Every app needs identity and access management. "No problem", I hear you say. You've done it a thousand times: users table with login and password hash.
But, is it really that simple?
Here are a few pretty standard questions you will hear from your customers and their info sec teams:
- how do I enforce a particular password length?
- how do I enforce lowercase, uppercase, digits, special characters in the password?
- how do I enforce password change every X days?
- great, I can enforce password change every X days, but you don't have password history which means I can reset the password to the old one; how do I enforce password history of X?
- my user forgot his password, where's the reset password functionality?
- MFA is a standard for us; oh... you don't support MFA?
- since you don't support MFA we have to use our SSO to login into your app; oh... you don't support SSO?
- great, you support SSO using SAML, but SAML is kinda oldschool... do you support OIDC?
- a minor one, hope it is not too much of a hassle: how do I add my company logo and a legal statement to the login page?
By now your simple users table design got a little bit more complicated.
And now imagine you are developing a multi-tenant cloud native app and all customers come with their own security requirements.
Instead of throwing yourself into development (and spending days and months on reinventing the wheel) pause for a moment. Why not use an off-the-shelf solution? Or, even better, an open-source one?
Some time ago I set myself on a mission: promote using off-the-shelf Identity and Access Management solutions.
Many architects fear integrating other solutions into their systems. I don't understand this. Write down your requirements, do the research, write down the results, review the results & pick the right solution for you, and then start building your app. Should you not be happy with the solution you can always implement it on your own... but before you do this, please scroll up and take another look at the list of only a few of the questions you will get from your customers.
If you choose an open-source solution and it lacks a specific feature, by reading my previous post in this series Building cloud native apps: Dependencies, you already know what to do: implement it and contribute back!
Trust me, integrating with an off-the-shelf solution (either proprietary or open-source) will save you a lot of time and money compared to building an IAM solution yourself.
Keycloak is an open-source Identity and Access Management solution. Keycloak was initially developed by the JBoss community and is curated by Red Hat now. It's also the foundation of the Red Hat Single Sign-On product.
I love Keycloak. Keycloak is very easy to get started with, comes with tens of features out-of-the-box, fits nicely into multi-tenant architectures, offers a few deployment options to choose from, has nice getting-started tutorials for beginners, and very detailed documentation for those more advanced.
In order to encourage people to use Keycloak I decided to, instead of writing a series of posts about it, record videos where I actually show how to (within a few minutes) set up & test various security requirements. Check them out below.
If you want to try out all the Keycloak features yourself (and not only watch the videos - which is still fine if you're doing the research I was talking about earlier) then in this video you will learn how to deploy a Keycloak cluster to Kubernetes.
Source code is available on GitHub:
We have a customer who wants to set up the following password policies:
- at least 1 uppercase character
- at least 1 lowercase character
- at least 1 digit
- at least 2 special characters (in the video I use 2 for testing purposes)
- password length of 8
- password history of 10
- password not a username
- expire password after 90 days
- use a custom hashing algorithm, PBKDF2-SHA256 (key stretching makes the hashes less vulnerable to brute-force attacks)
- enforce MFA
In this video I also show how to test the above settings using a sample Keycloak app. I also show how to verify the JWT tokens generated by Keycloak using JWT.io.
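As an added example (not code from the post or from Keycloak), the customer's password requirements above expressed as a Keycloak realm `passwordPolicy` string, next to an application-side pre-check that mirrors the same rules, including the PBKDF2-SHA256 history comparison. The iteration count and the special-character set are assumptions; the expiry rule (forceExpiredPasswordChange) is time-based and left to Keycloak.

```python
import hashlib
import secrets
import string

# The customer's requirements written with Keycloak's password-policy provider
# ids, the form a realm's "passwordPolicy" setting takes. MFA is not a password
# policy: Keycloak enforces it through the OTP step of the authentication flow.
REALM_PASSWORD_POLICY = (
    "upperCase(1) and lowerCase(1) and digits(1) and specialChars(2) "
    "and length(8) and passwordHistory(10) and notUsername(undefined) "
    "and forceExpiredPasswordChange(90) and hashAlgorithm(pbkdf2-sha256)"
)
PBKDF2_ITERATIONS = 27_500   # assumed; take it from the realm's hashIterations policy
SPECIAL_CHARS = set(string.punctuation)  # assumed definition of "special character"

def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-SHA256 key stretching: every guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def store_password(password: str) -> tuple:
    """Salt and stretch an accepted password; the pair goes to the front of the history."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)

def check_password(password: str, username: str, history: list) -> list:
    """Return the policy rules a candidate password violates (empty list = accepted).

    `history` holds (salt, digest) pairs of the user's previous passwords, newest
    first; passwordHistory(10) forbids reusing any of the newest ten.
    """
    violations = []
    if len(password) < 8:
        violations.append("length(8)")
    if not any(c.isupper() for c in password):
        violations.append("upperCase(1)")
    if not any(c.islower() for c in password):
        violations.append("lowerCase(1)")
    if not any(c.isdigit() for c in password):
        violations.append("digits(1)")
    if sum(c in SPECIAL_CHARS for c in password) < 2:
        violations.append("specialChars(2)")
    if password.lower() == username.lower():  # compared case-insensitively here
        violations.append("notUsername")
    # Re-derive the candidate with each stored salt; an equal digest means reuse.
    for salt, digest in history[:10]:
        if secrets.compare_digest(hash_password(password, salt), digest):
            violations.append("passwordHistory(10)")
            break
    return violations
```

Keycloak remains the authoritative check; the pre-check only lets the app show the same rules to the user before the round trip.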
We have a customer who wants to set up Single Sign-On using SAML. In this case the customer has full control over identity management and can enforce additional authentication factors, like allowing authentication from the corporate network only, etc.
In this video I also show how to use custom SAML assertions to import user attributes into Keycloak. I'm using JumpCloud as an SSO provider. It's free for small teams.
We have a customer who wants to set up Single Sign-On using one of the Social Identity Providers. It's very convenient to use, battle-tested, and backed by the biggest companies. Further, the customer doesn't have to introduce yet another solution into their technology stack and can simply use what their teams are already using.
As we are all developers here, the following video shows how to set up GitHub as a Social Identity Provider.
We have a customer who is an IT dinosaur. They are not SSO ready but they have LDAP in place. Keycloak supports User Federation and can sync with LDAP directories. Once users are in Keycloak your app can talk to Keycloak and take full advantage of JSON Web Tokens or enjoy OIDC without any changes to your app.
In Keycloak you can set up User Federation in just a few clicks. See how to sync with LDAP with custom attributes mapping in less than 7 minutes! If you need a free LDAP service check out JumpCloud.
This is an advanced tutorial. Still, everything is fully automated, and you can try it out on your local machine.
Source code and all the steps are available on GitHub.
To complement other scenarios, Keycloak is now used as a true Identity and Access Management solution: it contains information about users (identity management) and their roles (access management).
The demo comprises:
- haproxy acting as an authentication & authorization gateway implemented by lukaszbudnik/haproxy-auth-gateway
- mock backend microservices implemented by lukaszbudnik/yosoy
- Keycloak as Identity and Access Management
- ready-to-import Keycloak realm with predefined client, roles, and test users
Let's finish with a scenario where we use Keycloak to add authorization and authentication to existing apps.
Again, this is an advanced tutorial. Still, everything is fully automated, and you can try it out on your local machine.
I use my open-source project migrator as a sample cloud-native app to secure.
Source code is available on GitHub: https://github.com/lukaszbudnik/migrator/tree/master/tutorials/oauth2-proxy-oidc-haproxy.
Just like in the previous video, Keycloak is used as a true Identity and Access Management solution: it contains information about users (identity management) and their roles (access management).
In this scenario haproxy is deployed in front of migrator. haproxy verifies the JWT access token and implements access control based on the user's roles to allow or deny access to the underlying migrator resources.
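To show what the gateway step above does, here is an added example (not the haproxy configuration from the tutorial) of the same decision in Python: verify the access token, then allow or deny by the roles Keycloak places in the `realm_access.roles` claim. The issuer URL and the route-to-role table are assumptions, and the block signs with HS256 so it runs without a key pair; Keycloak itself signs with RS256 by default.

```python
import base64
import hashlib
import hmac
import json

# Keycloak signs tokens with RS256 by default; this stand-alone demo uses HS256
# with a shared secret so it runs without a key pair. The gateway logic is the same.
ISSUER = "https://keycloak.example.com/auth/realms/demo"  # assumed realm URL
ROUTE_ROLES = {"/admin/tenants": {"migrator-admin"},        # assumed mapping of
               "/migrations": {"migrator-admin", "migrator-user"}}  # routes to roles

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def verify_token(token: str, secret: bytes, now: float) -> dict:
    """Return the claims if signature, issuer and expiry check out, else raise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:  # `now` is the gateway's clock (Unix seconds)
        raise ValueError("token expired")
    return claims

def authorize(claims: dict, path: str) -> bool:
    """Allow only if one of the user's Keycloak realm roles is permitted on the path."""
    user_roles = set(claims.get("realm_access", {}).get("roles", []))
    return bool(user_roles & ROUTE_ROLES.get(path, set()))

def gateway_decision(token: str, secret: bytes, path: str, now: float) -> int:
    """HTTP status the gateway returns: 401 bad token, 403 missing role, 200 allowed."""
    try:
        claims = verify_token(token, secret, now)
    except ValueError:
        return 401
    return 200 if authorize(claims, path) else 403

def mint_token(claims: dict, secret: bytes) -> str:
    """Stand-in for Keycloak's token endpoint, used only to build test tokens."""
    header_b64 = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url(sig)}"
```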