I have used spring security in the past and understand that most of the features of keycloak can be achieved by using spring security ( ldap integration etc ).
Apart from easy social media login validation, are there any other unique features in key cloak which cannot be done using spring security?
With spring-security you would have to create Spring authentication server and explicitly configure/code certain things for integration with LDAP, OAuth2/OIDC providers.
Keycloak is already OAuth2/OIDC/SAMPL compliant IAM provider. It provides features like User Federation with options like LDAP, integration with other OIDC provider etc.
Keycloak provides SPI integration points where you can customize the request flow, use OTP, perform two factor authentication, add google CAPTCHA, or even your CAPTCHA. It provides role based authorization too if you need.
It also provides event handling integration points for events like Login, logout, refresh token, etc.
Keycloak Community will keep adding new features or keep supporting it w.r.t. changes in OAuth2, OIDC, SAML. You don't need to worry about updating your code time to time. Along with this, security updates will be there.
There are many more features.
Most importantly, why reinvent the wheel, if you get these many features and good support.
Keycloak allows you:
to use multiple user storage and get users from multiple LDAP/AD or Kerberos or use without any LDAP.
to login once (SSO) and forget about to login from another application with GUI;
to use one authorization server for multiple application by separation them by realms. One thing should be noted: keycloak could be installed on multiple nodes for better reliability; This also could helpful when application become big and once you decide to separate it on multiple.
to add user additional attributes and fields during get user info without coding (trivial example - set phone number) or specific roles (on realm or even client level) or groups and use all this on the top of an AD attributes;
to configure password rules like password expiration, e-mail validation and so on;
to set up 2-factor authorization with SMS or Email.
These things I think could be implemented using Spring Security, but it takes more time than Keycloak installation and configuration. Personally, I am using Keycloak in multiple commercial projects and could claim that Keycloak is good.
Related
I would like to support hundreds of thousands of IDPs in my environment (for example 300k SAML 2 IDPs or OIDC OPs). If I was to get picky, I would like to support multiple protocols for authentication; SAML, SAML 2, OAuth, OAuth 2, OIDC but that isn't a strict requirement. Specifically, I want a login page on an IDP that supports authentication, password reset and SSO to SPs for each IDP stack, so to speak.
To do this, I would like to be able to automate deployment and configuration of new IDPs using APIs. Additionally, I have a single identity store that would back all of these IDPs, hopefully retaining global uniqueness across usernames by leveraging the IDP (maybe name) as an additional differentiator. I'm thinking something conceptually like (IDP X Username) tuple. I would like each IDP to reuse a templated UI but have it's own API endpoints, keys, etc to support their respective flows securely.
I'm not an expert in Keycloak and would like some advice on the mechanisms I can use in Keycloak to support this, if at all, and whether or not Keycloak could support this from a performance/volume perspective. I'm happy to write custom code/extensions, like UIs and storage integrations, but I would prefer to leave the identity management/IDP tasks to Keycloak where possible. I'm also assuming that deployment would not actually deploy a new artifact onto the network, it would just add new endpoints to a currently running Keycloak system but I would like validation of that assumption, if possible.
Long story short, I would like all the IDPs to support the same authentication flows/interaction patterns but look like unique IDPs on the network while limiting the number of deployed software components.
I'm happy to take pointers, like "this might work for you". I'm not really looking for a full design here.
We are developing an application in a microservice architecture, which implements signle sign-on using Spring Cloud OAuth2 on multiple OAuth2 providers like Google and Facebook. We are also developing our own authorization server, and will be integrated on next release.
Now, on our microservices, which are resource servers, I would like to know how to handle multiple token-info-uri or user-info-uri to multiple authorization servers (e.g. for Facebook or Google).
This type of situation is generally solved by having a middle-man; a single entity that your resource servers trust and that can be used to normalize any possible differences that surface from the fact that users may authenticate with distinct providers. This is sometimes referred to as a federation provider.
Auth0 is a good example on this kind of implementation. Disclosure: I'm an Auth0 engineer.
Auth0 sits between your app and the identity provider that authenticates your users. Through this level of abstraction, Auth0 keeps your app isolated from any changes to and idiosyncrasies of each provider's implementation.
(emphasis is mine)
It's not that your resource servers can't technically trust more than one authorization server, it's just that moving that logic out of the individual resource servers into a central location will make it more manageable and decoupled.
Also have in mind that authentication and authorization are different things although we are used to seeing them together. If you're going to implement your own authorization server, you should make that the central point that can:
handle multiple types of authentication providers
provide a normalized view of the user profile to downstream resource servers
provide the access tokens that can be used by your client application to make authorized requests to your microservices
how can i apply spring security for multitenant web application?
My web application has to be supported for multi-tenants i.e http://:/springapp/appollo---uses ldap for authentication
http://:/springapp/fortis----uses local database for authentication
http://:/springapp/manipal---uses oath for authentication
how can i apply spring security so that is supports for all the tenants
It might look trivial, though this is not a simple case...
Basically, all you need to do is to create a (Spring) Filter in your webapp, that will catch all requests, and by the subdomain of the referrer it will decide what authentication method to use (it can be achieved by a simple table in the DB, that will map a subdomain to an enum, e.g. 'oAuth', 'SAML', 'local', etc. This Filter should be placed before any other authentication filter, and as I said , it will technically decide which auth method to use.
I had to tackle this kind of scenario, and the best solution - as far as I think - was to support one authentication method, and then creating a "bridge" to other authentication methods, as needed. For example, the main authentication method is oAuth2.0. Then, in cases where you need other types of authentication, you create "adapters", or "bridges", to the other mechanisms. So if you need to support LocalDB for cusomerB, and AD for customerC, then you adapt from oAuth to localDB or to AD. In my case, I had to support SAML, so I've created a bridge from oAuth to SAML, because it is not trivial for the same Spring-app to support both oAuth and SAML. (Supporting AD and LocalDB from oAuth are much easier, I think.)
How it happens? you wrap your local DB to be an oAuth-provider, so your app will connect to it. and the same for your AD-connector. You have to parse the URL that the user enters, and you get the "tenant". Then you go to your DB, where you map from the tenant to the needed authentication mechanism, and you know what "bridge" to use.
HTH.
I'm going to be undertaking a large project for a client of mine. I need to write an IDP (identity provider) that will handle single-sign-on to multiple apps by a number of different authentication methods (such as SAML, OAuth, Form-based auth, HTTP Basic auth). I'd also need the ability to add in additional types of authentication as the app grows.
The basic idea would be that we'd have three different components to the app. One would be the IDP. Another would be a data-store that contains user accounts, the apps they want to use, etc. The third would be a GUI front-end that allows users to sign into apps.
It seems that there are some existing gems that handle authentication, like https://github.com/onelogin/ruby-saml and https://github.com/intridea/omniauth. My question is, am I overcomplicating this project -- would I just be able to use existing gems like these to act as the IDP, or is this a project where I'd need to read specs and implement them myself in Ruby?
Using something like SAML toolkit for Ruby on Rails adapted to work with ADFS server, you can integrate with ADFS. Now you can leverage ADFS features:
Interface with Facebook etc. via Azure ACS
Interface with Azure Active Directory and hence SSO to SaaS applications
Azure Active Directory Multi Factor Authentication
BYOD via the Web Applications Proxy
OAuth on ADFS 3.0
and so on. The list is expanding all the time.
Once you hook into these standards. you just inherit all the new features as they are released.
Has anyone actually used OAuth2 for SSO within Spring Security 3?
Scenario:
I need my users to be redirected to an OAuth2 URL when they try to access any URL on my site for the first time. Once they are authenticated there, it will redirect them to a URL on my site, where I need to authorize them and create a session so that they will stay authorized on my site until they log out or time out.
I have tried several configurations in Spring Security using custom pre-auth filters, custom user details services, etc., but I cannot get the flow to work properly. I've not attached any code because I've gone through so many possibilities that I'm not even sure what to post.
I'd appreciate any direction anyone can give. Thanks!
OAuth2 isn't intended as an SSO solution. It's primarily about delegating the right to access resources on your behalf to other parties (applications, for example). So if that's not something you need then perhaps you should be looking at a simpler solution.
It's possible to use OAuth2 to allow access to a resource which provides information on your identity, in which case it can be expanded for authentication use. This is how OpenID connect uses it (by adding a userinfo endpoint resource).
You might want to take a look at the UAA project within CloudFoundry which is built on Spring Security OAuth and uses OAuth2 in this way to provide authentication services and to issue access tokens to applications within the system.
This appears to be a somewhat dead question but here are some resources that may prove useful to future searches:
#EnableOAuth2Sso
#EnableOAuth2Resource
Spring Cloud oauth2 SSO sample
Spring oauth2 SSO with a whole bunch of other stuff too
Who is your Oauth2 provider? In a case of some public one like Facebook, Twitter, Google and many others you can take a look at Spring Social project. Even if you use some private provider you can add it very easy (http://blog.springsource.com/2011/03/10/extending-spring-socials-service-provider-framework/, Developing a Netflix Service Provider Implementation section).
Spring Social is designed to cover your main case with some minor difference: by default you must submit a form to start authentication process. I think this difference may be easy customized to feet your needs.
You can play with Spring Social Showcase sample to have an idea about authentication workflow.