1 of 25

You’ve got Microservices. Now Secure Them!

Steve Pousty (@TheSteve0)

Stian Thorgersen (@stian_st) - In Spirit

Red Hat - we do fun things

http://bit.ly/j1ddslides

Sample code: https://github.com/thesteve0 (search for j1)

2 of 25

Goals

  • Talk a little about Microservices
  • A little about centralized authentication
  • See it in Action

3 of 25

Microservices

4 of 25

5 of 25

Key Points

  • Distributed services rather than monolith
  • Best practice seems to be 1 functional area per service
  • No sneaky backdoors, everything goes through APIs and Messaging Services
  • No specific technology required!

6 of 25

Some Architectural Patterns

7 of 25

What you used to do

  • A monolith where all authentication used to happen in the app server

8 of 25

The new fancy way

  • You have an authentication service just like all the other services.
  • It should be distributed and fault tolerant
  • It should be able to scale independently
  • It should have a standard way to interact

9 of 25

So how do I get my hands on this hotness?

  • Stormpath
  • Auth0
  • We are going to show an installable FOSS project from Red Hat called Keycloak
  • BUT WAIT - now also available as Red Hat SSO

10 of 25

Open Source Identity and Access Management

by Red Hat

http://keycloak.org

11 of 25

12 of 25

Authentication

  • Keycloak deals with authentication
  • Safely store passwords
  • Two factor authentication
  • Customizable flows
  • Single Sign On

13 of 25

Protocols

  • OpenID Connect
  • SAML v2
  • Kerberos SSO Bridge

14 of 25

Clustering

  • Scalability
  • High availability
  • Based on Infinispan caches

15 of 25

Admin Console

16 of 25

Account Management

17 of 25

Client Adapters

  • Easy to use client libraries
  • JavaEE, Spring, JavaScript, NodeJS and mobile
  • More to come
  • Can also use
    • OpenID Connect Resource Provider libraries
    • SAML v2 Service Provider libraries

18 of 25

Service Provider Interfaces (SPIs)

  • Keycloak aims to be an out of the box solution
  • But! Some people have custom requirements
  • That’s why we have SPIs
    • User Store
    • User Federation
    • Authentication
    • Required Actions
    • And many more, even pluggable protocols

19 of 25

Themes

20 of 25

Identity Brokering

21 of 25

User Federation

22 of 25

Demo Time!

  • Take some microservices with different patterns
  • Show how easily we added Keycloak
  • Show the magic we can now do
  • PROFIT!!!

23 of 25

Architecture

24 of 25

https://bit.ly/j1ddgen

25 of 25

Takeaways

  • Microservices architecture brings some interesting application capabilities
  • It also adds some interesting challenges – authentication being a BIG one
  • Make your authentication just another service
  • Products/projects like Keycloak, Stormpath, and Auth0 can make it easy to bring the authentication love