticated user information, sometimes called personally identifiable information. This lightweight token allows Keycloak to remove this PII from an access token, so that a client application that received this access token from Keycloak cannot know this PII. The third working item is the Edwards-curve Digital Signature Algorithm, EdDSA. The main motivation of supporting EdDSA is preparing for an existing signature algorithm being compromised in the future. The fourth and fifth working items are about OIDC extensions: OpenID Connect for Identity Assurance, OIDC for IDA, and OpenID for Verifiable Credential Issuance, OID4VCI.

OIDC for IDA allows Keycloak to add assurance information on an authenticated user to the ID token and the UserInfo response. Therefore the relying party that receives this token and the response can facilitate the verification of an authenticated user and also evaluate how assured the authenticated user's information is. Then OID4VCI: as far as I know, in my opinion, OID4VCI is mainly used in decentralized identity systems. OID4VCI allows Keycloak to issue a verifiable credential of the user that can be verified by a verifier in a decentralized identity system. In my opinion, supporting OID4VCI is the first step towards realizing that Keycloak can be used not only in centralized identity systems but also in decentralized identity systems.

Then the OAuth SIG not only makes coding progress and reviewing progress, but also holds the community event called KeyConf. KeyConf 23 was held this June in London, United Kingdom. The participants discussed Keycloak use cases and also how to implement their own features onto Keycloak. So we are very happy if you join this Keycloak community activity.

So finally, I would like to wrap up my talk. In recent years the Keycloak community activity FAPI SIG supported API security features onto Keycloak, mainly FAPI security profiles, and the updated community activity OAuth SIG enhanced the scope of this activity, not only supporting API security standards but also supporting other security features and standards that are mainly related to OAuth and OIDC. And we very much welcome any kind of contribution to Keycloak. That's all for my talk. Thank you very much for your listening.

All right. Thank you very much. And we have now two minutes for questions. I know that there is a microphone in the very middle where you can go to announce your question. If you prefer to ask your question from where you're sitting, I will repeat it afterwards so the people who will watch the recorded talk will also hear it. So what are your questions?

Okay, I repeat the question. The question was about how to do decentralized identities with Keycloak and what's the future for that.

So OIDC for VCI, we, or the OAuth SIG, newly started these activities, so therefore in this situation I've not yet planned which kind of level Keycloak tries to achieve in decentralized identity. So we will continue the work of this activity and maybe in the future find out which level of decentralized identity can be achieved by Keycloak. Is that okay? Thank you.

Okay, there's a question on the microphone.

Yeah, I'm curious about the Keycloak operator, if there have been any improvements there, and also the scalability improvements around clustering and caching around that. That was one, and if you can take a second one...

Yeah, why don't you go. Okay, the question was about the operator and whether it's also doing the optimizations. Yeah, well, eventually it will learn these optimizations. At the moment you are putting more things into the custom resource for the operator the way you want to get it optimized, but the operator will learn more things over the next iterations. But for now you can use the operator, add some bits more to the CR, and then you're good.

Okay. Yeah, quick. The other question was around multi-tenancy. There are some limitations for more complex scenarios, so is there an improvements plan?
We're working on that, but maybe we take that offline because we are at the end of our time here. We will stay here in this room and answer more questions, but I would ask the people who have questions to come to the front to us and ask the questions here, because we are out of time. Thank you very much for listening.
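DPoP (RFC 9449), which the second speaker names as the optional sender-constraining mechanism for FAPI 2.0 and as a Keycloak 23 technology preview, is easy to mistake for just another signed JWT. The Go program below is an added illustration and is not code from the talk or from Keycloak: it builds a DPoP proof for one HTTP request and verifies it the way a resource server must, including the step that gives DPoP its value, checking that the proof's embedded public key has the same RFC 7638 thumbprint as the `cnf.jkt` claim the authorization server bound into the access token. Without that check a leaked token plus any attacker-chosen key would pass. The function names (`makeProof`, `verifyProof`, `thumbprint`, `publicJWK`), the example URL and the five-minute freshness window are assumptions; only P-256/ES256 is handled, and server-issued nonces and `jti` replay tracking are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS and JWK use base64url without padding

// ecJWK is a public P-256 key in JWK form; the field order is the
// lexicographic order that RFC 7638 requires for the thumbprint input.
type ecJWK struct {
	Crv string `json:"crv"`
	Kty string `json:"kty"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func publicJWK(pub *ecdsa.PublicKey) ecJWK {
	xb, yb := make([]byte, 32), make([]byte, 32) // fixed-width coordinates
	pub.X.FillBytes(xb)
	pub.Y.FillBytes(yb)
	return ecJWK{Crv: "P-256", Kty: "EC", X: b64.EncodeToString(xb), Y: b64.EncodeToString(yb)}
}

// thumbprint returns the RFC 7638 JWK thumbprint; an authorization server
// binds this value into the access token as the cnf.jkt claim.
func thumbprint(k ecJWK) string {
	raw, _ := json.Marshal(k) // compact JSON, members already in the required order
	sum := sha256.Sum256(raw)
	return b64.EncodeToString(sum[:])
}

// makeProof builds the DPoP proof JWT (typ "dpop+jwt", alg ES256) that the
// client sends in the DPoP header of one HTTP request (assumed: P-256, no nonce).
func makeProof(priv *ecdsa.PrivateKey, method, url string, iat time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": publicJWK(&priv.PublicKey)})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	pl, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": method, "htu": url, "iat": iat.Unix()})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyProof checks a proof the way a resource server does before honouring a
// DPoP-bound access token: typ/alg, signature under the embedded key, binding
// to this exact request, freshness, and embedded key == the token's cnf.jkt.
func verifyProof(proof, method, url, expectedJKT string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	hdrRaw, e1 := b64.DecodeString(parts[0])
	plRaw, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 {
		return errors.New("bad base64url segment or signature length")
	}
	var hdr struct{ Typ, Alg string; Jwk ecJWK } // json matches field names case-insensitively
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" ||
		hdr.Jwk.Kty != "EC" || hdr.Jwk.Crv != "P-256" {
		return errors.New("unexpected typ, alg or key type")
	}
	xb, _ := b64.DecodeString(hdr.Jwk.X)
	yb, _ := b64.DecodeString(hdr.Jwk.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature invalid")
	}
	var pl struct{ Htm, Htu string; Iat int64 }
	if json.Unmarshal(plRaw, &pl) != nil || pl.Htm != method || pl.Htu != url {
		return errors.New("proof bound to a different request")
	}
	if age := now.Sub(time.Unix(pl.Iat, 0)); age < -30*time.Second || age > 5*time.Minute {
		return errors.New("proof too old or from the future")
	}
	if thumbprint(hdr.Jwk) != expectedJKT {
		return errors.New("proof key does not match the token's cnf.jkt")
	}
	return nil // a real server also rejects a replayed jti; not shown here
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jkt := thumbprint(publicJWK(&priv.PublicKey)) // the value the AS would put into cnf.jkt
	proof, _ := makeProof(priv, "POST", "https://rs.example/payments", time.Now())
	fmt.Println("same request:", verifyProof(proof, "POST", "https://rs.example/payments", jkt, time.Now()))
	fmt.Println("other method:", verifyProof(proof, "GET", "https://rs.example/payments", jkt, time.Now()))
}
```

The order of checks matters: the thumbprint comparison is what ties the proof to the access token, so a resource server that only validates the proof's signature has gained nothing over a bearer token, because the proof is signed with a key the sender chose.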