Are you ready for OpenID Connect?
Michael Furman
Security Architect
What will we see today?
• OpenID Connect Overview
• OpenID Connect Implementation
• Keycloak Overview
• Keycloak Advanced Features
About Me
• 20+ years in software engineering
• 10+ years in application security
• 3+ years Tufin Lead Security Architect
• www.linkedin.com/in/furmanmichael/
• I like to travel, read books and listen to music.
About Tufin
• Market Leader in Security Policy Orchestration
– Established in 2005
– Main offices in Ramat-Gan and Boston
• Used by over 2,000 enterprises, including 40 Fortune 100 companies
• We are constantly growing!
www.tufin.com/careers/
OpenID Connect Protocol
• Interoperable authentication protocol
• Based on OAuth 2.0 family of specifications
• Uses REST/JSON message flows
• Design goal is “making simple things simple and complicated things possible”
http://openid.net/connect/faq/
OpenID Connect Providers
• Google
https://developers.google.com/identity/protocols/OpenIDConnect#authenticatingtheuser
• Microsoft
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code
OpenID Connect Providers
• Yahoo
https://developer.yahoo.com/oauth2/guide/openid_connect/
• PayPal
https://developer.paypal.com/docs/integration/direct/identity/log-in-with-paypal/
• SalesForce
https://developer.salesforce.com/page/Inside_OpenID_Connect_on_Force.com
OpenID Connect Components
• Identity Provider (IDP) - offers user authentication as a service
• Relying Party (RP) - outsources its user authentication function to an IDP
• Web site
• Application
OpenID Connect Components
End User
Relying Party (RP)
Identity Provider (IDP)
OpenID Connect Authentication Flow
Participants: End User, Relying Party (RP), Identity Provider (IDP)
1. End User requests a resource from the RP
2. RP redirects the user to the IDP
3. IDP provides a login page
4. User provides credentials
5. IDP authenticates the user
6. IDP redirects the user back to the RP with an ID token
7. RP accesses the IDP to get user information (via REST API)
8. RP creates a user session and provides the resource
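The eight steps above, worked end to end as an added example (not code from the talk or from Keycloak): the RP builds the redirect with a fresh state and nonce, a simulated IDP issues a signed ID token, and the RP validates state, signature, issuer, audience, expiry and nonce before creating the session. Everything is constructed for the demo: the issuer URL, client id, redirect URI and the HS256 shared key are assumptions; a real IDP signs ID tokens with an asymmetric key (RS256 or similar) that the RP fetches from the IDP's JWKS endpoint, and the endpoints come from the discovery document. `response_type=id_token` mirrors the slide's "redirected to RP with an ID token"; current OAuth 2.0 security guidance prefers the authorization code flow, but the validation checks below are the same.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this demo. A real RP takes the issuer, endpoints and
# signing keys from the IDP's discovery document and JWKS, not from constants.
IDP_ISSUER = "https://idp.example/realms/demo"
IDP_AUTH_ENDPOINT = IDP_ISSUER + "/protocol/openid-connect/auth"
RP_CLIENT_ID = "demo-rp"
RP_REDIRECT_URI = "https://rp.example/callback"
# Demo assumption: HS256 with a key both sides know. Production IDPs sign
# ID tokens with an asymmetric key (e.g. RS256) that the RP fetches via JWKS.
SIGNING_KEY = b"constructed-demo-signing-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(header_b64: str, payload_b64: str) -> bytes:
    return hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()


# Step 2 (RP): redirect the browser to the IDP. state ties the callback to this
# browser session; nonce ties the ID token to this particular request.
def build_auth_request(session: dict) -> str:
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    params = {
        "response_type": "id_token",
        "client_id": RP_CLIENT_ID,
        "redirect_uri": RP_REDIRECT_URI,
        "scope": "openid profile",
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return IDP_AUTH_ENDPOINT + "?" + urlencode(params)


# Steps 3-6 (IDP, simulated): after the user authenticates, mint an ID token
# (a signed JWT) and send the browser back to the RP with it and the state.
def idp_issue_id_token(auth_url: str, user_sub: str, now: int) -> dict:
    q = parse_qs(urlparse(auth_url).query)
    claims = {
        "iss": IDP_ISSUER,
        "sub": user_sub,
        "aud": q["client_id"][0],
        "iat": now,
        "exp": now + 300,
        "nonce": q["nonce"][0],
    }
    header_b64 = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url(json.dumps(claims).encode())
    id_token = f"{header_b64}.{payload_b64}.{b64url(sign(header_b64, payload_b64))}"
    return {"id_token": id_token, "state": q["state"][0]}


# Steps 6-8 (RP): validate the callback before creating the user session.
def rp_handle_callback(session: dict, callback: dict, now: int) -> str:
    expected_state = session.pop("state", None)   # single use: a replayed callback fails here
    expected_nonce = session.pop("nonce", None)
    if not expected_state or not hmac.compare_digest(expected_state.encode(), callback.get("state", "").encode()):
        raise ValueError("state mismatch: callback not bound to this session")
    try:
        header_b64, payload_b64, sig_b64 = callback["id_token"].split(".")
    except (KeyError, ValueError):
        raise ValueError("malformed ID token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":              # the RP pins the algorithm; it never trusts the token's choice
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sign(header_b64, payload_b64), b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != RP_CLIENT_ID:
        raise ValueError("token issued for another client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    session["user"] = claims["sub"]               # step 8: user session established
    return claims["sub"]
```

The RP keeps state and nonce server-side and consumes them on first use, so a callback delivered twice, a token minted for another client, or a token whose payload was altered after signing is rejected before any session exists.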
Is OpenID Connect similar to SAML2?
Diagram from http://docs.oasis-open.org/
SAML vs OpenID Connect
• Security Assertion Markup Language (SAML)
– XML-based protocol
– Older protocol: 2005 (SAML2)
– High rate of adoption
– Designed only for Web-based applications
• OpenID Connect
– JSON/REST based protocol
– Newer protocol: 2014
– Designed to support native apps and mobile applications
OpenID vs OpenID Connect
• OpenID 2.0
– Uses XML and a custom message signature scheme
– Difficult to create interoperable applications
• OpenID Connect
– Uses standard JSON Web Token (JWT) data structures
– Better interoperability
OAuth 2.0 vs OpenID Connect
• OAuth 2.0 is an authorization framework
– Provides message flows based on JSON and HTTP
https://oauth.net/articles/authentication/
• OpenID Connect is an authentication protocol
– Uses OAuth 2.0 flows and services
– (Identity, Authentication) + OAuth 2.0 = OpenID Connect
OpenID Connect Implementation
• Certified Relying Party (RP) Libraries
– Apache HTTPd server
– .NET NuGet Package
– Erlang
– JavaScript
– PHP
– Python
– …
http://openid.net/developers/certified/
OpenID Connect Implementation
• Certified Identity Provider (IDP) Libraries
– Gluu Server
– MITREid Connect
– Keycloak
– …
http://openid.net/developers/certified/
Keycloak
• Open source Identity and Access Management solution
http://www.keycloak.org/about.html
• Provides Single-Sign On (SSO)
• RedHat SSO is based on Keycloak
https://access.redhat.com/solutions/1472293
Keycloak IDP
• Based on WildFly server
– Server Administration
– Clustering
• Supports custom look and feel (themes)
• Supports custom authentication (providers)
• Can authenticate users with external OpenID Connect or SAML 2.0 Identity Providers
Keycloak Relying Party (RP)
• Keycloak calls them adapters
• Out-of-the-box support includes
– Spring Boot
– Spring Security
– Node.js
– …
http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/java-adapters.html
Keycloak Brute Force Protection
What is a brute force attack?
“A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works”
https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
Keycloak Brute Force Protection
• Preventing automated attacks:
– Lock after 2 subsequent login failures
– 1 second between failures (too quick for a human)
– Lock remains active for ~5 min
• Preventing manual attacks:
– Lock after 30 subsequent login failures
– Sliding window of 12 hours
– Lock remains active for ~45 min
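The two lockout rules above, implemented as an added example (my code, not Keycloak's): a quick-login rule that locks after 2 consecutive failures less than 1 second apart, and a sliding-window rule that locks after 30 failures within 12 hours, with the slide's 5 and 45 minute lock durations. The login log replayed at the end is constructed for the demo; the class is the kind of logic a detection engineer would run over real authentication events to confirm the IDP's lockout actually triggers.

```python
from collections import deque

# Numbers are the slide's values. Assumption: Keycloak's real implementation
# differs in detail (it is configured per realm); this shows the policy, not its code.
QUICK_FAILURES = 2          # consecutive failures ...
QUICK_INTERVAL_S = 1.0      # ... less than this far apart => automated client
QUICK_LOCK_S = 5 * 60
MAX_FAILURES = 30           # failures inside the sliding window => manual attack
WINDOW_S = 12 * 3600
MAX_LOCK_S = 45 * 60


class BruteForceDetector:
    def __init__(self):
        self.failures = {}      # user -> deque of failure timestamps (seconds)
        self.locked_until = {}  # user -> time the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, 0.0)

    def record_failure(self, user: str, now: float) -> str:
        """Register a failed login; returns 'ok', 'locked', 'locked:quick' or 'locked:max'."""
        if self.is_locked(user, now):
            return "locked"
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > WINDOW_S:      # slide the 12 h window forward
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[user] = now + MAX_LOCK_S
            q.clear()
            return "locked:max"
        if len(q) >= QUICK_FAILURES and q[-1] - q[-2] < QUICK_INTERVAL_S:
            self.locked_until[user] = now + QUICK_LOCK_S
            q.clear()
            return "locked:quick"
        return "ok"

    def record_success(self, user: str, now: float) -> bool:
        """A correct password is still refused while the account is locked."""
        if self.is_locked(user, now):
            return False
        self.failures.pop(user, None)
        return True


# Constructed login events: "<unix seconds> <user> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
1000.0 bob FAIL
1000.3 bob FAIL
1001.0 bob SUCCESS
1400.0 bob SUCCESS
"""


def replay(log: str) -> list:
    """Run the detector over a log and return (user, decision) per line."""
    d = BruteForceDetector()
    out = []
    for line in log.splitlines():
        ts, user, result = line.split()
        ts = float(ts)
        if result == "FAIL":
            out.append((user, d.record_failure(user, ts)))
        else:
            out.append((user, "allowed" if d.record_success(user, ts) else "locked"))
    return out
```

In the sample log, bob's second failure arrives 0.3 s after the first, which trips the quick-login rule; the correct password one second later is refused because the 5 minute lock is still active, and the attempt at 1400 s (past the lock) succeeds.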
Keycloak Password Policy
What is a password policy?
A Password Policy is the set of restrictions and/or requirements that a user must follow to ensure that their password is strong.
Keycloak Password Policy
Keycloak policy types include:
• Digits – minimum number of digits required
• Special Characters – minimum number of special characters required
• Expire Password – password expires after n days
• …
http://www.keycloak.org/docs/3.2/server_admin/topics/authentication/password-policies.html
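An added example (not Keycloak's code) of evaluating the policy types listed above, plus the length and case rules that commonly sit beside them: it parses a policy string written the way Keycloak expresses its built-in policies, `name(argument)` terms joined by `and`, and returns every violation rather than stopping at the first. The provider names `length`, `digits`, `specialChars`, `upperCase`, `lowerCase` and `forceExpiredPasswordChange` are the ones I know Keycloak uses; check them against the documentation for your version. Counting any non-alphanumeric character as "special" is an assumption.

```python
import re
from datetime import date, timedelta

# Assumption: policy terms look like "length(8) and digits(1) and specialChars(1)".
POLICY_TERM = re.compile(r"(\w+)\((\d+)\)")


def parse_policy(policy: str) -> dict:
    """Turn a Keycloak-style policy string into {provider_name: integer_argument}."""
    return {name: int(arg) for name, arg in POLICY_TERM.findall(policy)}


def check_password(password: str, policy: str, last_changed: date = None, today: date = None) -> list:
    """Return a list of violated rules (empty list means the password satisfies the policy)."""
    rules = parse_policy(policy)
    violations = []
    if "length" in rules and len(password) < rules["length"]:
        violations.append(f"length: at least {rules['length']} characters required")
    if "digits" in rules and sum(c.isdigit() for c in password) < rules["digits"]:
        violations.append(f"digits: at least {rules['digits']} digit(s) required")
    if "specialChars" in rules and sum(not c.isalnum() for c in password) < rules["specialChars"]:
        violations.append(f"specialChars: at least {rules['specialChars']} special character(s) required")
    if "upperCase" in rules and sum(c.isupper() for c in password) < rules["upperCase"]:
        violations.append(f"upperCase: at least {rules['upperCase']} upper-case letter(s) required")
    if "lowerCase" in rules and sum(c.islower() for c in password) < rules["lowerCase"]:
        violations.append(f"lowerCase: at least {rules['lowerCase']} lower-case letter(s) required")
    # Expire Password: enforced against the date of the last change, not the password text
    if "forceExpiredPasswordChange" in rules and last_changed is not None:
        today = today or date.today()
        max_age = timedelta(days=rules["forceExpiredPasswordChange"])
        if today - last_changed >= max_age:
            violations.append(f"forceExpiredPasswordChange: password older than {max_age.days} days, change required")
    return violations
```

Returning the full list of violations is what a login or self-service page needs in order to tell the user everything that is wrong at once; a hashed password cannot be checked against these rules later, so the length, digit and character rules can only be enforced at the moment the password is set, while the expiry rule is evaluated at every login.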
Summary
• Enforce a strong authentication scheme
• Immediate support for advanced security features
• Brute force protection
• Password policy
• Leverage future IDP enhancements
Thank you!
• Contact me
– www.linkedin.com/in/furmanmichael/