[The opening of the talk is unintelligible in the transcript.]

And SSO, or single sign-on, means that you can point more applications to your Keycloak server. When you open your first application, this application redirects to Keycloak SSO and the user provides his username and password; then, after he opens a second application, he is automatically logged in and doesn't need to enter his username and password again. Single sign-out is kind of the same thing, but for logout: when you log out from one application in your browser, you are logged out from the others as well. Everything is based on standard protocols like OpenID Connect, SAML 2, OAuth 2 and UMA, so all the exchanges and messages between the browser, the client application and the Keycloak server are standardized.

Identity management is a very important part of Keycloak, because Keycloak has a database which is able to store all the metadata about users, roles and clients. So basically, when you have a traditional application where you develop all the security by yourself, you usually need to develop login forms where your users provide username and password, you need to implement storage for users so that you have a database where your users are, and you need to care about all the things like password hashing. And when you want to add more things, like registration of users or a "forgot password" link on the login screen, you have lots of things to implement. If you use Keycloak, then all of those things are available for free.
Keycloak also has lots of UIs. The admin console allows you to easily manage your users and other metadata. Account management is useful for end users, so they are able to see their profile and edit their passwords or other credentials, like TOTP for example. We of course provide login forms and, optionally, things like registration forms, reset-password forms and so on. And there are many more cool features: Keycloak can be integrated with social providers like Facebook, Google or Twitter, so that you delegate authentication to those providers. It's possible to integrate with any other OpenID Connect provider or some other provider. It's possible to point Keycloak so that it can provision users from LDAP or SSSD. There is support for TOTP or Kerberos authentication. There is support for themes, which allow you to customize login forms so that you can add your own CSS; events are there for monitoring; and there are lots and lots of other things.

But one of the most important things is how you actually secure your application, and what is helpful here is the Keycloak adapter, which is basically a client-side implementation of the OpenID Connect or SAML specification, and you usually don't need to code anything in your application. You just need to provide the configuration of the Keycloak adapter and usually add some dependencies or something, based on the adapter implementation, but typically it's very easy to integrate your app with Keycloak. As for adapters, we have an adapter for JavaScript applications; we have adapters for server or web applications deployed on WildFly, Jetty or Tomcat; there is a Fuse adapter, a Node.js adapter, a servlet filter adapter; there is a Spring Boot and Spring Security adapter, which I will show in the demo; and we also have a generic adapter like Gatekeeper, which can be used for any other kind of web application.

So this picture shows how the OpenID Connect flow looks.
The most important part here is that when the user opens the browser and wants to access any application, the application just redirects to the Keycloak server, and after the user authenticates on the Keycloak side there is some other handshake, but in the end the application will receive an ID token and an access token which are signed by the Keycloak server's private key, and then, at a later stage, the token can be verified with the public key. So typically those frontend applications are accessing some REST services, and they can access them with the access token which was signed by Keycloak, and the service, which is also secured by Keycloak, can just read the token: in REST HTTP requests the token is sent in the HTTP header, so the service can just read it and verify the signature on the token, and it doesn't need to communicate with the Keycloak server itself, so it's also very good from the performance perspective. The only thing needed is that at the very beginning the service downloads the public key from Keycloak, but then it can use it to verify thousands of tokens. There is also the possibility that the service always verifies the token online, but that's not so performant.

So in the next step I will try to show a simple demo of Keycloak. I already have Keycloak running, so I will just restart it and run it on port 8180. If you want to try Keycloak, by the way, it's very easy: you just need to download the Keycloak server from the Keycloak home page and unzip it, and that's all.
So if you want to play with it, it's usually a question of a few minutes. You need Java, but that's really the only requirement, so it's really, really easy to set up. At this moment I can open the admin console of Keycloak, and I will log in as the default user admin. At this stage we can see the admin interface, where I can look at existing users; at this moment I have just one user, admin. What I will do now is add a new realm. A realm is something like an abstraction for handling a set of users and a set of client applications which will be able to share the same SSO session, simply said. I will import the new realm from a JSON file. One of the great things about Keycloak is that when you preconfigure your realm with all your data, users, clients and so on, you can just export it into a JSON file and then import it from this JSON file later, which is good if you need to migrate between different environments, like from stage to production.

I have a realm which is called cars, and I have imported it from the JSON file. I have a few simple users here, like user Alice, and she is a member of some roles; there is a role called user, which is important. Clients are something like an abstraction for client applications, so I have a client called cars app, which represents my application, which I will show later, and there is some metadata which needs to be configured on the Keycloak side for that client, like the valid redirect URIs, for example, where Keycloak will redirect after the authentication is finished, and so on. The cars service represents a REST service, which can't itself start the authentication but is able to receive bearer tokens which are sent to it from the application, which may be cars app.

In the IDE, which I will probably switch to presentation mode, I have two apps, sorry, an app and a service. The service is just a REST service, and the only thing which I needed to do, and it's a Spring Boot REST service,
so it has an application.properties configuration file, and here I just need to add a few things, a bit of metadata about Keycloak: point the service to the Keycloak server and to my realm, and to cars service, which is the name of the client on the Keycloak side. There is also a client secret, which is used for secure communication between the client application and the Keycloak server. And these security constraints are typical for Java EE server applications; basically, when I want to access anything under cars, I need to be in the role user. And I need to have a dependency on the Keycloak Spring Boot starter in my pom.xml, and that's all which I need to have for my service. For the app it's similar: I just have this configuration in application.properties, and this app represents the frontend application and uses Spring Boot and Spring Security, so it also has this bean, and the security constraints are configured here, so it also requires the role user to be accessed.

So I will just run my service and my app; I am just running them from the IDE, I hope they will start fine, and I will open my app on this URL, on port 8080. You can see that I was redirected to the login screen, which is the Keycloak login screen, so this login screen is provided by the Keycloak server. When I put in the username and password of user Alice, I also need to confirm the grant screen. This is an optional thing: if I configure "consent required" on my client, it means that this consent screen will be shown to users, and the user basically needs to grant some permissions to the client application so that it can access his email, his profile and some other things. There are lots of similar fine-grained configurations if you want some customizations, but for basic integration it is really very easy to try. Now I can see that I am successfully authenticated, and this information about the user, like username, email and name, is provisioned from the token which was sent by Keycloak, and it contains some metadata,
some data about the user and some other metadata, like information about his roles. With this I can send REST requests to the service, and my service is able to create new cars, ask for existing cars and delete cars, and it also provides pictures of cars, so I can look at this nice snowplow, for example. When I log out and log in as a different user, jdoe, I can also create some cars, but I also have access to all the cars which were created by Alice, because there is basically no fine-grained authorization, so all users which have the role user are able to access everything right now.

So in the next step we will try to look at the fine-grained authorization capabilities which Keycloak provides. It's quite a new thing: Keycloak is mainly for providing authentication, but we recently added authorization support as well. The idea behind it is that we want to decouple authorization from services and from applications as much as possible. There is also the aim to have a dynamic access control model; we also want to stick to standards like OpenID Connect and UMA; there is also the aim to have privacy support and things like enabling sharing of resources between users, so for example users are able to share their documents or their photos with other users. And we want to achieve all of this with ideal performance, ideally with not so many requests needing to be sent between the Keycloak server and the service and applications.

The common authorization approach is usually role-based or group-based authorization. So for example, when we want people managers to be able to access information about any employee, you usually ask in your application if the authenticated user is in a role like people-manager. This is sufficient for lots of applications, but for many others it may not be so nice, because for example when there is some change in the business requirements, role-based authorization may not be sufficient. For example, you may want some user to not be able to access
salaries anymore, but you still want him to be in the role people-manager, because this role is used for many other things in your application. Here you have an issue, because your authorization based on roles is not fine-grained enough. So the proposal is to rather focus on the things which the user can do and on the resource which he wants to access. For example, instead of doing checks based on roles, we will ask if the user is able to do some action, like access the salary of an employee, or if the user is able to change the salary of some concrete employee, John Doe. So basically, when X can do Y on Z: in the Keycloak authorization model, X is the user who wants to do something, Y is the action, which is called an authorization scope, and Z is the resource, so in the example above it is something like this employee's salary. A policy is the actual implementation of the authorization rule, which can decide if access is granted or not, and a permission is basically a binding between the resource and scope and the policy. The final result is the evaluation; this is not part of the model, but evaluation is important to decide if access is granted, and more policies can be added to a permission.

So the overall architecture looks like this. It looks a bit tricky maybe, but it's quite easy in the end. We have a client application which accesses a resource server; the resource server is basically a REST service. There is usually a policy enforcer which is deployed together with the resource server, so it's typically part of the Keycloak adapter, and this policy enforcer checks if the authorization requirements are met, and it can invoke Keycloak for this. Keycloak provides some REST APIs, like the authorization API and the protection API: the authorization API is for doing authorization decisions, and the protection API is for managing resources and permissions and other objects. Administration is possible from the Keycloak admin console, but lots of things are accessible through the REST API. Keycloak also provides storage for all the metadata, like resources,
scopes, permissions and policies, and an evaluation engine that is able to decide if access should be granted or not. So for the configuration of fine-grained policies, the basic configuration is that you need to create some policies, resources, scopes and permissions on the Keycloak server side, and on the service side, in the adapter, you need to have the policy enforcer.

So I will try to show this with my basic service, which at this moment doesn't use fine-grained authorization. I want to add some more fine-grained authorization, so I want to have fine-grained authorization for creating cars right now. The first thing which I need to do is to enable this authorization switch on my cars service, and when I save it I have a new tab called Authorization, and here I can add some resources, for example. This default resource is always created by default when you enable authorization for your service. So I will create a new resource called car resource, which will represent a car, and its display name will be car resource as well. Type is not mandatory, and the URL is not mandatory, but I will use cars because my service is listening under cars. Scopes are actions, so I will need to create some authorization scopes, or actions, which I want to do with cars: I want to have a scope for creating a car and, for example, also for viewing a car, and I want to add those scopes to my car resource. So I now have a resource and scopes, and I need a policy which will be able to decide. By default there is a default policy here, which is based on JavaScript. For policies we have lots of implementations of various policies, like the role-based policy, which is really maybe the simplest one: it just checks if the user is a member of some particular role. So I will just start with this one, and I will specify that the user needs to be a member of the admin role to pass this policy. And I need to create a permission, which is the last thing. I want to specify that for creating cars I
need to use the car resource and the scope car create, so creating cars will be possible just if the user is admin; so I associate the admin role policy with this permission. The Evaluate tab is very great, because I can check if my authorization rules work as expected. So I will try to check if user admin is able to access the car resource, or to create a car, and here I can see that it's permitted, nice. But if I try a different user, like Alice for example, it shouldn't be permitted, of course, because Alice is not a member of the admin role; she is just a member of the user role.

At this moment, when I go back to my application and log in as Alice, I am still able to buy a new car, because I didn't configure the policy enforcer, which is needed on the adapter side. So it's this application.properties file, and I will just uncomment the policy enforcer. It's not so hard to write it by hand, but, you know, during a presentation it's safer to pre-configure it. This configuration specifies that when the REST service is accessed under this URL, like cars create, then the car resource and the car create scope will be used, so the policy enforcer will basically check if the user is able to access the car resource with the scope car create. And this "permissive" switch on the policy enforcer means that just the URLs which are specified will be checked by the policy enforcer, but the URLs which are not specified won't be checked by it, so all the other things, like viewing a car and deleting a car, are still possible for simple users which are just in the role user. I just need to restart my service, and when I click create car right now it's not possible anymore, but the admin user should still be able to do it. Yeah, it works: he was able to create that Ferrari or that Mixel, that's nice.

So we saw just a basic policy, but there is also the possibility to use more tricky policies. The JavaScript-based policy is very powerful. The time-based policy is very nice for demo purposes, because we can for example specify that some action is
possible just on the 25th day of the month, which is today. So if I specify it like this and I add this new policy to the permission, then, yeah, the decision strategy "unanimous" means that both policies need to be met so that the overall decision is approved, so you can think of unanimous like a logical AND: the user needs to be admin and the action needs to be done on the 25th day of the month. "Affirmative" is like OR, so if I used affirmative it would mean that the user needs to be admin or it needs to be the 25th day of the month, so on the 25th it would be possible for everyone to create a car, but that's not what I want.

[Audience question about the UI, not captured in the transcript.] You mean here? I think that I need to type the first character, or I can... yeah, I think that, yeah, you need to know at least the first character. It's something which is, yeah, if you don't know it, it's maybe not so intuitive, but in most of the cases you usually know this, so maybe there are some possible improvements of the UI, but I'm not sure, to be honest; I'm not an expert on UI, so for me it's just fine.

So if we retry it, we can see that admin is able to create a car, because both policies vote to permit. It should still be possible for admin to create a car, but if I change the policy to, for example, the 24th day of the month, then, yeah, it's not possible anymore for admin to create a new car. So I will change it back, and it will be possible to use both the 24th and the 25th, and admin should be able to create a new car. Yeah. So we can see that without changing anything on the application side, just by changing the policy, the authorization rules are immediately applied.

So in the next step I will try to show User-Managed Access, or UMA, which is a very nice extension of the authorization capabilities provided by Keycloak. The main message behind it is that users are able to share resources with other users, and part of this is also asynchronous authorization. A typical use case for asynchronous authorization is that jdoe
wants to access some pictures of user Alice, and he doesn't have permission to access them yet, so he just sends a request to Alice to be able to see her pictures, and Alice is notified about this request, so she just approves it, and jdoe can now access Alice's pictures, and at any time Alice can decide to revoke access to her pictures. You probably know this use case from applications like Google Drive, where you can share your documents with other users, and if someone sends you a link and you don't have permission to access the document, you click something like "request access", and the owner is notified about this and will grant you access. With this, it's basically much easier to add a capability like this to your application secured by Keycloak.

One related thing to this is the RPT token, which is basically an access token with permissions, and it can be used by the frontend application to send requests to services which are protected by the policy enforcer, and then the policy enforcer is able to just verify the permissions inside this RPT token. In the previous demo we didn't use this RPT token: the frontend application sent just normal bearer tokens to the service, and the service's policy enforcer always needed to send a request to Keycloak to verify if access should be granted or not. It's good that you were able to see that it worked in real time, but the performance of that is not so great. With this RPT token you usually get better performance, because when you repeatedly want to access a resource, the permission is already in the RPT token, so the service is just able to grant it. In case the permission is not in the RPT token, then a UMA ticket is sent from the service to the application, and the application is able to exchange this ticket, together with the existing RPT token, with the Keycloak server, and if the Keycloak server decides that access should be granted, then it will send a new RPT which will contain all the old permissions and the new permissions as well. So it's something like incremental
authorization, where the RPT token contains just those permissions which are needed and which were asked for by the service. Keycloak provides RESTful APIs: the authorization API is useful for obtaining those RPTs, and the protection API is used for managing resources and things like permission tickets. If you want to use this fine-grained authorization, you actually may need to add some code to your application, because for example when you create a car, or a new photo, or any other resource, then usually you also need to create a resource on the Keycloak server side, so that Keycloak is later able to associate ACLs with this particular resource. If you want to be able to share a single photo or a single car, you need to have a resource per car; otherwise, if you want for example to share an album, you may need to have a resource just for the album. So it's usually some tradeoff between how fine-grained your authorization needs to be.

So in the demo I will stop the service and the app, and I will just try to switch to a different branch where I already have some more UMA integration code done in my app. In this case I also have things like: when the user creates a car, a resource is created. Keycloak has an admin client written in Java to create new resources or delete resources as needed, but everything is available through the REST API as well, and those APIs are documented, so it's usable from any language. Now in the admin console I will just delete my realm and create a new one, because the JSON file in my new branch contains some more fine-grained configuration of the policies. Now you can see that I have permissions: creating a car is possible for any user, but being able to view a car, or view the details of the car, is possible only for the owner and administrators, and this policy,
only owner and administrator policy, is an aggregated policy, and it consists of two other policies. It's affirmative, so it's like OR: if the user is the owner he can do everything, and if he is an administrator he can also do everything, so one of these conditions needs to be met. The any admin policy, or administration policy, also consists of two policies: the any admin policy just checks if the user is admin, but there is also a requirement that the admin accesses Keycloak from a specific IP address, so a JavaScript policy is used here. As you can see, the JavaScript policy is very flexible; you can check for things like the IP address. The only owner policy is also based on JavaScript, and in JavaScript you have access to some properties, like identity, which means the authenticated user, and resource, which is the subject of the policy, and here we check if the owner of the resource is equal to the identity. So that's the configuration on the Keycloak side.

On my app side I will just run the service and the application, and I think that now, when I log in as Alice for example, I am able to create a new car, and in the RPT token we can see that it contains just the permission for creating a car. But when I ask to view the details of this nice Volkswagen Transporter hippie bus, I can see that the RPT token contains some more permissions, because the policy enforcer created a ticket and Keycloak granted me the permission for viewing this new resource. When I click this again there is no need to send another request from the service to Keycloak, because access is already granted.

The point of UMA is that in the account management of Keycloak, where users can edit their profile, for UMA they can also share their resources with other users. So I will, for example, just share this Volkswagen Transporter bus with the jdoe user, and now when I log in as jdoe I am able to create my car, but I am also able to view this... I am not able to... I am just able to list it, but "view details" is a different scope, so I need to ask Alice if she can
grant me the access for viewing the details. When I log out and log in again as Alice, in her account management she can see that jdoe asked her to be able to view the hippie bus, so if she approves it, the user jdoe should now be able to view this bus. As you can see, you can do lots of other things with this, and I think that's all which I have. If you want to try Keycloak or access this demo, or if you have any general questions, you can look at the Keycloak mailing list or write to my email. Do you have any questions?

[Audience question, partly inaudible: "... you choose to create the key but without having to store ..."] So, can you repeat? Yeah, yeah. So it's possible, regarding this authorization, to have authorization based on users or based on user attributes as well, and in general in account management users can edit some simple attributes of themselves, and this page is customizable, so you can add some more things, for example the address of the user or the phone of the user. Is this what you mean, having more claims or attributes of the user? What users can do is... they are usually not able to manually create the tokens or something like that, but it depends on what the application allows them. So I think that probably not; creating tokens is not anything which is directly permitted, because you usually need other things like client credentials and so on, so tokens need to be created on behalf of the client as well. But not sure, maybe I misunderstood your question, sorry, but we can discuss maybe after this session. Any other questions?

[Audience question:] How often does the application need to query Keycloak to get the info about the user's permissions? So the lifecycle is configurable, and it's usually configurable per realm, but it can be specified on clients as well. On the realm there are various timeouts, because we have various use cases, so we needed to add more and more timeouts, but the most important for this use case is the access token lifespan, which is 5 minutes by
default. So the RPT token is also valid for 5 minutes, so for example if some permission is granted in the RPT, after 5 minutes the RPT token always needs to be recreated. It's usually a tradeoff between changed authorization criteria and performance. If you want to have something like online verification, which we used before in the second demo, you may not need this RPT at all, but then your service will always need to query Keycloak. If you use a timeout like this, it can happen that there is some stale info in the RPT token and the authorization shouldn't be granted anymore, but it's usually just for a few minutes, so 5 minutes is a very good tradeoff for most applications. And OpenID Connect in general has support for refreshing tokens, so usually after every 5 minutes the token is refreshed, but if the session is not valid anymore the refresh won't happen, and things like those will always be refreshed too. So I think that's all, and I'm sorry we're out of time, but if you have more questions I will be around, so we can discuss later if you want. So thanks everyone for watching.
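Editor's added example: the Go program below is not from the talk, the speaker's demo or the Keycloak project. It illustrates two things the speaker describes: the REST service verifying a Keycloak-signed access token offline with the realm public key it fetched once, never calling Keycloak per request, and the role check behind the demo's security constraints (everything under cars requires the role user). Assumptions, also marked in the code: a freshly generated RSA key pair stands in for the realm key, the issuer URL http://localhost:8180/auth/realms/cars mirrors the demo's realm name and port, and the token claims follow Keycloak's realm_access.roles and preferred_username layout. The scenarios also show what the offline check must reject: an expired token, a token whose roles claim was rewritten after signing, and an unsigned token that declares alg=none, which is why the verifier pins RS256 instead of trusting the header.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak access token a resource server needs; realm roles live under realm_access.roles.
type Claims struct {
	Iss         string `json:"iss"`
	Exp         int64  `json:"exp"`
	Username    string `json:"preferred_username"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 plays the Keycloak server: RS256 over header.payload with the realm private key.
func signRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil { return "", err }
	input := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return input + "." + b64(sig), nil
}

// VerifyToken is the per-request check in the resource server: it needs only the realm public key fetched once at startup.
func VerifyToken(pub *rsa.PublicKey, token, wantIss string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var hdr struct{ Alg string `json:"alg"` }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil { return nil, errors.New("bad header") }
	// Pin the algorithm; the token must not choose it (rejects alg=none and RSA/HMAC key confusion).
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil { return nil, errors.New("signature verification failed") }
	var c Claims
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != wantIss { return nil, fmt.Errorf("wrong issuer %q", c.Iss) }
	if now.Unix() >= c.Exp { return nil, errors.New("token expired") }
	return &c, nil
}

// HasRealmRole is the check behind a constraint like "everything under cars needs role user".
func HasRealmRole(c *Claims, role string) bool {
	for _, r := range c.RealmAccess.Roles { if r == role { return true } }
	return false
}

// RunScenarios issues tokens the way Keycloak would and runs them through the resource-server check.
// Key pair and issuer are constructed for this example (issuer mirrors the demo realm "cars" on port 8180).
func RunScenarios() (map[string]string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	const iss = "http://localhost:8180/auth/realms/cars"
	now := time.Unix(1700000000, 0)
	mk := func(user string, roles []string, exp time.Time) string {
		c := Claims{Iss: iss, Exp: exp.Unix(), Username: user}
		c.RealmAccess.Roles = roles
		tok, err := signRS256(priv, c)
		if err != nil { panic(err) }
		return tok
	}
	check := func(tok string) string {
		c, err := VerifyToken(&priv.PublicKey, tok, iss, now)
		if err != nil { return "denied: " + err.Error() }
		if !HasRealmRole(c, "user") { return "denied: missing role user" }
		return "allowed: " + c.Username
	}
	valid := mk("alice", []string{"user"}, now.Add(5*time.Minute))
	parts := strings.Split(valid, ".")
	pb, _ := base64.RawURLEncoding.DecodeString(parts[1]) // escalation attempt: rewrite roles, keep old signature
	forged := parts[0] + "." + b64([]byte(strings.Replace(string(pb), `"user"`, `"admin"`, 1))) + "." + parts[2]
	unsigned := b64([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + parts[1] + "." // asks the verifier to trust alg=none
	return map[string]string{
		"alice_role_user": check(valid),
		"bob_no_role":     check(mk("bob", nil, now.Add(5*time.Minute))),
		"expired":         check(mk("alice", []string{"user"}, now.Add(-time.Minute))),
		"forged_roles":    check(forged),
		"alg_none":        check(unsigned),
	}, nil
}
```

Calling RunScenarios returns one line per scenario: only alice's fresh token with the realm role user is allowed; the others are denied with the reason (missing role, expired, signature failure, unexpected alg). The policy enforcer from the later part of the talk is a second layer on top of this check: the realm role gates the whole cars path here, and the enforcer then decides per resource and scope.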