Hello Keycloak!

Cem Ahi, published in inventiv, Mar 27, 2019

In today’s world, security is a need. We want to stay secure and private everywhere. To unlock all this we use keys, passwords, fingerprints, and even facial recognition. So many platforms, so many passwords to be created, and so many passwords to remember. Do you really remember all your passwords? Personally, I say YES to “Forgot Password” questions always.

As developers, almost every system we build needs authentication and authorization, and we are obliged to implement them for each system individually. Writing yet another login module gets tiresome. It takes a lot of work…

Fortunately, this problem has been addressed by access managers like Keycloak: a single account linked to all your applications. This benefits everyone. Users get one account to rule them all, and developers no longer need to build an authentication module for every application.

What is Keycloak?

Keycloak logo — http://keycloak.org

Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.

Keycloak provides a web console for direct administration of your data (users, realms, roles, etc.). You can easily create a new realm, a user or a client.

Keycloak supports several authentication protocols, including OpenID, OpenID Connect, OAuth, and SAML. If you want to reuse your existing users, Keycloak can also connect directly to several types of user store (LDAP, Kerberos, etc.).

Keycloak also ships with identity providers for social networks, so users can log in with Facebook, Twitter, LinkedIn, Google, GitHub and more…

Let’s get started with Keycloak

I am using the latest release of the standalone server distribution (5.0.0). You can download it from the official website (https://downloads.jboss.org/keycloak/5.0.0/keycloak-5.0.0.zip).

Keycloak requires a Java SDK. If you don't have one, you can download it from https://www.oracle.com/technetwork/java/javase/downloads/index.html

If you are using Windows, you need to set the JAVA_HOME variable: https://confluence.atlassian.com/doc/setting-the-java_home-variable-in-windows-8895.html

Extract the folder from the zip archive.

On Windows, you can boot Keycloak by running this command on a Command Prompt terminal.

> ${KEYCLOAK_SERVER_DIR}\bin\standalone.bat -Djboss.socket.binding.port-offset=100

On macOS or Linux, we can open a Terminal prompt and run:

$ ${KEYCLOAK_SERVER_DIR}/bin/standalone.sh -Djboss.socket.binding.port-offset=100

The Keycloak server listens on port 8080 by default. The optional jboss.socket.binding.port-offset property shifts every port by the given offset, so with the offset of 100 used above the server is reachable on port 8180.

Login into the Admin Console

Once the server is running, we need to create an initial admin account. Browse to http://localhost:8180/auth/.

Specify a username and password and then click the Create button to create the initial admin account.

After we create the initial admin account, log in to the admin console.

Let’s Create Our Realm

The core concept in Keycloak is a Realm. A realm secures and manages security metadata for a set of users, applications, and registered OAuth clients.

The Add Realm menu option brings you to the Add Realm page. Specify the name of the realm you want to define and click the Create button.

Adding Client To Our New Realm

Client Protocol Types

OpenID Connect

Open ID Connect (OIDC) is an authentication protocol that is an extension of OAuth 2.0. While OAuth 2.0 is only a framework for building authorization protocols and is mainly incomplete, OIDC is a full-fledged authentication and authorization protocol. OIDC also makes heavy use of the JSON Web Token (JWT) set of standards. These standards define an identity token JSON format and ways to digitally sign and encrypt that data in a compact and web-friendly way.

SAML 2.0

SAML 2.0 is a similar specification to OIDC but a lot older and more mature. It has its roots in SOAP and the plethora of WS-* specifications so it tends to be a bit more verbose than OIDC. SAML 2.0 is primarily an authentication protocol that works by exchanging XML documents between the authentication server and the application. XML signatures and encryption are used to verify requests and responses.

Fill in the required fields and click Save. The client is created and the client settings page opens.

Access Types

Confidential

The Confidential access type is for server-side clients that perform a browser login and must present a client secret when exchanging an authorization code for an access token. This type is to be favored for server-side applications.

Public

The Public access type is meant for clients that run in the browser. A client-side application has no way to keep a secret confidential, so instead it is essential to restrict access by configuring the correct redirect URIs for the client.

Bearer-Only

The Bearer-only access type signifies that the application only accepts bearer token requests. If this option is enabled, the application cannot take part in browser logins.
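As an added example (not code from the original post), the Python below shows the checks a backend registered as a bearer-only client performs on an incoming OIDC access token from the realm above: algorithm pinning, signature, issuer (the realm URL), audience, token type and expiry. The realm name "demo", the client id "demo-backend" and the shared key are assumed values, and the token is signed with HS256 so the example runs on the standard library alone; Keycloak signs tokens with RS256 by default, where the signature step would use the realm's public key instead.

```python
import base64, hashlib, hmac, json, time

# Assumed values for this example: the realm created above is called "demo",
# the bearer-only client is "demo-backend", and a constructed HMAC key stands in
# for the realm's signing key.
ISSUER = "http://localhost:8180/auth/realms/demo"
CLIENT_ID = "demo-backend"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Build a compact JWS (header.payload.signature) with Keycloak-style claims, HS256-signed."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_token(token: str, key: bytes = SHARED_KEY, now=None) -> dict:
    """Checks a bearer-only resource server makes before trusting any claim in the token."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must never get to choose (rejects "none" and alg swaps).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # iss is the realm URL, so a token from any other realm or server is refused.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # Keycloak emits a string or a list of client ids
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else (aud or [])):
        raise ValueError("token not issued for this client")
    if claims.get("typ") != "Bearer":
        raise ValueError("not an access token")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```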

Adding User To Our New Realm

To create a user click on Users in the left menu bar. This menu option brings you to the user list page. On the right side of the empty user list, you should see the Add User button. Click that to start creating your new user.

The only required field is the Username. Click Save. This will bring you to the management page for your new user.

Login With New User :)

Specify the username and password and then click the Log In button to enter Keycloak. After login, the Account page opens. A page similar to the following is displayed:


Thanks for reading…
