Authentication and Authorization With Keycloak
Security is always a concern whether you're building a restaurant application, a public API or an enterprise multi tenant software. And if user identity and access management were important in the past they are now much more important after the increased number of cyber attacks that not only affect our applications but also affect our privacy and identity theft.
Security in general is a very big topic and is a multi dimensional space to explore. In this article we will highlight the identity and access management and how an opensource tool like Keycloak can offload a lot of coding burden from the developer application code and mind and make integration an easy task.
Authentication and Authorization
First let's clarify the concepts, you probably heard about authentication and authorization or in a more trendy fashion AuthN and AuthZ. Let's understand what those are and how they differ from each other ..
Authentication is the process to make sure that the user who wants to use our service is legit to do so. We wanna make sure for example if Jack is logining that this is the real Jack and not another one claiming that he is Jack.
This is commonly done by using login forms in applications. The user provides the user name and a form of verification like password or OTP (One Time password generated through an email link or a mobile application). We wanna make sure that this user has already registered to use our service.
Authorization is the process that confirms the user is allowed to do this specific task or use this specific feature.
After a successful authentication, the application now confirms that you are legit to use the application, but some features can be limited or available to specific users only and the application wants to confirm that you belong to those ones who can access this feature.
Examples of those features :
- Admin users can have options to reset other user passwords
- Different tier SaaS service where Basic subscription has less features than Advanced or Premium ones
- Your customers may be limited to just reading the data while your employees can have access to modify the data.
Confirming that the logged user is legit to do this specific action is called authorization, and it is managed by roles that can be defined in the application or externalized to a dedicated access manager like Keycloak.
Role Based Access Control (RBAC)
Role Based Access Control is a mechanism for authorization. We create separate roles or personas, let's say Admin, Developer, Tester and User. Each one of these roles has specific permissions and is Allowed or denied for some services that we provide. Now we have our users which are probably grouped in different groups.
Each of the groups and/or Users can assume one or more roles to interact with owr application.
If I created a user
Aly I can assign the role
Admin to aly to get those privileges, later if I want to grant another user the admin privileges I just need to map this role to this new user or group.
This kind of separation allows the management (Adding or deleting) users to be independent from the roles and allow the flexibility of adding and removing roles.
How can we achieve this?
I always believe everything can be achieved by the code. But wait a second .. Why do so? If there are tools out there that can help you achieve this functionality and let you focus on your business logic or what your application is meant to be, wouldn't that be nice to re-use.
Reusable components or libraries are there in every language and framework and they are meant to save you time and make your life easier. Similarly online services can do the same.
Have you ever tried to login and find that there is a way to login with your Google Account or Facebook or GitHub. I am sure you've seen this before. Those sites are offering integration with your application to save you some code and since they already have a large user base they can confirm the user identities after permission from the user and send back to your application saying "I know and confirm this person".
This is a kind of SSO (Single Sign On) so no need to create different logins for different applications. This is very good for saving the authentication step (AuthN) but you still need to assign a role to this user within your app to achieve the authorization part (AuthZ)
Also if you are an enterprise or even a small company that you want your users to use their internal SSO, this may not work.
For long time big companies relied on Active Directory and LDAP to manage their user base and allow them to use SSO to login to different applications allowed by the company. Those users will not be available through Facebook or public GitHub.
Also the shift towards newer protocols and standards like OAuth (an open standard framework for authorization) and OpenID Connect (OIDC) which adds an authentication layer to OAuth the shift has started to those protocols, is pushing those companies to use those well structured standards.
Identity Access and Management as a service can be found in something like AWS IAM or Google. They are also available through open source solutions like Keycloak which we will go deeper in this series.
What is Keycloak
Keycloak is an opensource solution built to manage user authentication and authorization in a multi-tenant fashion. This means that it can handle different applications, where each application has its own users, groups and roles separate from the rest of applications.
For each application, it allows you to:
- Create a custom login page.
- Create users or allow them to self register
- Create Groups
- Assign Users to Groups
- Create Roles
- Give Roles to Users or Groups
- Create different clients for different Agents (I'll elaborate on this later)
Taking all these outside of your application code can save you a lot of coding, debugging and make you focus more on your business code while outsourcing the whole identity and access management to a component that is built for this purpose
Taking the features we mentioned above to the next organizational level. You may already have your users defined in an Active Directory or LDAP server that is working as a centralized user database for your organization. Keycloak offers integration with those servers so you won't start from scratch. Once you configure it to integrate with your organization users database, all the users and their data will be imported and ready to use with your application.
For applications that need to integrate with Social Authentication providers like Github/Google/Facebook etc.. Keycloak can also integrate with those providers and offers a way to login using your social authentication provider of your choice.
Keycloak offers two well known protocols for identity management SAML and OIDC. I will focus more on OIDC or OpenID Connect since it is more popular now and it is built on top of Oauth 2 framework.OIDC rely on JWT (JSON Web Tokens) to generate access and identity tokens.
There are different flows to generate the tokens that are outside the scope of this article, but to make it general we need to:
- Deny access to any unauthorized user.
- Allow our application to confirm the user identity.
- Confirm that the user has access to this feature.
Keycloak comes with libraries to different languages and frameworks that can allow this process to be handled outside of our code, and using some kind of configuration instead.
Note: There may be a minimal code required to integrate Keycloak that differs from one framework to the other.
Join me on the second part of this article to go over installing keycloak and securing a React and Vue app using keycloak.