KubeConRecap_nakamura.pdf

© Hitachi, Ltd. 2023. All rights reserved.
Keycloak: The Open-Source IAM for Modern Applications
日立製作所中村雄一
KubeCon EU 2023 Recap

1
自己紹介
• 2000年代： SELinuxに関するOSS活動
- 組込み向けSELinuxの開発、パフォーマンスチューニングなどをOSSコミュニティ貢献
- SELinux設定ツールのOSS公開 (SELinux Policy Editor)
- イベント登壇 (Ottawa Linux Symposium, CE Linux Forum, USENIX LISA 等)
- 学術論文執筆、SELinux書籍執筆
• 最近の活動
• The Linux Foundationのボード対応、CNCF、OpenSSFの対応
• 「OSSセキュリティ技術の会」での技術者・学術関係者の交流
• Keycloak関連ビジネスやコントリビューション活動の立ち上げ
• API管理・認証関連サービス立上げ
• Keycloakメンテナを育成
• Keycloak書籍執筆：認証と認可Keycloak入門（リックテレコム）
中村雄一＠日立製作所個人のtwitter: @yhimainu
• 今回KubeConデビュー
• Keynoteのパネル登壇
• Co-locatedイベントのOpenShift Commons Gathering登壇
• メンテナトラック登壇

2
ご紹介するセッションについて
• 4月にIncubation ProjectになりたてのKeycloakのメンテナトラック
2018年に提案開始し、5年近くかかりCNCF入り！！！
• Keycloakプロジェクトとしても、KubeCon EUで急遽メンテナトラックが持てることになったが、メンテナ
達の都合がつかず、メンテナの代理が対応することに…
• Red HatのAlexander Schwartzさんと、中村が担当
• Red Hat : Keycloakプロジェクトを立上げ、ホストしており、大多数のメンテナが所属
→ AlexanderがKeycloakの基本的な紹介
• 日立 : APIセキュリティ向けの開発を主に対応し、同僚の乗松さんがメンテナに就任
→中村がAPI認可向けの機能の紹介

3
Keycloakのできること
出典： https://kccnceu2023.sched.com/event/1LQDS/keycloak-the-open-source-iam-for-modern-applications-alexander-schwartz-red-hat-yuuichi-nakamura-hitachi
アプリの認証と認可をKeycloakに任せられる

4
デモ環境
・ Grafanaの画面へのログインをKeycloakにお任せ
・ Grafanaにログインして、Keycloakのメトリクス情報を閲覧

5
Keycloakのメトリクス取得
Metricsエンドポイントから取得可能になっている

6
Keycloakのログイン画面を通してGrafanaダッシュボードにログイン

7
さまざまな認証方法をサポート
・パスワードレス認証ができるWebAuthnをサポート
・任意の認証方式を作りこめるし、任意に組み合わせることもできる

8
最近の変更点
・大きいところは、APサーバがWildflyからQuarksがデフォルトになった、
管理コン��ールの画面が変わった点

9
今後の開発予定
・ゼロダウンタイムのアップグレードに期待
・会場からはCross-DCクラスタの加速について要望

10
中村担当パートの背景： Keycloakとの関わり
・ 2017年頃より、API公開が金融業種中心に増加、
セキュアにAPI公開するためOAuth2.0の認可サーバが必要だった
・ OAuth 2.0の認可サーバを自分たちだけで作ることは困難だった
- 大量の周辺仕様、仕様のアップデート、実装ミスは事故直結
・ OSSの認可サーバを探していたところ、「Keycloak」を選定
- 粗削りであったが、コミュニティが活発で新たな開発者を受け入れる風土
- 実装がきれいで拡張性がある
・高いセキュリティレベルを満たすための機能や顧客要望機能を開発貢献し、
自分たちのソリューションに使いやすいものにしていった
機能が充実→ さらに多くのお客様にKeycloakを使って頂ける
→フィードバックを開発貢献→ さらに機能充実→ さらに使って頂ける…の好循環に！
・メンテナも輩出 (乗松さん）
・ Keycloak CNCF入りもLinux Foundation Platinumメンバとして支援

11
Background: APIs everywhere
API is an interface for a service, currently REST API is widely used. APIs are opened
to other applications and services as a trend of digital transformation.
{ API }
Finance
Public
Industry
OpenAPI is being enforced or
strongly recommended by law in
many countries.
Services of governments and local
governments are opening APIs. APIs
are used by applications by 3rd party.
APIs are essential part of digital
services as interfaces for 3rd party
and mobile applications.
Moreover, API economy is being created
among parties in different sectors.

12
Background: Security risks in API area
Security must be considered for APIs because they are opened to the Internet. As a first
step of security, authorization is necessary. OAuth 2.0 is a de-facto standard of
authorization of APIs. However, there are risks when we use the OAuth 2.0 improperly.
A bank
3rd party
Fintech
Service
Client:
Digital
Household
Account book
Users
Services
by APIs
Account
Information
APIs secured by OAuth 2.0
Authorization
Server
ID/PW
Access
Token
ID/PW are
not kept
Resource
Server
High-level security is
required
Leakage of access token
Replay attack, CSRF attack
Example of risks
APIs handling asset of users
APIs handling personal information

13
Toward high-level API security
For high-level API security, a specification called FAPI security profile is getting attention
globally. FAPI is security profile describing secure usage of OAuth 2.0 and OpenID
Connect(OIDC).
OAuth 2.0
OpenID
Connect
(OIDC)
FAPI
Specification for authorization by access token.
It is a framework of authorization, but improper
implementation often leads to vulnerabilities.
Some secure usage of OAuth 2.0 is introduced and
OIDC can be used for authentication by ID token.
However, improper implementation is still not
restricted.
Secure usage of OAuth/OIDC is described across
the protocol flow, including usage of optional
specification of OAuth(e.g. PKCE) and lower layer
protocol (SSL/TLS) usage.

14
Requirements specified by FAPI
[Main requirements]
* Limitation of version (1.2 or later)、Limitation of
Cipher Suite、usage of RFC 6125
* Limitation of scheme(only HTTPS)、HTTP Strict
Transport Security
* Limiting signature/crypto algorithms
* Usage of state parameter for authorization request
* Usage of nonce parameter for authorization request
* Usage of Hybrid Flow, ID token is used as a signature
* Usage of Proof Key for Code Exchange(PKCE)
* Holder-of-Key Token for access token by MTLS
* s_hash,c_hash parameter for authorization response
* Usage of signed Request Object
TLS on TCP
HTTP
OAuth 2.0
OpenID Connect
1.0
FAPI

15
Sequence to call API using FAPI
Resource owner/
Browser
Client
Authorization
Server
Resource
Server
redirect
redirect
* Authorization request is not tampered/replayed
* Legitimate client generated the authorization request
* User is authenticated to an appropriate Level of
Assurance
* Response is not tampered/replayed
* Legitimate server generated the response
* Sender of the request is the client who received
authorization response
* Sender of the token is the client who received the
token in the token request
[Security checks specified in FAPI]
2. User Authentication,
Consent
3. Authorization Response
5. API call
(with access token)
4. Token Request, Response
（Client Authentication)
[Step]
1. Authorization Request
* Client is authenticated by appropriate way(not by
client id/secret)
token

16
Sequence to call API using FAPI
redirect
redirect
• Each HTTP request/response belongs to one
logical session
cookie,
state/nonce
state/nonce
cookie or
query parameter
cookie or
query parameter
state, code
cookie,
state, code
code
id_token(nonce)
Resource owner/
Browser
Client
Authorization
Server
Resource
Server
2. User Authentication,
Consent
3. Authorization Response
5. API call
(with access token)
4. Token Request, Response
（Client Authentication)
[Step]
1. Authorization Request
[Security checks specified in FAPI
among steps ]

17
Various API security profiles
◼ Security profiles based on FAPI, specified by organizations in various countries
[UK : OpenBanking]
- OpenBanking Financial Grade API (FAPI) Profile
- OpenBanking CIBA Profile
[Australia : Consumer Data Right (CDR)]
- Consumer Data Right Security Profile
[Brazil : Open Banking Brasil]
- Open Banking Brasil Financial-grade API Security Profile
- Open Banking Brasil Financial-grade API Dynamic Client Registration
[Kingdom of Saudi Arabia: (KSA) Open Banking]
◼ FAPI 1.0 family : specified by OpenID Foundation
- Financial-grade API Security Profile 1.0 - Part 1: Baseline
- Financial-grade API Security Profile 1.0 - Part 2: Advanced
- Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
- Financial-grade API: Client Initiated Backchannel Authentication Profile (FAPI-CIBA)
• There are various security profiles related to FAPI, they are not stable, often updated.
• Conformance tests and certification program are provided by OpenID Foundation,
To prove compliance, it is important to pass conformance tests.

18
Collaboration: FAPI-SIG in Keycloak community
It is difficult to implement security profiles ...
• There are a lot of specifications to support security profiles.
• Specifications and conformance tests are often updated.
• Configuring Keycloak for security profiles is not easy.
Some people were interested in security profiles,
to accelerate collaboration FAPI-SIG was launched in Keycloak community in Aug 2020.
My colleague Takashi Norimatsu is leading.
• github - keycloak/kc-sig-fapi - https://github.com/keycloak/kc-sig-fapi
• Bi-weekly or Monthly webconf
Everyone can join and contribute !
補足：FAPI-SIGは、2023年6月よりOAuth-SIGに改名します

19
Achievements of FAPI-SIG
In FAPI-SIG, development of features required for conformance to security profiles has been
promoted.
<keycloak 13>
• Client Initiated Backchannel Authentication (CIBA) poll mode
<keycloak 14>
• FAPI 1.0 Baseline Security Profile
• FAPI 1.0 Advanced Security Profile
• Client Policies (Configuration framework)
<keycloak 15>
• Client Initiated Backchannel Authentication (CIBA) ping mode
• FAPI Client Initiated Backchannel Authentication Profile (FAPI-CIBA)
• FAPI JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
• OAuth 2.0 Pushed Authorization Requests (PAR)
• Brazil : Open Banking Brasil Financial-grade API Security Profile

20
Achievements of FAPI-SIG
Results are also available at https://github.com/keycloak/kc-sig-fapi
• Recent Keycloak can pass major conformance tests.
• In order to prove conformance to security profiles, it is effective to pass conformance tests provided from
OpenID Foundation. However, setting up environment and running tests in every version up of Keycloak is
very hard work.We developed conformance test execution environment for Keycloak using Docker containers.

21
Contribution is welcomed
• API security profiles are evolving, Keycloak also should catch up the latest
standards.
• OIDC4IDA, FAPI 2.0, OAuth 2.1 etc…
• If you are interested in API security profiles for Keycloak, let’s join FAPI-SIG
meeting. Meeting schedule is announced in Keycloak-dev mailing list.
https://groups.google.com/forum/#!topic/keycloak-dev/Ck_1i5LHFrE
補足：
KeycloakのslackチャンネルもCNCFにできました
https://www.keycloak.org/community より引用↓
Join #keycloak, or #keycloak-dev on Slack for design discussions, or
questions by creating an account at https://slack.cncf.io/

22
会場の反応＆個人の感想
・ 300人ほど入りそうな会場はほぼ満席。セッション終了後も残って議論が盛り上がった
・ユーザーとの接点を増やすべきという要望が多いように見受けられた
- ユースケースの情報交換
- ドキュメンテーションの充実
FAPIについても要望があった。確かに、分かる人にしか分からない状況。
・ Keycloakコミュニティは、「開発者コミュニティ」は順調に拡大しているが、
ユーザーコミュニティについては、まだまだであり、
充実させるよう働きかけて＆貢献していきたい
・ KubeCon NAでは、ブース��展や前日のProject meetingも実施したい
・リアルイベント重要

23
Trademarks
• OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other
countries.
• Red Hat is trademark of Red Hat, Inc., registered in the United States and other countries.
• Other brand names and product names used in this material are trademarks, registered trademarks,
or trade names of their respective holders.

KubeConRecap_nakamura.pdf

Related slideshows

Recommended for you

Recommended for you

Recommended for you

Recommended for you

Recommended for you

Recommended for you

More Related Content

What's hot

What's hot (20)

Similar to KubeConRecap_nakamura.pdf

Similar to KubeConRecap_nakamura.pdf (20)

More from Hitachi, Ltd. OSS Solution Center.

More from Hitachi, Ltd. OSS Solution Center. (20)

Recently uploaded

Recently uploaded (20)

KubeConRecap_nakamura.pdf