Keycloak as Fun

airhacks.fm podcast with adam bien - A podcast by Adam Bien

An airhacks.fm conversation with Sebastien Blanc (@sebi2706) about: Thomson MO5, every school in France needs to have a computer, printing the name with BASIC, the REM sadness, making yellow boxes, programming Logo in French, writing "root" and "house" procedures, no procedures in BASIC, the ACSLogo for Mac OS X, Berkeley Logo (UCBLogo), the Amstrad PC1512, using the AMOS programming language for writing games, writing invoicing software at 14 with AMOS, Zak McKracken and the Alien Mindbenders, Siemens Nixdorf PC, QuickBasic on Siemens Nixdorf DX2-66, the Persistence of Vision Raytracer, average calculation for school grades with QuickBasic, writing ballistic games in TI BASIC (TI 99/4A), playing Nirvana on electric guitar, starting with Java in 2002, the Rational Rose Logo Edition, learning Java EE on JOnAS, Apache Tapestry, consulting with Apache Jetspeed, writing Java EE code for 7 years, hard times with WebSphere, Xerces and ClassLoading, refactorings to Maven, mobile web / Grails involvements, starting at Red Hat's mobile team - AeroGear, Matthias Wessendorf, Matthias loves JavaServer Faces (JSF), the unified push server, starting Keycloak involvement, the security challenge, the Keycloak religion, Keycloak ships as a WildFly distribution, Keycloak is a WildFly subsystem, Keycloak uses Hibernate for persistence, Keycloak manages users with credentials, Keycloak ships with a ready-to-use UI to manage users, Keycloak functionality is exposed as REST services, there is a Java client available - as a REST wrapper, Keycloak is a "remote" proxy realm, Keycloak ships with adapters for major application servers out-of-the-box, Keycloak comes with SSO - different application servers can share the same session, the security realm is a "territory", in Keycloak a session is optional -- a microservice can use a JWT token, using OIDC tokens, Keycloak comes with servlet filters for servers without adapter support, the new Keycloak approach is the Keycloak Gatekeeper, Keycloak Gatekeeper is a sidecar service, Apache mod_auth_openidc, Keycloak is OIDC compliant -- any generic OIDC library should work, the JWT creation tool JWTenizr, the "Securing JAX-RS Endpoints with JWT" screencast, the OAuth flows, OAuth authorization code flow, implicit flow and the hybrid flow, an access token has to have a short lifetime, using service accounts for schedulers, Keycloak has a logout backchannel - available from the servlet filter, pushing a timestamp also causes logout, HttpServletRequest#logout also logs out, the killer feature: Keycloak stores the private keys in one place and makes the public keys available via a URI, Sebastien Blanc on Twitter: @sebi2706