Keycloak - Identity and Access Management for Modern Applications - Second Edition by Stian Thorgersen & Pedro Igor Silva
Author:Stian Thorgersen & Pedro Igor Silva
Language: eng
Format: epub
Publisher: Packt
Published: 2023-11-15T00:00:00+00:00
Enabling TLS
Any request to and from Keycloak should be made through a secure channel. For that, you must enable HTTP over TLS, also known as HTTPS. In a nutshell, you should never expose Keycloak endpoints through plain HTTP.
Keycloak exchanges sensitive data all the time with user agents and applications. Enabling HTTPS is crucial to prevent several forms of attacks, as well as to benefit from different forms of authentication that rely on a TLS session established with the server.
The current best practice is to select a key size of at least 2,048 bits. In terms of protocol, Keycloak advertises the most secure protocols, such as TLS v1.2 and TLS v1.3. You can also restrict the list of advertised protocols to only those you want by setting the https-protocols option. For more details, look at the documentation available from https://www.keycloak.org/server/enabletls#_relevant_options.
The first step to enable HTTPS is to create or reuse a Java KeyStore where the server's private key and certificates are stored. If you are planning to deploy Keycloak in production, you probably have all the key material to enable TLS, as well as your certificates signed by a trusted Certificate Authority (CA). The next and last step is to configure the HTTPS listener to use the key material from your Java KeyStore.
In this section, you are going to use a Java KeyStore available from the GitHub repository of the book at $KC_HOME/Keycloak---Identity-and-Access-Management-for-Modern-Applications-2nd-Edition/ch9/mykeycloak.keystore. This KeyStore was built for example purposes using a self-signed certificate and you should not use it in production. Instead, you should replace it with a KeyStore using your own private key and certificate.
To enable HTTPS using a Java KeyStore, you can use the https-key-store-file option to provide the path to the KeyStore file and the https-key-store-password option to provide its password.
For that, copy the key store from the Git repository to the conf directory:
$ cp $KC_HOME/Keycloak---Identity-and-Access-Management-for-Modern-Applications-2nd-Edition/ch9/mykeycloak.keystore $KC_HOME/conf
Then, edit the $KC_HOME/conf/keycloak.conf file and add the following options:
https-key-store-file=${kc.home.dir}/conf/mykeycloak.keystore
https-key-store-password=password
Now you can start the server by running:
$ cd $KC_HOME
$ bin/kc.sh start
If everything is OK, you should be able to access Keycloak at https://mykeycloak:8443, and you should be able to see that the certificate being used is a self-signed certificate.
Alternatively, you can also provide the certificate and its corresponding private key from a PEM file by using https-certificate-file and https-certificate-key-file, respectively.
In addition to enabling HTTPS, Keycloak also allows you to define TLS constraints on a per-realm basis. Basically, for each realm, you can set whether Keycloak should require HTTPS for incoming requests:
Figure 9.1: Enforcing HTTPS on a per-realm basis
By default, Keycloak is going to enforce TLS for any External requests. That means clients using the public network can only access Keycloak through HTTPS.
Ideally, you should set the Require SSL setting to All requests, so that any request to Keycloak is guaranteed to be using a secure protocol.
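The following audit script is an added example, not code from the book or from the Keycloak project. It parses the keycloak.conf options introduced above (https-key-store-file, https-key-store-password, https-certificate-file, https-certificate-key-file, https-protocols) and reports misconfigurations, and it checks the per-realm Require SSL setting, which Keycloak's realm representation exposes as the sslRequired attribute (all, external, none). The sample configurations are constructed for illustration; the set of protocols treated as weak is an assumption of this script.

```python
"""Audit the Keycloak TLS settings discussed in this section (added example)."""
from typing import Dict, List

# Assumption: protocol names as the JVM spells them; none of these should be advertised.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse keycloak.conf key=value lines, skipping blanks and '#' comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_tls(conf: Dict[str, str]) -> List[str]:
    """Return findings for the HTTPS listener options covered in this section."""
    findings: List[str] = []
    has_keystore = "https-key-store-file" in conf
    has_pem = "https-certificate-file" in conf and "https-certificate-key-file" in conf
    if not (has_keystore or has_pem):
        findings.append("no TLS key material: set https-key-store-file or "
                        "https-certificate-file/https-certificate-key-file")
    if has_keystore and "https-key-store-password" not in conf:
        findings.append("https-key-store-file set without https-key-store-password")
    if has_keystore and conf.get("https-key-store-password") == "password":
        findings.append("keystore password is the book's example value; replace it")
    for proto in conf.get("https-protocols", "").split(","):
        if proto.strip() in WEAK_PROTOCOLS:
            findings.append(f"https-protocols advertises weak protocol {proto.strip()}")
    return findings


def audit_realm(realm: dict) -> List[str]:
    """'Require SSL' is sslRequired in the realm representation; 'all' is recommended."""
    value = realm.get("sslRequired", "external")  # Keycloak's default is 'external'
    if value == "all":
        return []
    return [f"realm {realm.get('realm')!r}: sslRequired={value}, expected 'all'"]


# Constructed sample: the conf from this section and a realm still at the default.
SAMPLE_CONF = "https-key-store-file=${kc.home.dir}/conf/mykeycloak.keystore\n" \
              "https-key-store-password=password\n"
SAMPLE_REALM = {"realm": "myrealm", "sslRequired": "external"}

if __name__ == "__main__":
    for finding in audit_tls(parse_conf(SAMPLE_CONF)) + audit_realm(SAMPLE_REALM):
        print("FINDING:", finding)
```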
In this topic, you learned how to enable HTTPS and the importance of doing so. You also learned that Keycloak allows you to define HTTPS constraints on a per-realm basis.
In the next topic, we will be looking at how to configure a production-grade database.