I am planning a new microservice project. Single microservices are REST-APIs, the user should authenticate himself with JWT. I want to use the LexikJWTAuthenticationBundle for implementing JWT.
How can I make sure that the token is validated correctly on different servers?
Don't do distributed authentication, make one server be the auth server which the other servers send the token to for authentication. You can cache the authentication for a (short) period of time, but the data-of-record for the JWT token should be centralized so that if it is invalidated it is invalidated everywhere.
Related
So I want to deploy a client-app (java, with spring security, if that matters) to different companies. The keycloak will obviously run on servers of my organization but the client-app as to run on the servers of the client-companies.
Should the keycloak-client's access type be public or confidential?
i.e. what is the client-secret used for? (Encryption)?
Is it therefore a problem if the companies admins can theoretically read the secret by decompiling the jar of the client-app I give them?
Concerning the valid redirect URIs: Idealy I would like to use grant-type: password, so the user of the company enters his credentials into the frontend of the company deployed client-app and it logs into keycloak. Potentially the client-app deployed in the company is only reacable from the company intranet.
What can the redirect URI be for this case?
Should the keycloak-client's access type be public or confidential?
From the RFC 6749 OAuth 2.0 specification one can read:
confidential
Clients capable of maintaining the confidentiality of their
credentials (e.g., client implemented on a secure server with
restricted access to the client credentials), or capable of secure
client authentication using other means.
public
Clients incapable of maintaining the confidentiality of their
credentials (e.g., clients executing on the device used by the
resource owner, such as an installed native application or a web
browser-based application), and incapable of secure client
Since you are not using a pure web-browser application, or a mobile phone, but rather a web application with a secure backend, you should use a confidential client.
i.e. what is the client-secret used for? (Encryption)?
From the Keycloak documentation:
Confidential clients are required to provide a client secret when they
exchange the temporary codes for tokens. Public clients are not
required to provide this client secret.
Therefore, you need the client-secret because you have chosen a confidential client. The client-secret is used so that the application requesting the access token from Keycloak can be properly authenticated. In your case, the servers from the companies (using your app) requesting an access token from Keycloak. Consequently, Keycloak has to ensure that the server making the request is legit.
That is the purpose of the client-secret. It is similar to when you go to the ATM and request money, the bank knows that you are the owner of that resource (i.e, the bank account) if you have inserted the correct code (i.e., analogous to a client-secret).
Is it therefore a problem if the companies admins can theoretically
read the secret by decompiling the jar of the client-app I give them?
The client_secret has to be known by the application requesting the token (i.e., the company) and the authorization server (i.e., Keycloak). So in theory, if the companies do not mind their admins having access to such information, it should be fine for you. At the end of the day, the client-secret has to be known by both parties anyway. A way of mitigating potential problems with the leaking of client secrets is to change client-secrets once in a while, and communicate that change to interested parties.
As long as one company cannot reverse engineer the client secret of the other company you should be fine.
What can the redirect URI be for this case?
It should be the URL of the frontend leading page of the company deploying the client-app, after the user has been successfully authenticated.
Bear in mind, however:
You should take extra precautions when registering valid redirect URI
patterns. If you make them too general you are vulnerable to attacks.
See Threat Model Mitigation chapter for more information.
(source)
I'm building a microservice based REST API and a native SPA Web Frontend for an application.
The API should be protected using OAuth2.0 to allow for other clients in the future. It should use the Authorization Code Flow ideally with Proof Key for Code Exchange (PKCE)
As I understand it I need to run my own OAuth Auth Server that's managing the API Clients and generating access tokens, etc.
Also I need my own Authentication/IAM service with it's own fronted for user login and client authorization granting. This service is the place the users login credentials are ultimately checked against a backend. That last part should be flexible and the backend might be an LDAP server in some private cloud deployment.
These components (Auth Server and IAM servicve) are outside of the OAuth scope but appear, correct me if I'm wrong, to be required if I'm running my own API for my own users.
However creating these services myself appears to be more work than I appreciate besides the obvious security risks involved.
I read about auth0 and okta but I'm not sure if they are suited for my use case with the application potentially deployed in private cloud.
I also thought about running Hydra (OAuth Server) and Kratos (IAM) by ory but I'm not sure if this is adding too many dependencys to my project.
Isn't there an easy way to secure an API with OAuth that deals with the Auth Server and the IAM that's good for small projects?!
I want to access the kubernetes dashboard and the API using an already existing openid connect session (apache reverse proxy with mod_auth_openidc + WSO2 identity server). Unfortunately, kubernetes requires an id_token as a bearer token (signed JWT), which is quite hard to obtain by just having the session cookie from mod_auth_openidc module.
My problem is the following: When I call the the OIDCInfoHook with the id_token configured (the reverse proxy callback_url like http://service.domain?json=info), I just get the unsigned id_token token, which is useless for kubernetes authentication. Calling the info hook with the refresh token configured I can retrieve successfully the refresh token. With this token the identity server (WSO2) returns the id_token, a new access token and the next refresh token. Unfortunately, the mod_auth_openidc still has the old access_token and I need to map to the new the id_token to the old and new access token. Although it works after a fresh login, optaining the id_token doesn't work anymore after the session timeout (3600 s). In this state, I have to delete manually the session cookie in order to get a new login prompt.
I have two questions:
Is there any other possibility to use oidc authentication with kubernetes that does not rely on the id_token, i.e. using one the openid connect flows as described in the spec? According to the openid connect spec, the id_token should not be send around and this method seems not to be one of the openid connect flows, I guess.
Is there any other best practice way to integrate kubernetes into an existing openid connect based single sign on environment?
The common SSO solution for this kind of problems is to use Kubernetes OAuth2-Proxy, https://github.com/pusher/oauth2_proxy. You could either run the proxy in an ingress or in a side car container. If you have istio, you could also integrate Istio with your openid conenect provider.
I understand that keycloak has built-in clients and we add the users later on.
But in general, what is the difference between a client and a user in Keycloak?
According to the Keycloak documentation
User - Users are entities that are able to log into your system
Client - Clients are entities that can request Keycloak to authenticate a user. Most
often, clients are applications and services that want to use Keycloak to secure
themselves and provide a single sign-on solution. Clients can also be entities that
just want to request identity information or an access token so that they can
securely invoke other services on the network that are secured by Keycloak
In short words, not only for keycloak but for OAuth and OpenId Connect too, a client represents a resource which some users can access. The built-in clients for keycloak represent some resources for keycloak itself.
Clients and users are two completely different constructs in keycloak.
In plain English, client is an application. Example for an application could be a e.g. yelp.com or any mobile application. Client can be a simple REST API. Keycloak's built in clients are for keycloak internal use, But any user-defined application has to be registered as a client in keycloak.
Users are the one which authenticate via keycloak to gain access to these applications/clients. Users are stored in keycloak DB or any externally hosted LDAP but synced with keycloak.
I've got a site acting as an Identity Provider (IdP) for Single Sign on and another 2 service providers that authenticate against it using SAML 2. At the moment, both service providers use the same certificate to validate the SAML response from the IdP.
I've now got a 3rd Service Provider joining shortly and I wondered whether I should really be issuing separate certificates to each party so that we could potentially revoke their access, if required, without affecting the other Service Providers? What approach have others taken and why?
I'm using SimpleSamlPHP as the IdP.
As I understand, what you want is to be able to revoke SSO access for one SP but not all.
I would think this should not be done by revoking certificates but rather by removing the metadata from SimpleSamlPHP.
The problem with this is that the certificate information is in the IDP metadata that is sent to the SP and the metadata normally only allows for one certificate for one task (can be different tasks e.g. for signing and encryption).
Coming back the other way e.g. signing the SP Authn request, all the SP's can have different cetificates or they can share.
Some products e.g. ADFS 2.0 before Rollup 3 do not allow SP to share certificates.