Keycloak, the open-source identity and access management for modern applications. Welcome to this talk here at KubeCon. We're very happy to now be a CNCF project; we, that's Keycloak. Today I have Yuichi Nakamura here from Hitachi, and I'm Alexander from Red Hat. I've been working at Red Hat for a year now, but I looked it up: I did my first pull request that was accepted on Keycloak in 2015 or so, and then last year I joined Red Hat full-time, working on the Keycloak project. So, what is Keycloak? It's an open-source identity and access management solution, and the great thing about open source is that you can tweak it the way you like. You can use it for authenticating and authorizing users in your applications. You can configure it interactively or fully automated; I'm a big fan of full automation. You can bridge it to existing security infrastructure: in a typical enterprise environment you usually have an existing LDAP, maybe a legacy user database, and you can connect those. You can also extend and customize it as needed. As I said, it's open source, but we also offer lots of service provider interfaces, as we call them, where you can write your own modules, load them into Keycloak, and do the things you need to do. And it runs and scales in both cloud and non-cloud environments. That's Keycloak, and I would say a very complete package to manage all your users and your clients. So what does Keycloak do? Well, it all starts with a user. They have their mobile devices, their laptops, their apps, and they want to access some services in the cloud. When they do that without an access token at first, they are redirected to Keycloak, and Keycloak presents a login screen.
Once they enter their username and password, or some other method of authentication, they receive a token, and then they try again, accessing the service with the token. The service can use that token to verify that it's really valid and find out who the user is: maybe they have some roles, what they are allowed to do, their username, their email address. All of that can be retrieved using that token. And it's all about not handing the password or credentials to the applications themselves. Okay. You can run Keycloak with its own database; Keycloak makes sure that all the user passwords are hashed in a secure way and stored in that database. But in most cases you have other stores in your company: an LDAP, an Active Directory, or, as I said, a legacy user database that you want to connect to, pull data from, and verify passwords against if they're stored in there. Keycloak is very flexible here, because we have user federation built in, and, again via a service provider interface, we can extend it as needed. So let's do a demo of Keycloak and show some things around it; you'll eventually see a login screen like this. The setup we will walk through: I have everything set up on my laptop here on a minikube, and we use the browser to go to Keycloak and interact with this login screen. We will see Grafana; we will configure single sign-on for Grafana using Keycloak. It's one of my favorite projects here at this conference. Prometheus can pull some metrics from Keycloak, so we know what's going on in there. Keycloak in this setup connects to a regular SQL database, in this case a Postgres database. And, as we are good citizens, Keycloak is of course deployed using the Keycloak operator. Right.
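A quick aside on the access tokens described above: Keycloak issues them as JWTs, so a service can read the claims directly by base64url-decoding the middle segment. This is a hedged local sketch with a hand-built token; the claim names mirror Keycloak's usual ones, but the values are invented, and real verification of the signature against the realm's published keys is deliberately skipped here:

```shell
# Build a fake JWT locally (header.payload.signature, base64url-encoded).
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
payload=$(printf '{"preferred_username":"alice","email":"alice@example.com","realm_access":{"roles":["admin"]}}' | b64url)
token="$header.$payload.fake-signature"

# A service splits the token and decodes the middle segment to read the claims.
claims=$(printf '%s' "$token" | cut -d. -f2 | tr '_-' '/+')
# base64url drops padding; restore it before decoding.
case $(( ${#claims} % 4 )) in 2) claims="$claims==";; 3) claims="$claims=";; esac
printf '%s' "$claims" | base64 -d
```

In production the service must also check the signature, issuer, audience, and expiry; libraries for that exist for every stack.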
And, well, these are the moving parts that we're about to see in this demo. So let's do the demo. Signing into Keycloak, this is the login screen, where you can enter a username and password; that's the simple case. Don't worry, I won't show you my secret password here. And you have everything you want to manage here: you manage clients, you manage client scopes, realm roles. Everything is in a nice admin UI. Also, the realm settings you've seen on the login screen: for example, user registration was enabled, the forgot-password flow was enabled. As I said, it's really a whole user management solution. Once I disable them and log out again, you see that these things are gone: I can no longer register, I can no longer recover my account once my password is forgotten. And then I can enable them again; it's nice to configure this in the web UI. And behind the web UI there's a REST backend, and you can use the same functionality to have a fully scripted configuration of your realms. That's also possible. There's a command line interface, which we'll see in a second, that allows you to do all the scripting you want. And something I use very often in test environments: you can export a realm fully as JSON and then recreate as many test environments from that JSON as you want, and reset them at any time with that JSON file. So, as I said, I want to set up Grafana, and what you then usually do is set up Grafana. Oh, I did it already. So let's delete it here. And if you want to set up something like this, it would be tedious to do it all by hand, so I prepared a script for this. Let's hope the demo gods are with me. So this is the command line interface of Keycloak that I'm about to use.
For example, what I'm about to do: I find out the IP address of my minikube running locally. I set some environment variables pointing at the trust store, so that TLS is no longer in my way. I then log into Keycloak on the command line, giving it the user and the realm I'm going to log into. And then I can do everything I want on the command line. For example, for Grafana in a second, every user needs to have an email address, so I equip the admin user with an email address. I then set up clients, and as I want this to be idempotent, I delete the client first and then recreate it. I could also edit it, like I do with the user. And I have a JSON file that sets up a client. All these settings I did once manually and then exported from the UI, and now I can re-import them in all my environments automatically, in a scripted way. And all of this: let's make this URL dynamic, the root URL, the admin URL, all these flags, how the post-logout redirect should work, all the things. The UI helped me fill it out, I exported it, and now I can use it in my scripts. And finally, I also adjust the client scopes here: this client scope should have some protocol mappers enabled, so that the roles are included in the userinfo and token claims. So you can really script everything that you want to have scripted here. And now let's do some typing. It's a bit tricky to do that here: set up Grafana in Keycloak. So you saw me deleting that client in Keycloak; I now run my script. And once that script is done, in a second (it always takes longer when you're demoing), that client is here again. So now my Grafana client is fully set up with all the URLs dynamically replaced, and I'm ready to do the configuration for Grafana. There is a Helm chart for Grafana.
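Before moving to the Grafana side, the scripted client setup just described can be sketched roughly like this. The file names, realm name `demo`, and the `MINIKUBE_IP` placeholder are my own assumptions, and the `kcadm.sh` calls are shown as comments because they need a live Keycloak; the export-template-reimport pattern is the point:

```shell
# Export a client once from the admin UI, keep it as a template with a
# placeholder, then resolve the URLs per environment before re-importing.
tmp=$(mktemp -d)
cat > "$tmp/grafana-client.json" <<'EOF'
{
  "clientId": "grafana",
  "rootUrl": "https://MINIKUBE_IP/grafana",
  "redirectUris": ["https://MINIKUBE_IP/grafana/login/generic_oauth"]
}
EOF

MINIKUBE_IP=192.168.49.2   # in the demo this would be: MINIKUBE_IP=$(minikube ip)
sed "s/MINIKUBE_IP/$MINIKUBE_IP/g" "$tmp/grafana-client.json" \
    > "$tmp/grafana-client.resolved.json"
cat "$tmp/grafana-client.resolved.json"

# Against a live Keycloak you would then log in, delete any existing client
# (so the script stays idempotent), and recreate it from the resolved JSON:
#   kcadm.sh config credentials --server https://$MINIKUBE_IP --realm master --user admin
#   kcadm.sh create clients -r demo -f "$tmp/grafana-client.resolved.json"
```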
And in the Helm chart for Grafana you can do all the configuration that's necessary: you want to disable the default login screen, you want OAuth enabled, you want to set up a sign-out URL, the client secret, all the different URLs that Grafana should use to redirect the user, to exchange the code for a token, to retrieve some user details. Some of that is OpenID Connect standard, which is nice; on the other hand, it's also documented on the Grafana documentation site. Well, this is now all set up; I ran my Helm install already before. What I'm doing now is going to Grafana, and I'm already logged in, because I'm already logged into the admin console. It's the same login, it's single sign-on, right? So let me show: if I sign out here... so I'm signing out, yes, I do want to log out. And now I'm logged out, and you will see that I'm also logged out from the Keycloak admin UI, right? It's single sign-on and single sign-out. And now I log in to Grafana, and I'm logged in; we should be authorized. I go to my user details in Grafana here, and I see that I'm also an admin, because I did some filtering here: the role attribute path finds the roles of the user and makes this user an admin, right? So this is all set up. And the good news is, well, OpenID Connect is a standard, that's nice, but there's always a lot to learn and to fiddle around with until you make it work, and the good news about Keycloak is that you can look into the logs and understand how it all works. Yeah, that brings me to dashboards and metrics. Keycloak provides metrics in, I would say, a Prometheus style. Let's just replace the URL here at the end with /metrics, who would have guessed, and then you have all the JVM metrics that you want to have.
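For reference, the Grafana-side OAuth settings described a moment ago can be sketched as Helm values. This is a hedged fragment, not the demo's actual file: the hostname, realm name `demo`, and client secret are invented, while the `auth.generic_oauth` keys themselves follow Grafana's documentation:

```yaml
grafana.ini:
  auth:
    # hide Grafana's own login form, use Keycloak instead
    disable_login_form: true
    # where to send the browser after Grafana sign-out, so Keycloak signs out too
    signout_redirect_url: https://keycloak.example.com/realms/demo/protocol/openid-connect/logout
  auth.generic_oauth:
    enabled: true
    name: Keycloak
    client_id: grafana
    client_secret: <client-secret-from-keycloak>
    scopes: openid profile email roles
    auth_url: https://keycloak.example.com/realms/demo/protocol/openid-connect/auth
    token_url: https://keycloak.example.com/realms/demo/protocol/openid-connect/token
    api_url: https://keycloak.example.com/realms/demo/protocol/openid-connect/userinfo
    # JMESPath over the claims, as mentioned in the talk: members of the
    # Keycloak "admin" role become Grafana admins, everyone else a viewer
    role_attribute_path: contains(roles[*], 'admin') && 'Admin' || 'Viewer'
```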
So: how much memory we're using, how our data sources are doing in Java, how the connection pools are doing, how much time we're spending on garbage collection. If you're running a JVM, you'll know these are the things you're most interested in. Yeah, they are all there. You can add more metrics by enabling, for example, the metrics for Infinispan, which we use internally; those are exposed here as well. And if you're an OpenTelemetry person: I've already run the latest Keycloak version with the OpenTelemetry agent, and then you can expose metrics using OpenTelemetry, and tracing with OpenTelemetry. I didn't do logs with OpenTelemetry, but that should work as well. Right, so it behaves nicely and gives you good observability of what's going on inside your Keycloak instance. Especially when you're using OpenTelemetry, you will have metrics for each REST endpoint, so you can actually see the number of requests in each realm as they're happening, something you might be very interested in. So how did I deploy this? Well, first I can show a dashboard; everybody loves dashboards. This is a custom dashboard that collects all the information we saw on the metrics endpoint: how many garbage collections are taking place, how much time I'm spending on garbage collection, how my connection pools are doing, and how my threads are doing in my Keycloak. That's all very useful information. And I did the deployment here using Helm, but there's not so much Helm in it; it's mostly YAML anyway. So this is a custom resource where I tell the Keycloak operator how to deploy it. I give it a hostname; I point it to a database and give it a database pool min and max size; I point it to a secret where the username and password live. And then I can add some more additional options here: for example, I want to have metrics enabled, I want to have health enabled.
I need to point it to a TLS secret; that's something that changed recently, the operator is now actually forcing you to use a TLS secret when you're running in production. And then: how many instances you want to have, and whether you want it to set up an ingress for you. And this is actually a very, very nice feature: it's called "unsupported", and yes, that's what it is, but it allows you to override the pod template. I struggle with operators quite a lot, because I can't make them do the things I want them to do, and this is like an escape hatch, so you can override the things you want to override in the pod template. So even if there's no parameter in this operator's custom resource for, say, additional environment variables, I can still add them via the pod template. I can tune the startup, readiness, and liveness probes as I want. I could also add a port to do some JVM debugging; of course only in test systems, never in production. Okay, and yeah, that's the tour. So we saw Keycloak deployed using the operator, we configured a client, and Grafana used single sign-on with it. So that's nice. Let's continue the slide show. Yeah, and I didn't touch much on customization today, but there's the server developer's guide. You can customize the theme, so colors and whatnot around login and other pages. You can configure the login flows; for example, you can make the user confirm terms and conditions, or register one-time passwords once they're logged in. Yeah, WebAuthn is supported. You can also add your own required actions to that flow by adding another SPI implementation. You can create event listeners: when somebody does something in the admin UI, there are events; when somebody logs in as a user, there are events. You can listen to those events and make happen whatever you want to happen in your environment.
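Going back to the deployment for a moment: the operator custom resource walked through above might look roughly like the following. A hedged sketch: the field names follow the Keycloak operator's `k8s.keycloak.org/v2alpha1` CRD as I understand it, and all the values (hostname, secret names, the extra environment variable) are invented:

```yaml
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: keycloak
spec:
  instances: 1
  hostname:
    hostname: keycloak.example.com
  http:
    tlsSecret: keycloak-tls          # now required when running in production
  db:
    vendor: postgres
    host: postgres
    usernameSecret:
      name: keycloak-db
      key: username
    passwordSecret:
      name: keycloak-db
      key: password
    poolMinSize: 5
    poolMaxSize: 20
  ingress:
    enabled: true
  additionalOptions:                 # plain Keycloak config options
    - name: metrics-enabled
      value: "true"
    - name: health-enabled
      value: "true"
  unsupported:
    podTemplate:                     # the "escape hatch" mentioned in the talk
      spec:
        containers:
          - name: keycloak
            env:
              - name: MY_EXTRA_VAR   # hypothetical variable the CRD has no field for
                value: something
```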
You can also supply modules for user federation, to support maybe custom attributes and connect to any custom user storage, as I said. If you want to engage with our community: we have everything on GitHub. There are discussions on maintenance in GitHub Discussions. We have contributing guidelines for new contributors. There's also a list of community contributions at this link here on the slide. And this is already handing over to the next talk here: FAPI, the financial-grade API security special interest group. That's one of our active user groups, and you will explain that, right? A little cliffhanger. Okay. So, recent changes, and I think I might be a bit low on time: we moved to Quarkus, we have a new operator, a new admin console, we support WebAuthn. That's great. Looking forward, we're about to move our builds to Quarkus 3, we'll have FIPS 140-2 support, we're looking to get cross-DC and multi-region support into Keycloak, and to support zero-downtime upgrades. There's also going to be a new account console. As always, the details are subject to change. Right, cool. So that's Keycloak: authenticate and authorize your users, configure it interactively or fully automated, bridge existing infrastructures, extend and customize as needed, and run in both cloud and non-cloud environments. And now, handing over to the second speaker of this talk.

I'm Yuichi Nakamura from Hitachi. I'd like to introduce Keycloak's conformance to API security profiles. This is my self-introduction: I'm Yuichi Nakamura from Hitachi, and I've been engaged with open source for more than 20 years. Recently I'm focusing on Keycloak. Unfortunately I'm not a maintainer, but I'm leading the Keycloak engineering team in Hitachi, and there is a maintainer, Takashi Norimatsu, who belongs to my team. I'll introduce the work on API security profiles on behalf of him. This is, as you know, the background: APIs are everywhere now.
APIs are opened by various sectors, and in cloud native, microservices are a kind of API. To open an API, security must be considered, because it is opened to the internet. As the first step of security, authorization must be considered; to authorize APIs, OAuth 2.0 is the de facto standard. This figure shows a very simplified example of OAuth 2.0. A bank is opening an API to a client, a third-party fintech service. At first, the client service accesses the authorization server; if the user and client are authenticated, the authorization server issues an access token, and the client calls the API with the access token. The resource server verifies the access token, and if it is verified, the resource server returns the resource, like balance information. However, improper implementation of OAuth 2.0 leads to security holes. Some attacks are known, such as replay attacks and CSRF attacks. If the security holes of an implementation are exploited, attackers can obtain the access token of a user, then call the API and obtain the user's information. For high-level API security: APIs are now opened by critical industries such as finance and government. For such usage, a specification called the FAPI security profile is getting attention globally. This figure shows a high-level overview of FAPI. OAuth 2.0 is a framework, but there is a lot of freedom in how to implement it, so improper implementations lead to security holes. On top of OAuth 2.0, OpenID Connect is defined; however, it is not enough, and improper implementation is still not restricted. On top of that, FAPI is defined. FAPI defines the secure usage of OAuth 2.0 and OpenID Connect across the protocol flow. This figure shows the requirements specified by FAPI. There are a lot of requirements: some extra specifications on top of OAuth 2.0 are recommended, like PKCE; holder-of-key token specifications are required; and strong algorithms are required. This is a sequence to call an API using FAPI.
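One concrete defense against the CSRF-style attacks just mentioned, which FAPI requires clients to get right, is the `state` parameter: the client generates an unguessable value before redirecting, keeps it in the user's session, and rejects any callback whose state does not match. A hedged local sketch of just that check, not FAPI-conformant code:

```shell
# Client side, before redirecting the browser to the authorization server:
# generate an unguessable state (the nonce parameter works the same way,
# but is echoed back inside the signed ID token rather than the callback URL).
state=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
stored_state="$state"            # would live in the user's server-side session

# Honest callback: the authorization server sends the same state back.
callback_state="$state"
[ "$callback_state" = "$stored_state" ] && echo "state ok: callback belongs to this session"

# Forged callback: an attacker cannot guess the session's state.
forged_state="deadbeef"
[ "$forged_state" = "$stored_state" ] || echo "rejected: state mismatch"
```

This is what ties each HTTP exchange to one logical session, as the FAPI sequence below requires.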
The sequence is basically the same as OAuth 2.0; however, every request and response is mutually authenticated, and it is checked that requests and responses are not tampered with. Also, across the whole protocol flow, it is checked that each HTTP request or response belongs to one logical session, by using extra parameters such as the state parameter and the nonce parameter. And there are various security profiles related to FAPI, but they are not all stable; they keep being updated. Conformance tests and certification programs are provided by the OpenID Foundation; to prove conformance, we have to pass the conformance tests of the OpenID Foundation. Here is an example of security profiles: in the FAPI 1.0 family there are four types of security profiles, and in some regions local security profiles are defined: in the UK, Open Banking, and in Brazil, Open Banking Brasil is specified. This is an introduction to the FAPI SIG in the Keycloak community. It is very difficult to implement security profiles, because there are a lot of specifications to support, and they are often updated, and configuring Keycloak for security profiles is not easy; there is a lot to configure. To solve these problems, people who were interested in security profiles gathered in the Keycloak community, from various countries and various companies, and organized a community called the FAPI SIG in the Keycloak community. There is a repository, and there are biweekly or monthly web conferences called FAPI SIG meetings; you can view the past presentations and minutes in this repository. Everyone can join; it is a very open community. This is the achievement of the FAPI SIG: major security profiles are developed and supported by FAPI SIG members. Also, a conformance test environment has been developed and is automatically executed. This figure shows the recent history of the conformance test results: the latest Keycloak can pass the conformance tests of the major security profiles. It is a great achievement. However, API security profiles
are evolving, and Keycloak should also catch up with the latest standards, such as the standard for eKYC (OIDC for Identity Assurance), FAPI 2.0, which is now being defined, and OAuth 2.1, which is also being defined. We have to catch up, and help is needed. If you are interested in supporting API security profiles in Keycloak, please join the FAPI SIG. The meeting schedule is announced on the Keycloak developers' mailing list, and you can join and view the archive from this Google Group. Thank you, that's all from me.

I believe we have time for questions, so please. Is there going to be a microphone? Then give it a start.

So the question was how we could improve the documentation, as it's sometimes not sufficient. You might see that the documentation is going through a transition at the moment: there is the old book-style documentation, and then there is some new topic-based documentation, and it's sometimes a bit difficult to find the right one, as you might have experienced. But the goal is to have more topic-based documentation that really focuses on the different needs, and if you find something missing, please open a GitHub issue. If documentation is missing, that's a bug; we will handle it as a bug and update the documentation as needed.

Thank you. What about signing out users from clients? Is there something like this planned, or in the protocol somewhere? So the user is blocked, or the client is blocked: if I have an identity provider or a user base and I block a user in there, or I delete the user, is there an automated way to lock those users out of client applications?

So you can kill the sessions of that user; that's possible. Depending on your setup, the access token might still be valid for some seconds or minutes. So once you block the user and kill their sessions, then, maybe plus a grace period until the access tokens expire, they are locked out. So the sessions have to be killed too. Also, if you delete a user, I believe those sessions are deleted as well, but I need to double
check that, but you can kill the sessions as well, either automatically or manually; I need to look it up in the docs. Okay, thank you.

Hi, first of all, thank you for this presentation. I'll be a bit provocative: what if I don't want people to see that requests to my backend are proxied through Keycloak for authentication? Would it make sense to hide it, or would that just add a layer of complexity that wouldn't add anything?

Well, if you want to hide Keycloak, you would miss out on what's in Keycloak, like MFA, login flows, the password flow, the registration flow. All these flows that are there, you would miss out on, and in those moments people will see that you're using Keycloak. If you're only out there for the tokens, then you could maybe have a facade that only accepts some tokens and exchanges some tokens, but someone might look at the tokens and still see that you're using Keycloak. But maybe you want to answer that, or maybe this person there in the back wants to go next.

Hello, we use Keycloak in production, and we mainly use a legacy OpenLDAP user store. Is there an easy way to migrate users to the internal Keycloak store instead?

Well, you said LDAP and easy... probably not, that would be my answer. But if you find a developer, or maybe are a developer yourself, you could do an incremental migration if you want to: once users log in, you import each user that is logging in. And I believe, and I hope I'm not saying anything wrong here, that it should be possible to write a user provider that does that: the user logs in, they get imported, and then maybe flagged or deleted from LDAP at that moment.

Yeah, thank you, that's the route we're looking at, and then maybe do a last bulk import at the end.

And by the way, we have some stickers; once the talk is really over you can grab a sticker up here. We have about five minutes. I got this mic, so just
asking this question: you showed the Helm chart you were deploying Keycloak from. Is this Helm chart publicly available somewhere? Can we contribute to it? Because we're currently using our own one.

Yeah, so the Helm chart you've seen is publicly available; it was in the links, and all the links are in the slides, and the slides are on Sched. But it's a Helm chart I wrote just for this demo.

Okay, so there is no official Keycloak Helm chart currently?

The community has Helm charts; I think the people from codecentric have one. It's not official, but you can collaborate on that; I think they're willing to take contributions on it. Thanks.

We're using Keycloak in development for now; we've been evaluating it and planning to use it in production. Our service is multi-tenant, so we're using a lot of realms: for every customer we'll be using a specific dedicated realm. We didn't do the tests ourselves, but we've read that there is a scalability issue with an increasing number of realms, say a couple of tens or a hundred: the Keycloak admin UI, for example, loads slower and slower, and maybe even the authentication flows themselves. As I said, we didn't test it ourselves, but we've seen issues related to that. Do you have any updates on that?
I can confirm that the admin UI is slow with lots of realms; it's not solved yet, that's true. There are some workarounds: if you don't have an admin in the master realm that manages all the other realms, you can decouple your realms. That might be controversial, or might not work for your setup, put it this way, but if you remove the connections between the new customer realms and the master realm, you might be able to scale a bit better. We can discuss that after the talk if you want to. And if you think there is an issue, please vote for the issues you found on GitHub, on this one.

Sure. And maybe one more: we're also using Keycloak for federation with multiple OpenID Connect identity providers, mainly for massaging the claims. But it seems like Keycloak insists on storing a user in its own database, because the session is tied to the user, even though there is actually no need for a concrete user in our case. So we ended up making a plugin that deletes the user after a while. Are there any plans for something like a transient user that would expire after a certain period of inactivity?

That makes sense. There have been discussions around that, around the new store that is about to land eventually: some timeout for all the entities that there are, so that they can eventually expire. But we're not there yet, so the solution you're proposing might be a good one. Okay.

Hi, thanks for your presentations and your open source work in general. I've been using the Keycloak operator, the Quarkus one, for a few months now. At the moment you only support the realm import CRDs to create realms, and according to the documentation you expected to drop lifecycle management of users and realms in general in Keycloak 21, I guess, which is already out; it's postponed, but there's no information on until when. Do you generally plan to support the full management cycle of realms, like even
deleting, once the CRD for the realm is deleted?

Yeah, so maybe to extend the question a bit: at the moment you have the new operator, which doesn't support the things you mentioned, like users and clients for example, and the current suggestion is to use the old operator for that. At the same time, there have been ideas, with the new store, that you can have a file-based store for realms, for clients, for users in Keycloak, and we're currently working on that. So one of the ideas, and the preferred way to do it for the maintainers as I understand it (I'm not a maintainer, I'm only a developer), would be that these resources feed into a file-based realm layout, and once they feed in there, deleting them would delete them from that file store as well. That's the general route we're taking, but I can't tell you when it's going to arrive.

Okay, thanks. Hello, so I pretty much had the same question. We upgraded to the latest Keycloak operator, and if you change something in Keycloak it's not written back to the new Keycloak realm import custom resource, and we can't overwrite existing realms; we changed the code so that it's possible. Are there plans to change that in the future?

With the file-based store I explained, that would be possible. You can have the file-based store, which is on the horizon, eventually a little bit behind the horizon, in read-write mode, so you can go through the UI and change a user and it's written to the file, or you can have it in read-only mode. But read-only users are a bit of a tricky thing, right? Even when a user just logs in, you might have a failed-password count that you want to update. So having read-only entities has some edges that are quite difficult. Yeah, thank you.

Let's close this session officially. We are here all week, and please gather here at the station if you want to
pick up some stickers. I also have some cue cards with facts about Keycloak, if you want to convince a colleague or a manager.