DEV Community

Łukasz Budnik

Building cloud native apps: Identity and Access Management

Identity and Access Management for cloud native apps

Every app needs identity and access management. "No problem", I hear you say. You've done it a thousand times: a users table with a login and a password hash.

But, is it really that simple?

Here are a few pretty standard questions you will hear from your customers and their info sec teams:

  • how do I enforce a particular password length?
  • how do I enforce lowercase, uppercase, digits, and special characters in the password?
  • how do I enforce a password change every X days?
  • great, I can enforce a password change every X days, but you don't keep password history, which means I can reset the password to the old one; how do I enforce a password history of X?
  • my user forgot his password, where's the password reset functionality?
  • MFA is a standard for us; oh... you don't support MFA?
  • since you don't support MFA we have to use our SSO to log in to your app; oh... you don't support SSO?
  • great, you support SSO using SAML, but SAML is kinda old-school... do you support OIDC?
  • a minor one, hope it is not too much of a hassle: how do I add my company logo and a legal statement to the login page?
  • hello again, we updated the risk factor for your application, and we now must use a WebAuthn passwordless security key device to authenticate...

By now your simple users table design has become a little bit more complicated.

And now imagine you are developing a multi-tenant cloud native app and all customers come with their own security requirements.

Off-the-shelf and open-source solutions

Instead of throwing yourself into development (and spending days and months reinventing the wheel), pause for a moment. Why not use an off-the-shelf solution? Or even better, an open-source solution?

Some time ago I set myself on a mission: promote using off-the-shelf Identity and Access Management solutions.

Many architects fear integrating other solutions into their systems. I don't understand this. Write down your requirements, do the research, write down the results, review the results & pick the right solution for you, and then start building your app. Should you not be happy with the solution you can always implement it on your own... but before you do this, please scroll up and take another look at the list of only a few questions you will get from your customers.

If you choose an open-source solution and it lacks a specific feature, by reading my previous post in this series Building cloud native apps: Dependencies, you already know what to do: implement it and contribute back!

Trust me, integrating with an off-the-shelf solution (either proprietary or open-source) will save you a lot of time and money compared to building an IAM solution yourself.

Keycloak

Keycloak is an open-source Identity and Access Management solution. Keycloak was initially developed by the JBoss community and is now curated by Red Hat. It's also the foundation of the Red Hat Single Sign-On product.

I love Keycloak. Keycloak is very easy to get started with, comes with tens of features out of the box, fits nicely into multi-tenant architectures, offers a few deployment options to choose from, has nice getting-started tutorials for beginners, and very detailed documentation for those more advanced.

To encourage people to use Keycloak I decided to, instead of writing a series of posts about it, record videos where I show how to (within a few minutes) set up & test various security requirements. Check them out below.

Deploying Keycloak cluster to Kubernetes

If you want to try out all the Keycloak features yourself (and not only watch the videos, which is still fine if you're doing the research I was talking about earlier), then in this video you will learn how to deploy a Keycloak cluster to Kubernetes.

Source code is available on GitHub:

GitHub: lukaszbudnik/keycloak-kubernetes (Keycloak cluster deployed to Kubernetes)

Scenario #1: Custom password policies and MFA

We have a customer who wants to set up the following password policies:

  1. at least 1 uppercase character
  2. at least 1 lowercase character
  3. at least 1 digit
  4. at least 2 special characters (in the video I use 2 for testing purposes)
  5. password length of 8
  6. password history of 10
  7. password not a username
  8. expire password after 90 days
  9. use the PBKDF2-SHA256 hashing algorithm (a key-stretching hash, which makes the stored hashes less vulnerable to brute-force attacks)
  10. enforce MFA

In this video I also show how to test the above settings using a sample Keycloak app. I also show how to verify the JWT tokens generated by Keycloak using JWT.io.
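The same policy set written as a fragment of a Keycloak realm export, as an added example (not the realm from the video; the realm name `demo` is assumed). Items 1 to 9 map onto the `passwordPolicy` string; item 10, enforcing MFA, is not a password policy at all but is achieved by making the Configure OTP required action a default action, so every user has to enrol an OTP device before their first login completes:

```json
{
  "realm": "demo",
  "passwordPolicy": "upperCase(1) and lowerCase(1) and digits(1) and specialChars(2) and length(8) and passwordHistory(10) and notUsername and forceExpiredPasswordChange(90) and hashAlgorithm(pbkdf2-sha256)",
  "requiredActions": [
    {
      "alias": "CONFIGURE_TOTP",
      "name": "Configure OTP",
      "providerId": "CONFIGURE_TOTP",
      "enabled": true,
      "defaultAction": true,
      "priority": 10,
      "config": {}
    }
  ]
}
```

Importing this fragment only sets the policies; the browser authentication flow's OTP step decides whether an already enrolled user is actually prompted, which is the part Scenario #6 customises.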

Scenario #2: Single Sign-On using SAML

We have a customer who wants to set up Single Sign-On using SAML. In this case the customer has full control over identity management and can enforce additional authentication factors, such as allowing authentication only from the corporate network.

In this video I also show how to use custom SAML assertions to import user attributes into Keycloak. I'm using JumpCloud as an SSO provider. It's free for small teams.

Scenario #3: Social Identity Providers

We have a customer who wants to set up Single Sign-On using one of the Social Identity Providers. They are very convenient to use, battle-tested, and backed by the biggest companies. Further, the customer doesn't have to introduce yet another solution into their technology stack and can simply use what their teams are already using.

As we are all developers here, the following video shows how to set up GitHub as a Social Identity Provider.

Scenario #4: User Federation using LDAP

We have a customer who is an IT dinosaur. They are not SSO ready, but they have LDAP in place. Keycloak supports User Federation and can sync with LDAP directories. Once users are in Keycloak, your app can talk to Keycloak and take full advantage of JSON Web Tokens or enjoy OIDC without any changes to your app.

In Keycloak you can set up User Federation in just a few clicks. See how to sync with LDAP with custom attribute mapping in less than 7 minutes! If you need a free LDAP service, check out JumpCloud.

Scenario #5: Customizing multi-tenant login pages

In the below video I show how to customize login pages by adding a customer logo together with a legal banner. I show how to do it in a way that works for multi-tenant deployments, without having to create a dedicated login page for every customer.

Scenario #6: Custom Authentication Flows

Keycloak is highly customizable. You can not only configure password policies, MFA, SSO using SAML, SSO using OIDC, customize UI themes, customize authentication flows, but you can even write Java/JavaScript code to implement custom logic in Keycloak.

In the below video I show how to customize authentication flows and deploy a custom authenticator written in Java. The authenticator uses the user's IP address to either force or skip the MFA step (MFA is skipped if the authentication request comes from a trusted network).

GitHub: lukaszbudnik/keycloak-ip-authenticator (Simple Custom Java Keycloak Authenticator)

Scenario #7: WebAuthn passwordless authentication

Keycloak supports WebAuthn passwordless authentication out of the box. The authenticator can be anything your browser/system supports. In the below video I show how to set up macOS Touch ID passwordless authentication in Keycloak.

Apart from setting up WebAuthn passwordless authentication, I also show how to customize authentication flows.

Scenario #8: Authentication for distributed apps

This is an advanced tutorial. Still, everything is fully automated, and you can try it out on your local machine.

Source code and all the steps are available on GitHub.

GitHub: lukaszbudnik/keycloak-kubernetes (Keycloak cluster deployed to Kubernetes)

To complement other scenarios, Keycloak is now used as a true Identity and Access Management solution: it contains information about users (identity management) and their roles (access management).

The demo comprises:

  • a React front-end application authenticating with Keycloak using the official Keycloak JavaScript adapter: lukaszbudnik/hotel-spa
  • haproxy acting as an authentication & authorization gateway: lukaszbudnik/haproxy-auth-gateway
  • mock backend microservices: lukaszbudnik/yosoy
  • Keycloak as the Identity and Access Management solution
  • a ready-to-import Keycloak realm with a predefined client, roles, and test users

Scenario #9: Multi-tenant JavaScript Clients

An extension of the above video where I show how to use the Keycloak JavaScript adapter in a multi-tenant fashion.

Scenario #10: Deploying Keycloak to AWS EKS

The first video from this post shows how to deploy a Keycloak cluster to a local Kubernetes cluster.

See how easy it is to set up a Keycloak cluster on AWS EKS.

Scenario #11: Transparent authentication for AWS API Gateway

AWS API Gateway has a concept of JWT Authorizers that can be attached to its resources. The identity provider behind a JWT Authorizer can be anything really, as long as the tokens it issues follow the JWT standard.

In the below video I show how to set up Keycloak as an AWS API Gateway JWT Authorizer.

AWS CDK code for deploying a sample application is available on my GitHub account.

GitHub: lukaszbudnik/aws-cdk-items-app (API Gateway HTTP API with JWT Authorizer and Lambda and DynamoDB integration)

Scenario #12: Transparent authentication for existing apps

Let's finish with a scenario where we use Keycloak to add authorization and authentication to existing apps.

Again, this is an advanced tutorial. Still, everything is fully automated, and you can try it out on your local machine.

I use my open-source project migrator as a sample cloud-native app to secure.

Source code is available on GitHub: https://github.com/lukaszbudnik/migrator/tree/master/tutorials/oauth2-proxy-oidc-haproxy.

It also uses haproxy acting as an authentication & authorization gateway implemented by lukaszbudnik/haproxy-auth-gateway.

Just like in the previous video, Keycloak is used as a true Identity and Access Management solution: it contains information about users (identity management) and their roles (access management).

In this scenario haproxy is deployed in front of migrator. haproxy verifies the JWT access token and implements access control based on the user's roles to allow or deny access to the underlying migrator resources.

Top comments (2)

csanni

What a great tutorial! Thanks Lukasz

alxdembo

Thanks, impressive work!