In the previous article I introduced Keycloak, an open source identity and access management project developed by the Red Hat community. I went through how to install it, how to start it and how to access the Keycloak Admin Console for the first time.
Continuing from where I left off, in this article I'd like to talk about how to configure Keycloak so that you can later use it to manage authentication and authorisation for a web application as well as for a web service. I'll show you how to create a new realm, define roles and add users.
Throughout this series you're going to see more Keycloak features and details, but I suggest you check the helpful and detailed official documentation whenever something is unclear or you want to dig deeper.
Access Control, Authentication and Authorisation
Managing authentication and authorisation is an essential task in every well-designed web application or service. Keycloak makes this straightforward, letting you focus on the application's business logic rather than on implementing security features yourself.
Before going on, it is worth briefly recalling the definition of some fundamental security properties (from NIST glossary):
- Access Control: “the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances)”.
- Authentication: “verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system”.
- Authorisation: “access privileges granted to a user, program, or process or the act of granting those privileges”.
A common mistake is to treat authorisation and access control as synonyms; in fact access control is a part of authorisation, not the same thing. If you are interested in exploring this difference, you can read this article by ICANN.
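To make the three definitions concrete, here is a small Python model that keeps the three properties as three separate functions: authentication verifies the claimed identity from a credential, authorisation is the set of privileges granted to that identity (here through roles, as Keycloak does with realm roles), and access control is the grant-or-deny decision on one specific request. This is an example added for this article, not code from Keycloak or from the original post; the users, passwords, roles and permissions are constructed sample data, and the static salt is for the demo only.

```python
"""Toy model separating authentication, authorisation and access control.

Added example, not Keycloak code. All users, roles and permissions below are
constructed sample data for illustration.
"""
import hashlib
import hmac
from typing import Optional, Set, Tuple


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so that a stolen credential store does not reveal passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = b"static-salt-for-demo-only"  # real systems use a random per-user salt

# Credential store (constructed): username -> password hash.
# Used by AUTHENTICATION only.
CREDENTIALS = {
    "alice": _hash("alice-pw", _SALT),
    "bob": _hash("bob-pw", _SALT),
}

# AUTHORISATION, part 1 (constructed): privileges granted to each user,
# expressed as role assignments, the way a Keycloak realm assigns realm roles.
ROLE_ASSIGNMENTS = {
    "alice": {"admin", "user"},
    "bob": {"user"},
}

# AUTHORISATION, part 2 (constructed): what each role is allowed to do,
# as (resource, action) pairs.
ROLE_PERMISSIONS = {
    "user": {("orders", "read")},
    "admin": {("orders", "read"), ("orders", "delete"), ("users", "read")},
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: verify the identity claimed by the credential.

    Returns the verified principal name, or None on failure.
    """
    stored = CREDENTIALS.get(username)
    if stored is None:
        # Do the same work for unknown users so response time does not
        # reveal which usernames exist.
        _hash(password, _SALT)
        return None
    if hmac.compare_digest(stored, _hash(password, _SALT)):
        return username
    return None


def granted_privileges(principal: str) -> Set[Tuple[str, str]]:
    """Authorisation: the access privileges granted to a principal."""
    privileges: Set[Tuple[str, str]] = set()
    for role in ROLE_ASSIGNMENTS.get(principal, set()):
        privileges |= ROLE_PERMISSIONS.get(role, set())
    return privileges


def access_control(principal: Optional[str], resource: str, action: str) -> bool:
    """Access control: grant or deny this specific request, deny by default."""
    if principal is None:
        return False
    return (resource, action) in granted_privileges(principal)


def handle_request(username: str, password: str, resource: str, action: str) -> str:
    """Glue the three steps together the way a web service would."""
    principal = authenticate(username, password)
    if principal is None:
        return "401 unauthenticated"
    if not access_control(principal, resource, action):
        return "403 forbidden"
    return f"200 {action} {resource} as {principal}"


if __name__ == "__main__":
    print(handle_request("alice", "alice-pw", "orders", "delete"))
    print(handle_request("bob", "bob-pw", "orders", "delete"))
    print(handle_request("bob", "wrong", "orders", "read"))
```

Notice that bob is fully authenticated and does hold privileges, yet his delete request is denied: the access control decision is made per request against the privileges authorisation granted, which is exactly why the two terms are not interchangeable. In a Keycloak deployment the first two steps are handled by the server (it authenticates the user and issues a token carrying the assigned roles), while the final grant-or-deny on each request is still something your application or its policy enforcer has to perform.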