From YouTube: OpenShift Commons Briefing #129: KeyCloak for Cloud Natives with Boleslaw Dawidowicz (Red Hat)
Description
Keycloak (https://keycloak.org) is an Open Source Identity and Access Management Solution for today’s Cloud Native Applications and Services. It provides easy ways to incorporate token based security (OAuth2/OpenID Connect) into your applications. In this briefing, Stian and Boleslaw demonstrate how Keycloak can be leveraged to securely invoke services deployed on Istio Service Mesh. You will also learn about current directions of development on consuming Keycloak within or integrating it with OpenShift.
A
Hello, everybody, and welcome to another OpenShift Commons briefing. Today's presentation is from some of the key members of the Keycloak community, on Keycloak for cloud natives, and I'm looking forward to hearing this, because Keycloak is one of my favourite projects and is picking up steam in the OpenShift ecosystem, and there's wider airplay. So without any further ado I'm going to let Boleslaw and Stian introduce themselves. The format will be: ask questions in the chat, we'll answer them in the chat; otherwise, we'll have live Q&A at the end.
B
So, first of all, the reason we are doing this presentation is: we want to help you to be cloud native, and I'll explain why we believe we can do so. So recently we've done a community survey. We asked our community how they use Keycloak. We asked for their favorite features. We asked for feedback: where should we improve? We had a pretty good turnout. We hit nearly 100 responses within a week or two, and one of the surprising facts was how people deploy Keycloak.

So Keycloak is a Java middleware project, and traditionally the consumption method for a Java project is just a zip distribution: because it's a JVM-based solution, you just unzip and run with Java. But actually Docker is on a good path to surpass our zip usage, and combining OpenShift, Kubernetes, Docker and AWS, over half of our deployments are actually cloud based, it seems. So we do believe we actually are a good solution and quite a good fit in the cloud native world, because we see that Keycloak is being used in such scenarios and environments heavily.

Now, what is Keycloak? Keycloak, first of all, is an open source project. It is an identity and access management solution, and it is a project, a solution designed for modern applications, APIs and services, cloud native mainly. On a very high level, you connect your application with Keycloak using some common standards like OpenID Connect or UMA, which are both OAuth based, or SAML, and then Keycloak can integrate with a lot of other solutions, and your applications can gain certain token based security capabilities.

So with easy integration with Keycloak you gain a lot of capabilities you don't need to implement yourself, so you won't make any mistakes implementing them: login screens and registration for applications, various social login and authentication methods. You can easily configure a setup screen for user self management, by a set of items, and management capabilities in terms of users, roles, also group management, session management. So, for example, single login or logout of a number of applications, for clients which are authenticated with a certain identity.
C
Okay, good, so I hope that was what the demo gods had in store for me for today, and everything else goes smoothly, right. So what I'm going to show is: I'm going to deploy Keycloak to OpenShift, and I'm also going to deploy a Node.js application or service, and I'm going to deploy an HTML5 application, and I'm going to show how these can easily be secured.

Then I have a username and password that I can remember for logging in to the admin console of Keycloak, and that is pretty much it. So now I have Keycloak being deployed, and while we're waiting for that to start, I'm going to deploy the Node.js service that we're going to be securing, and I'm going to be using the Node.js S2I so that I can get my code easily deployed to OpenShift, so I'll give it a name and I'll paste.

And then I'll go and create this. So while we're waiting for that, we're going to go off and we're going to deploy this HTML5 application. I've chosen to wrap this up as PHP, because that lets me inject configuration values into the application, as I need to configure where the service is deployed and also where Keycloak is. In my code, therefore, this one, and again I want to be using the secure route, and now I need to give it the Keycloak URL, and I also want to give it the URL for the service.

And then we'll create this, okay. So now we have all our three things deployed into our OpenShift project, but let's go and take a look at the Keycloak admin console. So we're getting a warning here, because we're using self-signed certificates, which is fine for development, but in production you would use proper certificates. Let's see.

So what that did is that it created this realm called demo, and then it created a client, and this is what's needed for Keycloak to be aware of your application, because an application needs to be registered with Keycloak to be able to do a login, and it also needs to have the URL of the application so that it knows that it doesn't redirect to any unknown or untrusted applications.

Now we can go back to the application, and we see it's a very simple HTML5 application, and it has a login button. Behind this login button it basically just calls the Keycloak JavaScript adapter and just calls login on that. That's all it has to do to be able to provide login capabilities to this application.

So now I'm logged in, and the application is able to pull from the token that it gets some details about who I am. In this case, just for simplicity, it's providing my username, but the application has access to all the details about me as well. And now I can invoke this service, so I have a public endpoint that doesn't need any security, and I have a secured endpoint.
That needs an access token that the application obtained from Keycloak that contains this user role, but it also has an admin endpoint which I'm not currently allowed to invoke, and that's because my user hasn't been given this role. So I can always manage all my users nicely through Keycloak, so to be able to make myself into an admin, all I need to do is go to the role mappings and I'll add this role to my user.

If I now go back to the application, I'll refresh the page so that I get a new token that now includes this admin role. I can now successfully invoke the admin endpoint. Now we can have a very quick look at seeing how few changes are needed to the application and services to be able to use the Keycloak adapters. So we have a very simple Node.js service.

In this case, it's injecting that from the environment variable, and I can see how easy it is from the Node.js code to be able to actually secure the endpoints. So to be able to start using Keycloak, all you need to do is just initialize the adapter, and then you can protect the endpoints. In this case, you can see that the service's secured endpoint is using keycloak.protect to require the user role to be able to invoke that particular endpoint.

In this case, we're going to use GitHub, and all I need to do is to go to GitHub, and I need to create a client configuration in GitHub, and then I need to get the client ID and a client secret and add it to Keycloak, and now that's all I need to do to be able to log in via GitHub to my applications. Now you can see, if I go back and I log in again, I now have this link to be able to log in via GitHub.

I've been logged in, and a user has been created on behalf of my GitHub user inside Keycloak, so I can have a look at that. I can now see that in the users we now have two users, and we can see that this second user that was created has a link to GitHub, and it provides the details about what GitHub account it is linked to. Other things that we can do through the admin console is that we can link to external user storage providers.

Taking a look at a couple more things before we move on with the presentation: we have the ability to customize the authentication flows completely, and again, you can customize your authentication flows in the Keycloak server, and there is no change needed to your applications to now allow users to log in in a different fashion.

So, for instance, if we wanted users to be able to self register, or we want users to be able to recover their passwords if they lose these, or we want users to be able to keep their sessions when they restart their browsers or close them, these are just a toggle away. And now, when I log into the application again, I now have more features available to log in to the application, obviously all without having to redeploy the application and make any changes to my application.
These can be LDAP directories, Active Directory, or it could be a custom relational database. So Keycloak has always been built with scale in mind, and clustering. We've had clustering from day one, so within a single data center, and we have recently added support to be able to cluster across multiple data centers. This is a feature that's currently in tech preview, and we're hoping to polish this and make it easier to set up, where the main issue that we're having today is that the setup can be a little bit complicated.

So Keycloak is lightweight and it's easy to start using. Obviously we're aiming to provide an out-of-the-box experience with a minimal amount of steps to get it up and running. It is based on the JVM, so it's portable and there are no hard system dependencies, which makes it easy to get it up and running. It's also lightweight, so you can run it on your laptop alongside all of your development tools when you do.

Keycloak is built on top of an application server, and we've chosen to use WildFly, which, obviously, as the application server, is then layered on top of the Java virtual machine. The reasoning for this is that we wanted to make Keycloak into an enterprise level IDP, and we wanted to have clustering aspects and transactions and other enterprise level features without having to spend too much time wiring this and doing this logic ourselves.

Keycloak itself is layered on top of a thin core. The core does basically just bootstrapping and wiring. It does a bit of configuration and it has a number of SPIs. So an SPI is an API that allows you to deploy your own custom providers, and that lets you customize any aspect of Keycloak. We have SPIs for the login protocol, for storage, for authentication, identity providers, events, and we have a total of 73 SPIs. So basically all aspects of Keycloak are made as a pluggable architecture and a highly customizable architecture.

Taking a look at how we use these SPIs, looking at how we deal with storage, we decided to only support relational databases and not have alternatives like NoSQL or file based systems. That's because we would prefer to focus on one implementation rather than thin out and try to support everything, and relational databases were obvious from the fact that it's enterprise grade and obviously has high quality transaction support.

So we have one layer that implements the database, which stores all the realms, the users and clients, and obviously this is a pluggable thing that you plug into Keycloak. And then, on top of this, there's a caching layer which uses Infinispan, and that talks to the database layer, and this caching layer is not hard linked to the fact that it's a database underneath. So if we were to want to support a different type of storage in the future, we can still keep the caching layer intact, or we could change the caching layer and keep the database layer intact. So everything is built with being pluggable and being modifiable in the future, if we need to.

So we can look at one more example of how SPIs are used. So we have the login protocol, which is an SPI, and we've implemented the OpenID Connect and the SAML 2 providers for this login protocol. There's also community maintained protocols for WS-Federation and CAS, and these are all pluggable directly into Keycloak without having to fork or change the underlying code base in any way.
B
So Keycloak as a project started around early 2014. The origins of this are quite interesting, so there were two prototypes. One was implemented by Stian, who is with us here, and one by Bill Burke, one being around easy security for REST endpoints and the other providing security as a service for applications. And when we put it together as a project and released it around June, actually, we had a very fast, like skyrocketing adoption.

The reason behind it, we believe, was twofold. One was that we had a very easy to use UI, and people were really able to pick it up and secure their applications very quickly with it. The other was because they were pretty focused prototypes, pretty complete ones, like very early on we had very complete and usable software, and actually later on we were very surprised with people going into production with early alphas of Keycloak.

Okay, we had pretty nice Keycloak statistics growing all the time, and the good part about Keycloak is, even though there is a strong group of Red Hat employees working on it, all of the discussions regarding design and development are happening in public mailing lists, and we have healthy traffic on those, both from people from Red Hat and from people external to Red Hat. So it's a very healthy and vibrant community.

First we released it like every six weeks; now we are trying to make a Keycloak release every three weeks, so we really try to be very active pushing out what we do. So if you see the numbers for recent releases, that's a pretty strong user base. But we did a query on people who contribute on GitHub, so those are the company names obtained from GitHub profiles of the Keycloak contributors. As you can see, those people who contributed to Keycloak or related are a pretty recognizable and quite impressive list of organizations. At Red Hat there's over 20 people working full time on the project, and yeah, there are a lot of other people contributing from Red Hat, so I'll say that the number of people engaged from only Red Hat is even greater.

As I mentioned at the beginning, recently we've done a survey in our community. We asked a number of questions, but one of them was: are you interested in being a public reference? And those are the organization names people filled in into the survey and for which they ticked the box agreeing to be a public reference. So, as you can see, it's a pretty long list and also quite a few fairly recognizable names here.

Another thing we are very proud of as a project is, so you know, in the developer world there is a pretty well known company called ThoughtWorks, and they are famous for their annual Technology Radar, where they suggest projects to either assess, trial or, like, go to production with, and we are considered as a project to trial by them, which actually, by their standards, is a pretty good mark. And I highlighted the quote. So we are an open source identity and access management solution.

There are a number of other projects in this space; that's changing all the time. I will not go into a detailed comparison, and I don't want to say anything kind of like a one-to-one comparison, because to have a fair project comparison it needs to be detailed, and we don't have time for it. But I do want to mention a few things where we think we do stand out. Like I mentioned, we have a very strong and healthy and open community with a high number of active contributors from outside. We try to maintain focus.

Although it's very interesting, because we also desire to be highly customizable and pluggable, like Stian explained with the SPIs, and if you Google CAS or WS-Fed and Keycloak, you will find plugins which are actively maintained. Like, you can see commits from this or last week in those repositories, which are fairly well documented, and you can clearly see people are actively maintaining it, probably using them in production. This makes us really happy, and we try to make such plugins, extensions, customization as easy as possible.

So just quick highlights in the roadmap: we invest in an external adapter, so we want to have a capability to secure applications without altering them at all, so fronting them with our adapter. That's another great example, because someone developed such an adapter in the community, and right now we are working on refactoring this codebase and migrating, just plugging it into the Keycloak repository.
A
keycloak.org is where you can find all the documentation on this. Someone was just asking where the literature was, and they've got a pretty good, robust site there. And someone was also asking if this was OpenShift specific, to which I just answered no, it can run anywhere, and, just maybe you want to make that clear.
B
So we are not OpenShift specific. We can run on premise, so we are a JVM based solution: still the little zip that you can download, this is it, and you can run it with the JVM. You can run it locally as a Docker image, or you can deploy this Docker image with the templates into OpenShift or into Kubernetes. Both Minishift and Minikube would work, and there are examples how to do it.
A
You also talked a lot about community integration plugins. Is there, can you pop over to maybe a repo where they all are hiding? Is that organized in any way, shape or fashion, like a Docker registry or something like that, where people can easily find them, or are they scattered throughout GitHub?
B
It's, so sometimes we actually are even taken by surprise how many such plugins and integrations there are. So recently I saw that there is a Helm chart in the incubator, and a number of, you know, there is a .NET integration project. So browsing stuff, like searching for Keycloak on GitHub, regularly gives a lot of pleasant surprises for us, but it's a pretty vibrant community on this side as well.
C
I've got two more examples of community contributions. So we have the Go-based proxy that we are considering adding, that today is fully maintained by a community member, and he's willing to hand that over to us so we can put it in our main repositories. And then we also have a Japanese Keycloak community, and they have actually taken our documentation and translated it to Japanese. Whoa.
A
That's a compliment if anything is: getting your documentation translated by the community is a definite compliment to the efforts that you're doing. So again, if people want to contribute, the best place to hook up with you guys is keycloak.org, correct, or to log an issue in the GitHub repo, and then there's some mailing list that you mentioned earlier as well.
B
Questions about the date of the release of Keycloak 4.0: so, because there were releases every few weeks recently, the 4.0 final should be released next week.
B
We plan to start, so what's happening usually is, when someone on our team is working on a feature, they share a design on the mailing list and the discussion goes on in an asynchronous way, and, the same, it actually usually turns out with PRs if they come without previously getting in touch on the mailing list with the wider community. But we actually do consider starting to have some kind of hangouts, being more open and public, and recording and publishing them, also on design topics. I don't know, it's still to be done.
A
Always happy to host yet another special interest group in OpenShift Commons, and if you want to start up something around identity management and authorization, or whatever you want to call it, let me know; I'll hook you up with a calendar and everything else. But the more you do it in the open, the better it does. And again, because of the question around OpenShift: this isn't a purely OpenShift place, so it may be something that needs a wider audience than just OpenShift Commons. So thank you very much for today. I don't see any other questions, so.

Say goodbye to everybody. Thank you, Boleslaw and Stian, and the video for this will be uploaded to YouTube very shortly, and then we'll put up a blog with the links and the video embedded, and I'll tweet it out on OpenShift Commons on Twitter, and hopefully we can get your feedback. And if you need to reach out, reach out to Boleslaw and Stian or hit us up on the mailing list. So thanks again, guys.