Hello everyone! Today I'm going to explain how you can save time when securing your web services.
As a developer, I always start a new project thinking about user registration, email confirmation and authentication with multiple roles and access levels. That is a huge task for a freelancer who wants to concentrate on the main work of the project and leave these things aside for a moment.
When I start a PHP project, I always use the Users plugin made by CakeDC. This tool is amazing and lets us easily set up social login/registration with providers like Twitter, Google and Facebook.
But what about Node.js projects? I use Passport.js, which is a great package for securing our applications.
Recently I worked on a big project and learned a lot about how we can identify users and how a user can log in from any identity provider.
What is KeyCloak?
It's a Java solution created by Red Hat to manage authentication and authorisation. We can run it on different Java servers like Tomcat, JBoss and Jetty, and we can configure its datasource to be MySQL, PostgreSQL or Oracle Database. It supports the H2 database system too.
KeyCloak supports the OpenID Connect, OAuth and SAML protocols. Its main functionality is to provide single sign-on across many applications at the same time. For example, when you sign in to YouTube, you are signed in to Gmail at the same time, right? But when you sign in to another application like AdSense, you are not signed in automatically.
Think about it: when we sign in on YouTube we are redirected to the Google Account page, not to a YouTube login page, and that means that Google Account is the identity server for all Google products.
Imagine you are creating a web application based on a microservices architecture. How can you sign the user in on the different services?
Many realms at the same time
Imagine a new application is offered by Google, for example GPizza Eat. If I have a Google Account, do I have access to this new app? Unfortunately no. I have to subscribe to this app, in the same way that we grant an external application access to our Google email address.
So every application can be hosted on a different server and written in a different language, and these applications have different lists of users.
In KeyCloak these different applications are called realms; every realm contains its own users and provides different clients (applications).
KeyCloak must be installed in a high-availability system like Kubernetes or Docker Swarm. It must run behind an HTTPS server; in this case I recommend installing Nginx and configuring it to reverse proxy port 443 to port 8443 (KeyCloak).
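Here is what that Nginx reverse proxy can look like. This is an added example, not configuration from the original post or from the Keycloak project; the hostname `sso.example.com`, the certificate paths and the backend address `127.0.0.1:8443` are assumptions you would replace with your own values.

```nginx
# Added example: Nginx terminating TLS on port 443 and reverse-proxying to
# Keycloak listening on 8443. Hostname, certificate paths and backend
# address are assumptions.

# Plain HTTP only redirects to HTTPS, so credentials never travel in clear.
server {
    listen 80;
    server_name sso.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name sso.example.com;

    ssl_certificate     /etc/letsencrypt/live/sso.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sso.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://127.0.0.1:8443;

        # Keycloak builds its redirect URIs and issuer from these headers.
        # Without them, logins redirect back to :8443 or to http://, and the
        # audit log records the proxy's IP instead of the real client IP.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  443;
    }
}
```

One caveat: Keycloak only honours the `X-Forwarded-*` headers when it has been told it sits behind a reverse proxy (for the older WildFly-based distribution this is the `PROXY_ADDRESS_FORWARDING=true` setting; the newer Quarkus-based distribution uses the `KC_PROXY` / proxy-headers options, and the exact name depends on your version). If you leave that off, Keycloak trusts nothing from the proxy; if you turn it on, make sure port 8443 is reachable only from Nginx, otherwise anyone who can hit it directly can forge those headers.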