How to Secure Enterprise Microservice architecture with SSO | Keycloak with Open Policy Agent.

Gawesh Prabhashwara
4 min read · Jul 21, 2022

How do you secure an enterprise microservice architecture with SSO? Every system we design needs security built in, but do you know how to put it into practice? Here I go over how to use SSO to construct a safer system. SSO stands for single sign-on. How does SSO work? After you log in to one system using SSO, your sign-on tokens can be shared with every application that has established trust with it. That typically meets the requirements, so it is preferable to go there right away. In the OAuth solution, a customized OAuth server was implemented, and that answer is appropriate in this situation as well. The issue is why you would burn your hand with an unconventional remedy when a clever, proven solution exists. Use it, and life is simple. Because you used your own OAuth server, you also had to be concerned about security, bugs, and other problems, and whenever a new requirement arose, you had to reimplement it.

What solutions are available for that?

  1. Keycloak: Keycloak is an open-source project. It is stable, and it also has an access management solution built in.
  2. AWS Cognito: It is customizable and supports a pre token generation trigger.
  3. WSO2 IS: It can be used without the cloud.

OAuth2 is a common component of all of these solutions. When selecting a specific solution, it is important to consider how authentication and authorization will be implemented. The terms “authorization” and “authentication” are distinct. Authentication confirms your identity, for example by checking your password; it is used to identify the person. Authorization is about what a user is allowed to do. These two ideas are challenging in practice, so let’s use an example. When building a system for a company with numerous departments, each employee may only be authorized to see the employee profiles of the department to which he or she is assigned. Authorization has two elements: what can be done, and what it can be done to. Imagine a system for handling support tickets where only a support engineer has access to view user profiles. Even though the support engineer has read access to profiles, he is only able to read the ones that have been allocated to him. It is easy to grant read access, but it is difficult to express that restriction using an authorization server alone. These rules are described as user policies or capabilities, and we can put them into effect. Before implementing this kind of scenario, create users and roles. Users may be granted permissions such as read, update, create, delete, and list; we give a role certain permissions and give a user that role. It is simple to use a service like Keycloak for this without implementing a custom authorization server. Once Keycloak is in place, the user is redirected to it; Keycloak authenticates the user and sends a token to the user interface. The token is submitted with every service request. When a service request is received, the API gateway states “this user is trying to read user” and checks whether this token grants the user that authorization.
However, the remaining issue is what the user can do this to: for example, the department in which this user may add new users. A policy management tool like OPA can be used to specify which departments a user has access to. OPA (Open Policy Agent) is straightforward, scalable, and can be used with nearly anything, including SSH and REST services. After the user has been authenticated and before the request is served, the service asks OPA whether this user may examine this department’s profiles. OPA checks the user’s roles and capabilities against the policy; the statement evaluates to either true or false, and the user is granted authorization based on that policy decision.
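As an added example (not code from the original post), here is the gateway flow just described in Python: a constructed Keycloak-style token is verified, its realm role grants the coarse “read user” permission, and a local function standing in for the OPA policy decides whether the requested profile is one the engineer may read. The HS256 secret, role names, claim layout and policy input shape are assumptions made for the demo.

```python
import base64, hashlib, hmac, json

# Constructed demo key. Assumption: HS256 with a shared secret keeps the example self-contained;
# Keycloak normally signs with RS256 and the gateway would verify against the realm's JWKS keys.
DEMO_SECRET = b"demo-realm-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Build a Keycloak-style access token (constructed here; stands in for Keycloak)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str):
    """Gateway step 1: verify the signature before trusting any claim; None on failure."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None

# Gateway step 2: coarse permission from the realm role ("is this user allowed to read users?").
ROLE_PERMISSIONS = {"support-engineer": {"user": {"read", "list"}}}
def role_allows(claims: dict, resource: str, action: str) -> bool:
    roles = claims.get("realm_access", {}).get("roles", [])
    return any(action in ROLE_PERMISSIONS.get(r, {}).get(resource, set()) for r in roles)

# Step 3: the fine-grained question the article hands to OPA ("which profiles, in which
# department?"). Modelled as a local function over an OPA-style input document; a real
# gateway would POST {"input": ...} to OPA's data API and read back the decision.
def policy_decision(inp: dict) -> dict:
    user, profile = inp["user"], inp["profile"]
    same_department = user["department"] == profile["department"]
    assigned = user["sub"] in profile.get("assigned_engineers", [])
    return {"result": inp["action"] == "read" and same_department and assigned}

def authorize(token: str, action: str, profile: dict) -> bool:
    claims = verify_token(token)
    if claims is None or not role_allows(claims, "user", action):
        return False
    user = {"sub": claims.get("sub"), "department": claims.get("department")}
    return policy_decision({"action": action, "user": user, "profile": profile})["result"]
```

Note that the role check alone would let the engineer read every profile; only the policy step enforces the department and assignment scope the article describes.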

Authentication can be implemented in various ways.

Identity brokering is one. It means you can use social login services like Facebook, Apple, and Google. After the user logs in with a social media account, the identity provider redirects back and returns its token to Keycloak. Using that token and the user’s roles, Keycloak can create its own JWT token. Identity federation is the second. Here Keycloak verifies users against external data sources, so to speak; it has specific adapters for interacting with those data sources and authenticating users. With the aid of all these services, the system can attain security. LDAP, Active Directory, and Kerberos are such services, and each has its own way of authenticating people. If Active Directory is already installed in the system, make sure to set up Keycloak federation or identity brokering for it. Then, whenever Keycloak interacts with Active Directory for a user who is already logged in, Keycloak recognizes the existing sign-in, and the user receives a token from Keycloak on the basis of that trust. The user doesn’t need to log in again. That is single sign-on, or SSO.

Reference:

Krishantha Dinesh, “How to Secure Enterprise Microservice architecture with SSO | Keycloak with Open Policy Agent”, Apr 17, 2021.
