Roles defined in OAuth 2.0:
- Resource owner
- Resource server
- Authorization server
Which flow to use:
- Client Credentials flow if the application is accessing the resource on behalf of itself (the application is the resource owner)
- Device flow if the application is running on a device without a browser or is input-constrained (i.e. smart TV)
- Otherwise Authorization Code flow.
Do not use Implicit flow or Resource Owner Password Credentials flow at all.
Strategies that can be used to limit access for a specific access token:
To verify an access token:
- Retrieve public key from JWKS endpoint
- Verify the signature
- Verify that token is not expired
- Verify the issuer, audience and type of token
- Verify any other claims that your application cares about
Internal applications (first-party) are those owned byt the enterprise. It may be self-hosted of SaaS. No need for user’s consent.
External applications (third-party) should require user’s consent.
Possible architectures of an application we are securing:
- Server side
- SPA (Single Page Application) with dedicated REST API under the same domain.
- SPA with intermediary API under the same domain (which it turn may call external APIs)
- SPA with external API
Securing native and mobile applications. How to return authorization code to the application:
- Claimed HTTPS scheme. Native application claims scheme like https://my.app.org. Such URL then open in the app instead of a browser.
- Custom URI scheme. Such request is sent (open) by application. Example: org.app.my://oauth2/provider-name .
- Loopback interface. Application opens temporary web server on random port,i.e. https://127.0.0.1:2345
- Special redirect URI, i.e. urn:ietf:wg:oauth:2.0:oob - authorization code is displayed by Keycloak for manual copy & paste.
Example authorization strategies:
- role-based access control (RBAC). Keycloak has realm and client-level roles.
- group-based access control (GBAC)
- OAuth2 scopes
- attribute-based access control (ABAC)
Keycloak cal act as a cenralized authorization service through a functionality called Authorization Services.
For production set up:
- properties.adminURL (make it private URL)
- production database (encryption in transit and at rest)
- possibly clustering and load balancing
- password policy
- enable refresh token rotation
- use ECDSA (Elliptic Curve Digital Signature Algorithm) for signatures instead of RSA
Keycloak uses Apache Freemaker for templates.