KEYCLOAK-17940 Client policies documentation
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
This commit is contained in:
parent
d152d07378
commit
817eb73093
11 changed files with 203 additions and 2 deletions
|
@ -13,6 +13,9 @@ include::topics/templates/document-attributes-community.adoc[]
|
||||||
:release_header_latest_link: {releasenotes_link_latest}
|
:release_header_latest_link: {releasenotes_link_latest}
|
||||||
include::topics/templates/release-header.adoc[]
|
include::topics/templates/release-header.adoc[]
|
||||||
|
|
||||||
|
== {project_name_full} 14.0.0
|
||||||
|
include::topics/14_0_0.adoc[leveloffset=2]
|
||||||
|
|
||||||
== {project_name_full} 13.0.0
|
== {project_name_full} 13.0.0
|
||||||
include::topics/13_0_0.adoc[leveloffset=2]
|
include::topics/13_0_0.adoc[leveloffset=2]
|
||||||
|
|
||||||
|
|
9
release_notes/topics/14_0_0.adoc
Normal file
9
release_notes/topics/14_0_0.adoc
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
= Highlights
|
||||||
|
|
||||||
|
== Client Policies and Financial-grade API (FAPI) Support
|
||||||
|
|
||||||
|
The {project_name} server has now official support for client policies and Financial-grade API (FAPI). This capability was previewed in earlier versions, but now
|
||||||
|
it is more polished and properly documented. Thanks to https://github.com/tnorimat[Takashi Norimatsu], who did most of the work on this. Also thanks
|
||||||
|
to https://github.com/andriimurashkin[Andrii Murashkin] and https://github.com/HryhoriiHevorkian[Hryhorii Hevorkian], who did a great deal of the work on this feature as well.
|
||||||
|
Finally thanks to all the members of the https://github.com/keycloak/kc-sig-fapi/blob/master/members.adoc[FAPI Special interest group] for their help and feedback.
|
||||||
|
|
|
@ -59,6 +59,7 @@ include::topics/oidc/mod-auth-openidc.adoc[]
|
||||||
endif::[]
|
endif::[]
|
||||||
|
|
||||||
include::topics/oidc/oidc-generic.adoc[]
|
include::topics/oidc/oidc-generic.adoc[]
|
||||||
|
include::topics/oidc/fapi-support.adoc[]
|
||||||
|
|
||||||
include::topics/saml/saml-overview.adoc[]
|
include::topics/saml/saml-overview.adoc[]
|
||||||
include::topics/saml/java/java-adapters.adoc[]
|
include::topics/saml/java/java-adapters.adoc[]
|
||||||
|
|
|
@ -163,8 +163,12 @@ client = reg.create(client);
|
||||||
String registrationAccessToken = client.getRegistrationAccessToken();
|
String registrationAccessToken = client.getRegistrationAccessToken();
|
||||||
----
|
----
|
||||||
|
|
||||||
|
[[_client_registration_policies]]
|
||||||
=== Client Registration Policies
|
=== Client Registration Policies
|
||||||
|
|
||||||
|
NOTE: The current plans are for the Client Registration Policies to be removed in favor of the Client Policies described in the link:{adminguide_link}#_client_policies[{adminguide_name}].
|
||||||
|
Client Policies are more flexible and support more use cases.
|
||||||
|
|
||||||
{project_name} currently supports two ways how new clients can be registered through Client Registration Service.
|
{project_name} currently supports two ways how new clients can be registered through Client Registration Service.
|
||||||
|
|
||||||
* Authenticated requests - Request to register new client must contain either `Initial Access Token` or `Bearer Token` as mentioned above.
|
* Authenticated requests - Request to register new client must contain either `Initial Access Token` or `Bearer Token` as mentioned above.
|
||||||
|
|
12
securing_apps/topics/oidc/fapi-support.adoc
Normal file
12
securing_apps/topics/oidc/fapi-support.adoc
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
[[_fapi-support]]
|
||||||
|
=== Financial-grade API (FAPI) Support
|
||||||
|
|
||||||
|
{project_name} makes it easier for administrators to make sure that their clients are compliant with
|
||||||
|
the https://openid.net/specs/openid-financial-api-part-1-1_0.html[Financial-grade API Security Profile 1.0 - Part 1: Baseline]
|
||||||
|
and https://openid.net/specs/openid-financial-api-part-2-1_0.html[Financial-grade API Security Profile 1.0 - Part 2: Advanced]. This compliance means that the {project_name} server will verify the requirements
|
||||||
|
for the authorization server, which are mentioned in the specifications. {project_name} adapters do not have any specific support for the FAPI, hence the required validations on the client (application)
|
||||||
|
side may need to be still done manually or through some other third-party solutions.
|
||||||
|
|
||||||
|
To make sure that your clients are FAPI compliant, you can configure Client Policies in your realm as described in the link:{adminguide_link}#_client_policies[{adminguide_name}]
|
||||||
|
and link them to the global client profiles for FAPI support, which are automatically available in each realm.
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
[[_oidc]]
|
||||||
== OpenID Connect
|
== OpenID Connect
|
||||||
|
|
||||||
This section describes how you can secure applications and services with OpenID Connect using either {project_name} adapters or generic OpenID Connect
|
This section describes how you can secure applications and services with OpenID Connect using either {project_name} adapters or generic OpenID Connect
|
||||||
|
|
|
@ -50,6 +50,7 @@ include::topics/clients/client-link.adoc[]
|
||||||
include::topics/clients/protocol-mappers.adoc[]
|
include::topics/clients/protocol-mappers.adoc[]
|
||||||
include::topics/clients/installation.adoc[]
|
include::topics/clients/installation.adoc[]
|
||||||
include::topics/clients/client-scopes.adoc[]
|
include::topics/clients/client-scopes.adoc[]
|
||||||
|
include::topics/clients/client-policies.adoc[]
|
||||||
include::topics/roles.adoc[]
|
include::topics/roles.adoc[]
|
||||||
include::topics/roles/realm-roles.adoc[]
|
include::topics/roles/realm-roles.adoc[]
|
||||||
include::topics/roles/client-roles.adoc[]
|
include::topics/roles/client-roles.adoc[]
|
||||||
|
@ -115,6 +116,7 @@ include::topics/threat/clickjacking.adoc[]
|
||||||
include::topics/threat/ssl.adoc[]
|
include::topics/threat/ssl.adoc[]
|
||||||
include::topics/threat/csrf.adoc[]
|
include::topics/threat/csrf.adoc[]
|
||||||
include::topics/threat/redirect.adoc[]
|
include::topics/threat/redirect.adoc[]
|
||||||
|
include::topics/threat/fapi-compliance.adoc[]
|
||||||
include::topics/threat/compromised-tokens.adoc[]
|
include::topics/threat/compromised-tokens.adoc[]
|
||||||
include::topics/threat/compromised-codes.adoc[]
|
include::topics/threat/compromised-codes.adoc[]
|
||||||
include::topics/threat/open-redirect.adoc[]
|
include::topics/threat/open-redirect.adoc[]
|
||||||
|
|
154
server_admin/topics/clients/client-policies.adoc
Normal file
154
server_admin/topics/clients/client-policies.adoc
Normal file
|
@ -0,0 +1,154 @@
|
||||||
|
[[_client_policies]]
|
||||||
|
=== Client Policies
|
||||||
|
|
||||||
|
To make it easy to secure client applications, it is beneficial to realize the following points in a unified way.
|
||||||
|
|
||||||
|
* Setting policies on what configuration a client can have
|
||||||
|
* Validation of client configurations
|
||||||
|
* Conformance to a required security standards and profiles such as Financial-grade API (FAPI)
|
||||||
|
|
||||||
|
To realize these points in a unified way, _Client Policies_ concept is introduced.
|
||||||
|
|
||||||
|
==== Use-cases
|
||||||
|
|
||||||
|
Client Policies realize the following points mentioned as follows.
|
||||||
|
|
||||||
|
Setting policies on what configuration a client can have::
|
||||||
|
Configuration settings on the client can be enforced by client policies during client creation/update, but also during OpenID Connect requests to {project_name} server, which are related to particular client.
|
||||||
|
{project_name} supports similar thing also through the Client Registration Policies described in the link:{adapterguide_link}#_client_registration_policies[{adapterguide_name}].
|
||||||
|
However, Client Registration Policies can only cover OIDC Dynamic Client Registration. Client Policies cover not only what Client Registration Policies can do, but other client
|
||||||
|
registration and configuration ways. The current plans are for Client Registration to be replaced by Client Policies.
|
||||||
|
|
||||||
|
Validation of client configurations::
|
||||||
|
{project_name} supports validation whether the client follows settings like Proof Key for Code Exchange,
|
||||||
|
Request Object Signing Algorithm, Holder-of-Key Token, and so on on some endpoints like Authorization Endpoint, Token Endpoint, and so on.
|
||||||
|
These can be specified by each setting item (on Admin Console, switch, pulldown menu and so on). To make the client application secure, the administrator needs to set
|
||||||
|
many settings in the appropriate way, which makes it difficult for the administrator to secure the client application.
|
||||||
|
Client Policies can do these validation of client configurations mentioned just above and they can also be used to auto-configure some client configuration switches to meet
|
||||||
|
the advanced security requirements. In the future, individual client configuration settings may be replaced by Client Policies directly performing required validations.
|
||||||
|
|
||||||
|
Conformance to a required security standards and profiles such as FAPI::
|
||||||
|
The _Global client profiles_ are client profiles pre-configured in {project_name} by default. They are pre-configured to be compliant with standard security profiles like link:{adapterguide_link}#_fapi-support[FAPI],
|
||||||
|
which makes it easy for the administrator to secure their client application to be compliant with the particular security profile. At this moment, {project_name} has global
|
||||||
|
profiles for the support of FAPI 1 specification. The administrator will just need to configure the client policies to specify which clients should
|
||||||
|
be compliant with the FAPI. The administrator can configure client profiles and client policies, so that {project_name} clients can be easily made compliant with various other
|
||||||
|
security profiles like SPA, Native App, Open Banking and so on.
|
||||||
|
|
||||||
|
==== Protocol
|
||||||
|
|
||||||
|
The client policy concept is independent of any specific protocol. However, {project_name} currently supports it only just for the link:{adapterguide_link}#_oidc[OpenID Connect (OIDC) protocol].
|
||||||
|
|
||||||
|
==== Architecture
|
||||||
|
|
||||||
|
Client Policies consists of the four building blocks: Condition, Executor, Profile and Policy.
|
||||||
|
|
||||||
|
===== Condition
|
||||||
|
|
||||||
|
A condition determines to which client a policy is adopted and when it is adopted. Some conditions are checked at the time of client create/update when some other conditions are
|
||||||
|
checked during client requests (OIDC Authorization request, Token endpoint request and so on). The condition checks whether one specified criteria is satisfied. For example,
|
||||||
|
some condition checks whether the access type of the client is confidential.
|
||||||
|
|
||||||
|
The condition can not be used solely by itself. It can be used in a <<_client_policy_policy,policy>> that is described afterwards.
|
||||||
|
|
||||||
|
A condition can be configurable the same as other configurable providers. What can be configured depends on each condition's nature.
|
||||||
|
|
||||||
|
The following conditions are provided:
|
||||||
|
|
||||||
|
The way of creating/updating a client::
|
||||||
|
* Dynamic Client Registration (Anonymous or Authenticated with Initial access token or Registration access token)
|
||||||
|
* Admin REST API (Admin Console and so on)
|
||||||
|
|
||||||
|
So for example when creating a client, a condition can be configured to evaluate to true when this client is created by OIDC Dynamic Client Registration without initial
|
||||||
|
access token (Anonymous Dynamic Client Registration). So this condition can be used for example to ensure that all clients registered through OIDC Dynamic Client Registration
|
||||||
|
are FAPI compliant.
|
||||||
|
|
||||||
|
Author of a client (Checked by presence to the particular role or group)::
|
||||||
|
On OpenID Connect dynamic client registration, an author of a client is the end user who was authenticated to get an access token for generating a new client, not Service
|
||||||
|
Account of the existing client that actually accesses the registration endpoint with the access token. On registration by Admin REST API, an author of a client is the end user
|
||||||
|
like the administrator of the {project_name}.
|
||||||
|
|
||||||
|
Client Access Type (confidential, public, bearer-only)::
|
||||||
|
For example when a client sends an authorization request, a policy is adopted if this client is confidential.
|
||||||
|
|
||||||
|
Client Scope::
|
||||||
|
Evaluates to true if the client has a particular client scope (either as default or as an optional scope used in current request). This can be used for example to ensure that
|
||||||
|
OIDC authorization requests with scope `fapi-example-scope` need to be FAPI compliant.
|
||||||
|
|
||||||
|
Client Role::
|
||||||
|
Applies for clients with the client role of the specified name
|
||||||
|
|
||||||
|
Client Domain Name, Host or IP Address::
|
||||||
|
Applied for specific domain names of client. Or for the cases when the administrator registers/updates client from particular Host or IP Address.
|
||||||
|
|
||||||
|
Any Client::
|
||||||
|
This condition always evaluates to true. It can be used for example to ensure that all clients in the particular realm are FAPI compliant.
|
||||||
|
|
||||||
|
===== Executor
|
||||||
|
|
||||||
|
An executor specifies what action is executed on a client to which a policy is adopted. The executor executes one or several specified actions. For example,
|
||||||
|
some executor checks whether the value of the parameter `redirect_uri` in the authorization request matches exactly with one of the pre-registered redirect URIs on
|
||||||
|
Authorization Endpoint and rejects this request if not.
|
||||||
|
|
||||||
|
The executor can not be used solely by itself. It can be used in a <<_client_policy_profile,profile>> that is described afterwards.
|
||||||
|
|
||||||
|
An executor can be configurable the same as other configurable providers. What can be configured depends on the nature of each executor.
|
||||||
|
|
||||||
|
An executor acts on various events. An executor implementation can ignore certain types of events (For example, executor for checking OIDC `request` object acts just
|
||||||
|
on the OIDC authorization request). Events are:
|
||||||
|
|
||||||
|
* Creating a client (including creation through dynamic client registration)
|
||||||
|
* Updating a client
|
||||||
|
* Sending an authorization request
|
||||||
|
* Sending a token request
|
||||||
|
* Sending a token refresh request
|
||||||
|
* Sending a token revocation request
|
||||||
|
* Sending a token introspection request
|
||||||
|
* Sending a userinfo request
|
||||||
|
* Sending a logout request with a refresh token
|
||||||
|
|
||||||
|
On each event, an executor can work in multiple phases. For example, on creating/updating a client, the executor can modify the client configuration by auto-configure specific client
|
||||||
|
settings. After that, the executor validates this configuration in validation phase.
|
||||||
|
|
||||||
|
One of several purposes for this executor is to realize the security requirements of client conformance profiles like FAPI. To do so, the following executors are needed:
|
||||||
|
|
||||||
|
* Enforce secure <<_client-credentials,Client Authentication method>> is used for the client
|
||||||
|
* Enforce <<_mtls-client-certificate-bound-tokens,Holder-of-key tokens>> are used
|
||||||
|
* Enforce <<_proof-key-for-code-exchange,Proof Key for Code Exchange (PKCE)>> is used
|
||||||
|
* Enforce secure signature algorithm for <<_client-credentials,Signed JWT client authentication (private-key-jwt)>> is used
|
||||||
|
* Enforce HTTPS redirect URI and make sure that configured redirect URI does not contain wildcards
|
||||||
|
* Enforce OIDC `request` object satisfying high security level
|
||||||
|
* Enforce Response Type of OIDC Hybrid Flow including ID Token used as _detached signature_ as described in the FAPI 1 specification, which means that ID Token returned from Authorization response won't contain user profile data
|
||||||
|
* Enforce more secure `state` and `nonce` parameters treatment for preventing CSRF
|
||||||
|
* Enforce more secure signature algorithm when client registration
|
||||||
|
|
||||||
|
[[_client_policy_profile]]
|
||||||
|
===== Profile
|
||||||
|
|
||||||
|
A profile consists of several executors, which can realize a security profile like FAPI. Profile can be configured by the Admin REST API (Admin Console) together with its executors.
|
||||||
|
Two _global profiles_ exist and they are configured in {project_name} by default with pre-configured executors compliant with the FAPI Baseline and FAPI Advanced specifications.
|
||||||
|
More details exist in the FAPI section of the link:{adapterguide_link}#_fapi-support[{adapterguide_name}].
|
||||||
|
|
||||||
|
[[_client_policy_policy]]
|
||||||
|
===== Policy
|
||||||
|
|
||||||
|
A policy consists of several conditions and profiles. The policy can be adopted to clients satisfying all conditions of this policy. The policy refers several profiles and all
|
||||||
|
executors of these profiles execute their task against the client that this policy is adopted to.
|
||||||
|
|
||||||
|
|
||||||
|
==== Configuration
|
||||||
|
|
||||||
|
Policies, profiles, conditions, executors can be configured by Admin REST API, which means also the Admin Console. To do so, there is a tab _Realm_ -> _Realm Settings_ -> _Client Policies_
|
||||||
|
, which means the administrator can have client policies per realm.
|
||||||
|
|
||||||
|
The _Global Client Profiles_ are automatically available in each realm. However there are no client policies
|
||||||
|
configured by default. This means that the administrator is always required to create any client policy if they want for example the clients of his realm to be FAPI compliant. Global
|
||||||
|
profiles cannot be updated, but the administrator can easily use them as a template and create their own profile if they want to do some slight changes in the global profile configurations.
|
||||||
|
There is JSON Editor available in the Admin Console, which simplifies the creation of new profile based on some global profile.
|
||||||
|
|
||||||
|
==== Backward Compatibility
|
||||||
|
|
||||||
|
Client Policies can replace Client Registration Policies described in the link:{adapterguide_link}#_client_registration_policies[{adapterguide_name}].
|
||||||
|
However, Client Registration Policies also still co-exist. This means that for example during a Dynamic Client Registration request to create/update a client, both client policies and
|
||||||
|
client registration policies are applied.
|
||||||
|
|
||||||
|
The current plans are for the Client Registration Policies feature to be removed and the existing client registration policies will be migrated into new client policies automatically.
|
7
server_admin/topics/threat/fapi-compliance.adoc
Normal file
7
server_admin/topics/threat/fapi-compliance.adoc
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
|
||||||
|
=== FAPI compliance
|
||||||
|
|
||||||
|
To make sure that {project_name} server will validate your client to be more secure and FAPI compliant, you can configure client policies
|
||||||
|
for the FAPI support. Details are described in the FAPI section of link:{adapterguide_link}#_fapi-support[{adapterguide_name}]. Among other things, this ensures some security best practices
|
||||||
|
described above like SSL required for clients, secure redirect URI used and more of similar best practices.
|
||||||
|
|
|
@ -36,8 +36,8 @@ The features that can be enabled and disabled are:
|
||||||
|
|
||||||
|client_policies
|
|client_policies
|
||||||
|Add client configuration policies
|
|Add client configuration policies
|
||||||
|No
|
|Yes
|
||||||
|Preview
|
|Supported
|
||||||
|
|
||||||
|docker
|
|docker
|
||||||
|Docker Registry protocol
|
|Docker Registry protocol
|
||||||
|
|
|
@ -1,5 +1,13 @@
|
||||||
== Migration Changes
|
== Migration Changes
|
||||||
|
|
||||||
|
=== Migrating to 14.0.0
|
||||||
|
|
||||||
|
==== Client Policies Migration
|
||||||
|
|
||||||
|
The Client policies feature was a preview feature since Keycloak 12 and did not have proper support. If you tried this feature and configured some client policies or client profiles
|
||||||
|
in Keycloak 12 or Keycloak 13, then you will need to configure your client policies and client profiles again in the new version. The format of the configuration changed significantly
|
||||||
|
as it was only a preview and hence we do not provide automatic migration of client policies and client profiles created in Keycloak 12 or Keycloak 13.
|
||||||
|
|
||||||
=== Migrating to 13.0.0
|
=== Migrating to 13.0.0
|
||||||
|
|
||||||
==== Manual migration step needed
|
==== Manual migration step needed
|
||||||
|
|
Loading…
Reference in a new issue