2016-02-03 10:20:22 +00:00
<!--
~ Copyright 2016 Red Hat, Inc. and/or its affiliates
~ and other contributors as indicated by the @author tags.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
2014-01-13 01:57:31 +00:00
<chapter id= "Overview" >
<title > Overview</title>
<para >
2014-02-18 10:36:58 +00:00
Keycloak is an SSO solution for web apps, mobile and RESTful web services. It is an authentication server where users
2014-01-13 01:57:31 +00:00
can centrally login, logout, register, and manage their user accounts. The Keycloak admin UI can manage roles
and role mappings for any application secured by Keycloak. The Keycloak Server can also be used to perform
social logins via the user's favorite social media site i.e. Google, Facebook, Twitter etc.
</para>
<para >
</para>
<para >
Features:
<itemizedlist >
<listitem >
SSO and Single Log Out for browser applications
</listitem>
<listitem >
2014-03-12 16:57:30 +00:00
Social Login. Enable Google, GitHub, Facebook, Twitter social login with no code required.
2014-01-13 01:57:31 +00:00
</listitem>
2014-05-28 13:31:33 +00:00
<listitem >
LDAP and Active Directory support.
</listitem>
2014-01-13 01:57:31 +00:00
<listitem >
Optional User Registration
</listitem>
<listitem >
Password and TOTP support (via Google Authenticator). Client cert auth coming soon.
</listitem>
2014-02-26 20:29:17 +00:00
<listitem >
2014-05-28 13:31:33 +00:00
Forgot password support. User can have an email sent to them
</listitem>
<listitem >
Reset password/totp. Admin can force a password reset, or set up a temporary password.
</listitem>
<listitem >
Not-before revocation policies per realm, application, or user.
</listitem>
<listitem >
User session management. Admin can view user sessions and what applications/clients have an access token. Sessions can be invalidated
per realm or per user.
</listitem>
<listitem >
Pluggable theme and style support for user facing screens. Login, grant pages, account mgmt, and admin console all
can be styled, branded, and tailored to your application and organizational needs.
2014-02-26 20:29:17 +00:00
</listitem>
2014-01-13 01:57:31 +00:00
<listitem >
Integrated Browser App to REST Service token propagation
</listitem>
<listitem >
OAuth Bearer token auth for REST Services
</listitem>
<listitem >
OAuth 2.0 Grant requests
</listitem>
2014-02-28 15:45:12 +00:00
<listitem >
OpenID Connect Support.
</listitem>
2014-10-22 19:18:24 +00:00
<listitem >
SAML Support.
</listitem>
2014-01-13 01:57:31 +00:00
<listitem >
CORS Support
</listitem>
<listitem >
CORS Web Origin management and validation
</listitem>
<listitem >
Completely centrally managed user and role mapping metadata. Minimal configuration at the application side
</listitem>
<listitem >
2015-04-30 11:14:24 +00:00
Admin Console for managing users, roles, role mappings, clients, user sessions and allowed CORS web origins.
2014-01-13 01:57:31 +00:00
</listitem>
2014-03-12 16:57:30 +00:00
<listitem >
2014-05-28 13:31:33 +00:00
Account Management console that allows users to manage their own account, view their open sessions, reset passwords, etc.
2014-03-12 16:57:30 +00:00
</listitem>
2014-01-13 01:57:31 +00:00
<listitem >
2014-10-22 19:18:24 +00:00
Deployable as a WAR, appliance, or on Openshift. Completely clusterable.
2014-01-13 01:57:31 +00:00
</listitem>
2014-05-28 13:31:33 +00:00
<listitem >
2014-11-12 23:56:18 +00:00
Multitenancy support. You can host and manage multiple realms for multiple organizations. In the same auth server
and even within the same deployed application.
2014-05-28 13:31:33 +00:00
</listitem>
2014-01-13 01:57:31 +00:00
<listitem >
2015-03-11 16:05:27 +00:00
Identity brokering/chaining. You can make the Keycloak server a child IDP to another SAML 2.0 or OpenID Connect IDP.
</listitem>
<listitem >
Token claim, assertion, and attribute mappings. You can map user attributes, roles, and role names however you want
into a OIDC ID Token, Access Token, SAML attribute statements, etc. This feature allows you to basically
tailor however you want auth responses to look.
</listitem>
<listitem >
2014-11-12 23:56:18 +00:00
Supports JBoss AS7, EAP 6.x, Wildfly, Tomcat 7, Tomcat 8, Jetty 9.1.x, Jetty 9.2.x, Jetty 8.1.x, and Pure JavaScript applications. Plans to support Node.js, RAILS, GRAILS, and other non-Java deployments
2014-01-13 01:57:31 +00:00
</listitem>
</itemizedlist>
</para>
<section >
<title > Key Concepts in Keycloak</title>
<para >
2014-02-03 14:28:05 +00:00
The core concept in Keycloak is a <emphasis > Realm</emphasis> . A realm secures and manages security metadata
2015-04-30 11:14:24 +00:00
for a set of users and registered clients. Users can be created within a specific realm
2014-01-13 01:57:31 +00:00
within the Administration console. Roles (permission types) can be defined at the realm level and you can also
set up user role mappings to assign these permissions to specific users.
</para>
<para >
2015-04-30 11:14:24 +00:00
A <emphasis > client</emphasis> is a service that is secured by a realm. You will often use Client for every Application secured by Keycloak. When a user browses an
2014-01-13 01:57:31 +00:00
application's web site, the application can redirect the user agent to the Keycloak Server and request a login.
2015-04-30 11:14:24 +00:00
Once a user is logged in, they can visit any other client (application) managed by the realm and not have to re-enter
credentials. This also hold true for logging out. Roles can also be defined at the client level and
assigned to specific users. Depending on the client type, you may also be able to view and manage
2014-02-17 17:11:41 +00:00
user sessions from the administration console.
2014-01-13 01:57:31 +00:00
</para>
<para >
2015-04-30 11:14:24 +00:00
In admin console there is switch <emphasis > Consent required</emphasis> specified when creating/editing client. When on, the client is not immediately granted
2014-01-13 01:57:31 +00:00
all permissions of the user. In addition to requesting the login credentials of the user, the Keycloak Server
2015-04-30 11:14:24 +00:00
will also display a grant page asking the user if it is ok to grant allowed permissions to the client. The granted consents are saved
and every user can see his granted consents in Account Management UI and he can also revoke them for particular client. Also admin can see and revoke the grants
of particular user in Keycloak Admin Console UI.
2014-01-13 01:57:31 +00:00
</para>
</section>
<section >
<title > How Does Security Work in Keycloak?</title>
<para >
2014-05-28 13:31:33 +00:00
Keycloak uses <emphasis > access tokens</emphasis> to secure web invocations. Access tokens contains security metadata specifying the
2014-01-13 01:57:31 +00:00
identity of the user as well as the role mappings for that user. The format of these tokens is a Keycloak
extension to the <ulink url= "http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-14" > JSON Web Token</ulink> specification. Each realm has a private and public key pair
which it uses to digitally sign the access token using the <ulink url= "http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-19" > JSON Web Signature</ulink> specification.
Applications can verify the integrity of the digitally signed
access token using the public key of the realm. The protocols used to obtain this token is defined by the
<ulink url= "http://tools.ietf.org/html/rfc6749" > OAuth 2.0</ulink> specification.
</para>
<para >
The interesting thing about using these <emphasis > smart</emphasis> access tokens is that applications themselves are completely stateless
as far as security metadata goes. All the information they need about the user is contained in the token and there's
no need for them to store any security metadata locally other than the public key of the realm.
</para>
<para >
2014-05-28 13:31:33 +00:00
Signed access tokens can also be propagated by REST client requests within an <literal > Authorization</literal>
2014-01-13 01:57:31 +00:00
header. This is great for distributed integration as applications can request a login from a client to obtain
an access token, then invoke any aggregated REST invocations to other services using that access token. So,
you have a distributed security model that is centrally managed, yet does not require a Keycloak Server hit
per request, only for the initial login.
</para>
<section >
<title > Permission Scopes</title>
<para >
2015-04-30 11:14:24 +00:00
Each client is configured with a set of permission scopes. These are a set
of roles that a client is allowed to ask permission for. Access tokens are always
granted at the request of a specific client. This also holds true for SSO. As you visit
2014-01-13 01:57:31 +00:00
different sites, the application will redirect back to the Keycloak Server via the OAuth 2.0 protocol to obtain an access
2015-04-30 11:14:24 +00:00
token specific to that application (client). The role mappings contained within the token are the intersection
between the set of user role mappings and the permission scope of the client. So,
access tokens are tailor made for each client and contain only the information required
2014-01-13 01:57:31 +00:00
for by them.
</para>
</section>
</section>
</chapter>