keycloak bearer-only clients: why do they exist? - keycloak

I am trying to wrap my head around the concept of bearer-only clients in Keycloak.
I understand the concept of public vs confidential and the concept of service accounts and the grant_type=client_credentials stuff. But with bearer-only, I'm stuck.
Googling only reveals fragments of discussions saying:
You cannot obtain a token from keycloak with a bearer-only client.
The docs are unclear as well. All they say is:
Bearer-only access type means that the application only allows bearer token requests.
Ok, if my app only allows bearer token requests, how do I obtain this token if I cannot get it from Keycloak using client id / client secret?
And if you can't obtain a token, what can you at all? Why do these clients exist? Can somebody please provide an example of using this type of client?

Bearer-only access type meaning
Bearer-only access type means that the application only allows bearer
token requests. If this is turned on, this application cannot
participate in browser logins.
So if you select your client as bearer-only then in that case keycloak adapter will not attempt to authenticate users, but only verify bearer tokens. That why keycloak documentation also mentioned bearer-only application will not allow the login from browser.
And if you can't obtain a token, what can you at all? Why do these clients exist?
Your client can't be set as bearer-only on Keycloak Server. You can
still use bearer-only on the adapter configuration though. Keycloak
doesn't allow "bearer only" clients (when setting up your client on
the server) to obtain tokens from the server. Try to change your
client to "confidential" on the server and set bearer-only on your
adapter configuration (keycloak.json).
So if you understand above statement then if you have two microservice which are talking to each other in the case, caller will be confidential and callee will be bearer-only
And Keycloak also mentioned
Bearer only client are web service that never initiate a login .It’s typically used for securing the back-end.
So if you want to use any adapter you can use bearer-only depend on the need
EDIT-
Lets go in more details ..Let see one example i have a web-app and one rest-api for web-app i am using React/Angular/JSF any front end technology and for back-end i am using Java based rest-api OR Nodejs.
Now for above requirement i have to secure both the products(web-app,rest-api) so what will be my work of action? How will I secure both the apps through Keycloak?
So here is details explanation
I have to create two client inside a realm in keycloak
Client A will be use by web-app
Client B will be used by rest-api
So now question will be why two client?
For web-app we want to force user to login via GUI then only generate the token
For rest-api we dont want GUI based api as these api consume by web-app but still secure the access to rest-api.
Now Go to Client A and make its Access Type public client so web-app will ask to login via keycloak GUI or your login page then generate the token
So same token which generated in above step used by rest-api and according to user role and other information data will fetch. So Access Type of Client B will be bearer-only so web-app generated token is passed to rest-api and it is then used to authorize the user .
Hope it will help. Someone want to add more he/she free to add.

Short answer: you can't obtain an access token using a bearer-only client, so authentication flow configuration is irrelevant, but keycloak may still need to know such a bearer only client to manage role / or audience
More details
bearer-only clients usefully represents back-end applications, like web service, called by front application and secured by the authorization server (= keycloak)
Backend / Web service application are not called directly by user, so they can't play in the Oauth2.0 user interactive flow. Setting "bearer-only" document this fact to keycloak server, allowing administrator to configure client without otherwise mandatory values (example redirect uri…) and allowing usefull error messages if someone trying to obtain a token for such a client
However, this doesn't mean you cannot configure specific roles for this client: so it need to appear in keycloak realm.
In addition bearer-only client need to verify the received access token, especially, if this (recommenden) adapter feature "verify-token-audience" is activated, bearer-only client need to verify that the access token has been issued for it: the bearer-only client must be in the audience attribute of the access token:
see https://www.keycloak.org/docs/latest/server_admin/index.html#_audience
for audience managing by keycloak, bearer-only clients needs to be registered in keycloak realm.

In my understanding, it is used when you have some internal service.
Let's say you have ServiceA and ServiceB. A user calls ServiceA which in hand calls ServiceB. ServiceB is never called by the user directly, only by other services. ServiceA will get a token using the user's credentials. And then will use this token to call ServiceB. ServiceB will never initiate a login. It will just use the token to verify permissions.
In this case, ServiceA will be confidential and ServiceB will be bearer-only clients.

An other idea why bearer only clients exist could be that client are misused for role containers sometimes, see the following discussion on the Keycloak User mailing list https://lists.jboss.org/pipermail/keycloak-user/2016-April/005731.html
E. g. the default client "realm-management" is a bearer only client, that contains roles to manage things in a realm. There is no need to invoke a login on a client like this, so public and confidential doesn't make any sense.

Related

Authorization code grant type for service to service communication

I have two services: Service A and Service B
I have a central Identity Server that issues and validates tokens.
I need some of the resources of Service B to be accessed only by Service A.
How do I validate the audience, or how do I make sure that for ex.
the client credentials token of Service A is valid when calling
Service B, and tokens from other services are invalid.
Is it a bad practice or are there any issues in using authorization
code grant type for service to service authorization ?
When you issue a token for client credentials, then the subject of that token should be Service A. It will either be in the sub claim of a JWT (if you use JWTs for access tokens), or you will be able to get that information from an introspection endpoint (if you use opaque access tokens). Service B can use that information to reject any request with tokens where subject is not Service A.
Authorization code grant type assumes there is a resource owner (a user) and a browser available. It looks like in your case it will be impossible to implement authorization code flow, as you have two services talking directly to each other. Anyway client credentials should be enough for your needs.

OAuth2.0 Auth Server and IAM

I'm building a microservice based REST API and a native SPA Web Frontend for an application.
The API should be protected using OAuth2.0 to allow for other clients in the future. It should use the Authorization Code Flow ideally with Proof Key for Code Exchange (PKCE)
As I understand it I need to run my own OAuth Auth Server that's managing the API Clients and generating access tokens, etc.
Also I need my own Authentication/IAM service with it's own fronted for user login and client authorization granting. This service is the place the users login credentials are ultimately checked against a backend. That last part should be flexible and the backend might be an LDAP server in some private cloud deployment.
These components (Auth Server and IAM servicve) are outside of the OAuth scope but appear, correct me if I'm wrong, to be required if I'm running my own API for my own users.
However creating these services myself appears to be more work than I appreciate besides the obvious security risks involved.
I read about auth0 and okta but I'm not sure if they are suited for my use case with the application potentially deployed in private cloud.
I also thought about running Hydra (OAuth Server) and Kratos (IAM) by ory but I'm not sure if this is adding too many dependencys to my project.
Isn't there an easy way to secure an API with OAuth that deals with the Auth Server and the IAM that's good for small projects?!

SSO to kubernetes with mod_auth_openidc session

I want to access the kubernetes dashboard and the API using an already existing openid connect session (apache reverse proxy with mod_auth_openidc + WSO2 identity server). Unfortunately, kubernetes requires an id_token as a bearer token (signed JWT), which is quite hard to obtain by just having the session cookie from mod_auth_openidc module.
My problem is the following: When I call the the OIDCInfoHook with the id_token configured (the reverse proxy callback_url like http://service.domain?json=info), I just get the unsigned id_token token, which is useless for kubernetes authentication. Calling the info hook with the refresh token configured I can retrieve successfully the refresh token. With this token the identity server (WSO2) returns the id_token, a new access token and the next refresh token. Unfortunately, the mod_auth_openidc still has the old access_token and I need to map to the new the id_token to the old and new access token. Although it works after a fresh login, optaining the id_token doesn't work anymore after the session timeout (3600 s). In this state, I have to delete manually the session cookie in order to get a new login prompt.
I have two questions:
Is there any other possibility to use oidc authentication with kubernetes that does not rely on the id_token, i.e. using one the openid connect flows as described in the spec? According to the openid connect spec, the id_token should not be send around and this method seems not to be one of the openid connect flows, I guess.
Is there any other best practice way to integrate kubernetes into an existing openid connect based single sign on environment?
The common SSO solution for this kind of problems is to use Kubernetes OAuth2-Proxy, https://github.com/pusher/oauth2_proxy. You could either run the proxy in an ingress or in a side car container. If you have istio, you could also integrate Istio with your openid conenect provider.

Keycloak client vs user

I understand that keycloak has built-in clients and we add the users later on.
But in general, what is the difference between a client and a user in Keycloak?
According to the Keycloak documentation
User - Users are entities that are able to log into your system
Client - Clients are entities that can request Keycloak to authenticate a user. Most
often, clients are applications and services that want to use Keycloak to secure
themselves and provide a single sign-on solution. Clients can also be entities that
just want to request identity information or an access token so that they can
securely invoke other services on the network that are secured by Keycloak
In short words, not only for keycloak but for OAuth and OpenId Connect too, a client represents a resource which some users can access. The built-in clients for keycloak represent some resources for keycloak itself.
Clients and users are two completely different constructs in keycloak.
In plain English, client is an application. Example for an application could be a e.g. yelp.com or any mobile application. Client can be a simple REST API. Keycloak's built in clients are for keycloak internal use, But any user-defined application has to be registered as a client in keycloak.
Users are the one which authenticate via keycloak to gain access to these applications/clients. Users are stored in keycloak DB or any externally hosted LDAP but synced with keycloak.

What does `endpoint` exactly mean in OAuth?

I saw the word "endpoint" many times in OAuth documents.. However, I still don't know what does this word really mean.. Does anyone have ideas about this?
The OAuth 2.0 Authorization Framework
The authorization process utilizes two authorization server endpoints
(HTTP resources):
Authorization endpoint - used by the client to obtain
authorization from the resource owner via user-agent redirection.
Token endpoint - used by the client to exchange an
authorization
grant for an access token, typically with client authentication.
Its basically the HTTP web address of the authentication server. It could probably be server addresses depending upon how its worked. The first is for requesting access of the user the second could be for granting access to the application. this probably depends upon how the Authentication server is set up.
OAuth endpoints are the URLs you use to make OAuth authentication requests to Server. You need to use the correct OAuth endpoint when issuing authentication requests in your application. The primary OAuth endpoints depend upon the system you are trying to access.
Example Google has two end points:
Request access of user:
https://accounts.google.com/o/oauth2
Exchange tokens
https://accounts.google.com/o/oauth2/token