Thorgersen / Silva | Keycloak - Identity and Access Management for Modern Applications | E-Book | sack.de
E-Book

E-Book, English, 350 pages

Thorgersen / Silva Keycloak - Identity and Access Management for Modern Applications

Harness the power of Keycloak, OpenID Connect, and OAuth 2.0 to secure applications
2nd edition 2023
ISBN: 978-1-80461-261-3
Publisher: De Gruyter
Format: EPUB
Copy protection: 0 - No protection




No detailed description available for "Keycloak - Identity and Access Management for Modern Applications".


Further information & material


Table of Contents
- Getting Started with Keycloak
- Securing Your First Application
- Brief Introduction to Standards
- Authenticating Users with OIDC
- Authorizing Access with OAuth 2.0
- Securing Different Application Types
- Integrating Applications with Keycloak
- Authorization Strategies
- Configuring Keycloak for Production
- Managing Users
- Authenticating Users
- Managing Tokens and Sessions
- Extending Keycloak
- Securing Keycloak and Applications


Preface
Keycloak is an open source Identity and Access Management (IAM) tool with a focus on modern applications such as single-page applications, mobile applications, and REST APIs. Since the first edition of this book was published there have been some big changes to Keycloak. The Keycloak administration console has received a full make-over with a bigger focus on usability and accessibility requirements. This distribution of Keycloak is now based on Quarkus rather than the WildFly application server. This brings a new, and much improved, way to configure and deploy Keycloak to different computing environments – from on-premises infrastructure to public and hybrid clouds. Some of the Keycloak Adapters have been deprecated, and instead Keycloak is now focusing on selecting quality libraries from existing communities; like leveraging built-in support for OpenID Connect and OAuth 2.0 from whatever language or framework your application is using.

The project was started in 2014 with a strong focus on making it easier for developers to secure their applications. It has since grown into a well-established open source project with a strong community and user base. It is used in production for scenarios ranging from small websites with only a handful of users, up to large enterprises with millions of users.

This book introduces you to Keycloak, covering how to install Keycloak as well as how to configure it ready for production use cases. Furthermore, this book covers how to secure your own applications, as well as providing a good foundation for understanding OAuth 2.0 and OpenID Connect. In this edition, there are updated chapters based on the latest release of Keycloak. If you are familiar with the content from the previous edition, this edition will give you relevant updates throughout to bring you up to speed with the latest release.

For the newcomers, this edition will serve as an excellent first step towards understanding Keycloak and how it can help you to enable a rich IAM solution within your organization.

Who this book is for
This book is for developers, system administrators, and security engineers, or anyone who wants to leverage Keycloak and its capabilities to secure applications. If you are new to Keycloak, this book will provide you with a strong foundation to leverage Keycloak in your projects. If you have been using Keycloak for a while, but have not mastered everything yet, you should still find a lot of useful information in this book.

What this book covers
- Chapter 1, Getting Started with Keycloak, gives you a brief introduction to Keycloak and steps on how to get quickly up to speed by installing and running Keycloak yourself. It also provides an introduction to the Keycloak admin and account consoles.
- Chapter 2, Securing Your First Application, explains how to secure your first application with Keycloak through a sample application consisting of a single-page application and a REST API.
- Chapter 3, Brief Introduction to Standards, provides a brief introduction and comparison of the standards Keycloak supports to enable you to integrate your applications securely and easily with Keycloak.
- Chapter 4, Authenticating Users with OpenID Connect, teaches how to authenticate users by leveraging the OpenID Connect standard. This chapter leverages a sample application that allows you to see and understand how an application authenticates to Keycloak through OpenID Connect.
- Chapter 5, Authorizing Access with OAuth 2.0, teaches how to authorize access to REST APIs and other services by leveraging the OAuth 2.0 standard. Through a sample application, you will see firsthand how an application obtains an access token through OAuth 2.0, which the application uses to invoke a protected REST API.
- Chapter 6, Securing Different Application Types, covers best practices on how to secure different types of applications, including web, mobile, and native applications, as well as REST APIs and other backend services.
- Chapter 7, Integrating Applications with Keycloak, provides steps on how to integrate your applications with Keycloak, covering a range of different programming languages, including Go, Java, client-side JavaScript, Node.js, and Python. It also covers how you can utilize a reverse proxy to secure an application implemented in any programming language or framework.
- Chapter 8, Authorization Strategies, covers how your application can use information about the user from Keycloak for access management, covering roles and groups, as well as custom information about users.
- Chapter 9, Configuring Keycloak for Production, teaches how to configure Keycloak for production, including how to enable TLS, configuring a relational database, and enabling clustering for additional scale and availability.
- Chapter 10, Managing Users, takes a closer look at the capabilities provided by Keycloak related to user management. It also explains how to federate users from external sources such as LDAP, social networks, and external identity providers.
- Chapter 11, Authenticating Users, covers the various authentication capabilities provided by Keycloak, including how to enable second-factor authentication, as well as security keys.
- Chapter 12, Managing Tokens and Sessions, helps understand how Keycloak leverages server-side sessions to keep track of authenticated users, as well as best practices for managing tokens issued to your applications.
- Chapter 13, Extending Keycloak, explains how you can extend Keycloak, covering how you can modify the look and feel of user-facing pages such as the login pages and account console. It also provides a brief introduction to one of the more powerful capabilities of Keycloak that allows you to provide custom extensions for a large number of extension points.
- Chapter 14, Securing Keycloak and Applications, provides best practices on how to secure Keycloak for production. It also provides a brief introduction to some best practices to follow when securing your own applications.
- Assessments, check your answers to the questions at the end of each chapter here.

To get the most out of this book
To be able to run the examples provided in this book, you need to have OpenJDK and Node.js installed on your computer. All code examples have been tested using OpenJDK 17 and Node.js 18 on Linux (Fedora). However, the examples should also work on newer versions of OpenJDK and Node.js, as well as with Windows and macOS.

| Software/hardware covered in the book | OS requirements |
| --- | --- |
| Keycloak 22 | Linux (any), macOS, Windows |
| OpenJDK 17+ | Linux (any), macOS, Windows |
| Node.js 18+ | Linux (any), macOS, Windows |

If you are using the digital version of this book, we advise you to type the code yourself or access the code via the GitHub repository (link available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

Download the example code files
The code bundle for the book is hosted on GitHub at https://github.com/PacktPublishing/Keycloak---Identity-and-Access-Management-for-Modern-Applications-2nd-Edition/. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://packt.link/6BLPp.

Code in Action
Code in Action videos for this book can be viewed at https://packt.link/ZZQat.

Conventions used
There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. For example: “Keycloak supports the authorization_code grant type and the code and token response types.”

A block of code is set as follows:

..

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

{ "access_token": "eyJhbGciOiJSUzI1NiIsI…", ...


Thorgersen Stian:

Stian Thorgersen started his career at Arjuna Technologies building a cloud federation platform, years before most companies were even ready for a single-vendor public cloud. He later joined Red Hat, looking for ways to make developers' lives easier, which is where the idea of Keycloak started. In 2013, Stian co-founded the Keycloak project with another developer at Red Hat. Today, Stian is the Keycloak project lead and is also the top contributor to the project. He is still employed by Red Hat as a senior principal software engineer focusing on identity and access management, both for Red Hat and for Red Hat's customers. In his spare time, there is nothing Stian likes more than throwing his bike down the mountains of Norway.

Silva Pedro Igor:

Pedro Igor Silva is a proud dad of amazing girls. He started his career back in 2000 at an ISP, where he had his first experiences with open source projects such as FreeBSD and Linux, as well as a Java and J2EE software engineer. Since then, he has worked in different IT companies as a system engineer, system architect, and consultant. Today, Pedro Igor is a principal software engineer at Red Hat and one of the core developers of Keycloak. His main area of interest and study is now IT security, specifically in the application security and identity and access management spaces. In his non-working hours, he takes care of his planted aquariums.


