1

I'm creating Java appliation, where I will need users to log in. Currently I'm verifying if I can configure Keycloak safe enough. I'd like to make sure my application is really authenticating users against my Keycloak server - eg I know there is something like DNS Poisining or other attacks, where my application could get to attackers server with duplicated/attackers Keycloak instance. What surprised me, I have currently configuration with follwing keys:

keycloak.auth-server-url=...
keycloak.realm=...
keycloak.resource=...
keycloak.public-client=true
keycloak.security-constraints[0].authRoles[0]=..
keycloak.security-constraints[0].securityCollections[0].patterns[0]=...
keycloak.principal-attribute=preferred_username

and no public key is needed. Even worse here: https://stackoverflow.com/a/40516696/520521 I see upvoted comment telling, my application may download key from (malicious) server.

Are there any extra steps I need to follow, to authenticate Keycloak server before starting to authenticate users against it?

parvuselephantus
  • 181
  • 12

2 Answers2

0

Based on your configuration, it seems that you've defined your client in Keycloak as public. This allows your client to be able to call Keycloak without any authentication. This type of client is used for example when you're going to authenticate via js in webpage in which nothing can be hidden from attacker as they have access to the source of the page.

If you set the "Access Type" of your client to "confidential" (in Client Settings on Keycloak Admin UI) and save the settings, there will appear another tab (next to "Setting" tab of the client) titled "Credentials". There you can see the default secret that is created for your client. You should then put this secret as below in your keycloak.json file inside your application:

"credentials": {
    "secret": "paste-the-secret-value-here"
}

You can also re-generate the value by selecting the "Regenerate Secret" button.

You can also change the "Client Authenticator" there and set it to "X509 Certificate". Then you would be asked to define a regular expression to validate the "Subject DN" of the certificate that client will be using for authentication. Any certificate matching that regex would be considered as valid and authenticated. Then you have to setup your client to use such certificate instead of defining the "secret" value in the keycloak.json file.

There is of course another option which uses "Signed JWT" which is also secure and you can find the details about how to set it up in Keycloak documentation at Client Authentication section.

zaerymoghaddam
  • 3,037
  • 1
  • 27
  • 33
  • As I finally had some time to verify your reply, it seems we missunderstood each other. I have trusted client and I want to trust I connected to proper Keycloak server (eg. nobody attacked the network to put a fake keycloak in between). Your answer seems to validate if client can be trusted. – parvuselephantus Oct 17 '20 at 08:55
0

I can't see a word that this is the aim, but seeing where public and private key is placed I understand that answer is, that in realm settings -> keys -> active there is list of keys. You may download public key or certificate with button on right side. In my case of Spring boot, enter application.properties file a public key under keycloak.realm-key.

parvuselephantus
  • 181
  • 12