Software engineer explains: Keycloak

Each month we interview a software engineer about an application or tool Sofico uses daily. This month, Wim Hofman (picture below) talks to us about Keycloak.

What is Keycloak?

Keycloak is an identity and access management solution aimed at modern applications; this Java application allows Sofico to secure its services and applications.


Why do we use Keycloak?

Authentication and authorization are required in most modern solutions, whether it is a web application, a REST API, or other types of services that involve the secure handling of data and users. Implementing this can be incredibly time-consuming and there are many mistakes that can be made along the way.

This is where Keycloak comes in, an open-source solution that can solve challenges such as:

  • Authenticating users and processes.
  • Authorizing access to resources exposed in the public domain.
  • Adding additional information about a user from external resources, such as organization membership, roles, etc.

With this, we can provide fine-grained authorization to our services, without our applications having to deal with login forms, authenticating users, and storing users.

It allows us to use standard protocols and provides support for OpenID Connect, OAuth 2.0 (Open Authentication), and SAML (Security Assertion Markup Language).

How do we use Keycloak?

Sofico uses the OpenID Connect protocol as implemented by Keycloak. This acts as an identity provider.

When trying to access, for example, one of the MMP (Miles Microservices Platform) applications or, as a third party, the publicly available APIs (Application Programming Interfaces), we need to verify whether the user has access and what their roles are.

When a user has no valid access token while trying to access the MMP platform, redirection to a login page will occur. On this page, the user can provide credentials. When all credential checks pass, the user gets an access token and is redirected to the requested MMP web application.

From this web application, the access token is used as a header to call the needed APIs to render the application. The token itself is then verified by the API gateway (Tyk). If the user has access to the requested API, the request is forwarded to the API itself.
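An added example, not from this article or from Keycloak or Tyk, of the checks the gateway step above performs on the bearer token before forwarding a request: signature, issuer, audience and expiry, followed by role extraction from Keycloak's realm_access and resource_access claims. It signs with HS256 and a constructed shared secret so that it runs offline with the standard library; a real Keycloak realm signs with RS256 and the gateway fetches the public key from the realm's JWKS endpoint, and the issuer, audience and role names below are constructed.

```python
import base64, hashlib, hmac, json, time
# Constructed values for this example. A real gateway takes the issuer from the
# realm URL and the verification key from Keycloak's JWKS endpoint.
ISSUER = "https://sso.example.test/realms/mmp"
AUDIENCE = "mmp-api"
SECRET = b"example-shared-secret"  # HS256 stand-in for Keycloak's RS256 realm key

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims):
    """Build an HS256 JWT with a Keycloak-style claim layout (test helper only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token, now=None):
    """Return the claims if the token is valid for this API, else raise ValueError.
    These are the checks a gateway performs before forwarding a request upstream."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own alg
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])  # Keycloak emits a string or a list here
    if AUDIENCE not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("token not issued for this API")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def roles_from(claims, client_id=AUDIENCE):
    """Collect realm roles and client roles the way Keycloak lays them out in the token."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return set(realm) | set(client)
```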

Multi-Factor Authentication

Recently we also developed Multi-Factor Authentication as required by some of our customers. With MFA an additional authentication step is introduced: a user must fill in an additional code received by email or SMS. The use of an authenticator app is also supported.

Keycloak also has the flexibility to use IAM (Identity and Access Management) applications from our customers. One of these examples is LDAP (Lightweight Directory Access Protocol).

What's next?

As a next step, we are looking into integrating WebAuthn (Web Authentication), which is a new upcoming standard published by the World Wide Web Consortium (W3C). WebAuthn is resistant to active man-in-the-middle attacks. It can use cryptographic hardware (e.g., a USB stick used as a security key) or even biometric sensors such as fingerprint readers, iris scanners, and voice recognition (identification by the unique characteristics of your voice).
