Red Hat-supported version of Keycloak.
Authorization: Basic Base64(user:password)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0...iaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
{
"alg": "HS256",
"typ": "JWT"
}
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)
Google, Facebook, ...
Tested and feedback
Complex to integrate
- post:
    url: "/auth/realms/{{ realm }}/protocol/openid-connect/token"
    body: "grant_type=client_credentials&client_id={{ clientId }}&client_secret={{ secret }}"
    capture:
      # captured values are referenced below as {{ access_token }} / {{ refresh_token }}
      - json: "$.access_token"
        as: "access_token"
      - json: "$.refresh_token"
        as: "refresh_token"
- post:
    url: "/auth/realms/{{ realm }}/protocol/openid-connect/userinfo"
    headers:
      Authorization: "Bearer {{ access_token }}"
grant_type: password
| | Authorization code | Client credentials | Resource owner |
|---|---|---|---|
| Web App (Template) | confidential | | |
| SPA | public | | |
| Backend (API) | | API Key | |
| Mobile | confidential | | |
| CLI | public | | compatibility |
use ONLY OIDC standard endpoints
(exclude Keycloak admin API use)
define UNIQUE responsibility and UNIQUE owner for data
(unique user reference)
| | Keycloak | Application |
|---|---|---|
| New microservice (light) | users, roles, claims | (1) |
| New microservice (complex) | (2) | users, roles, claims |
| Legacy application | (2) | users, roles, claims |
split public and private resources
(Front office for administration and another for customers = 2 APIs)
One realm per security strategy
One application container per realm
One style guide per realm
(Unique corporate identity for login and email)
Clean and easy user management
Developer platform (docker image + dev shared profile)
Business domains and trademarks isolation
Limit account duplication