Skip to content

Demonstrate Authentication Authorization and Access Control using a Brokerage

License

Notifications You must be signed in to change notification settings

bboortz/brokerage-aaa-demo

Repository files navigation

brokerage-aaa-demo

This project is demonstrating how to setup authentication, authorization and access control using a brokerage. With a brokerage the authentication will be delegated to an upstream idp.

  • Authentication is happening using a keycloak with this realms
    • upstreamidp1 for user base 1
    • upstreamidp2 for user base 2
  • Authorization is happening using
    • keycloak-proxy which is protecting the access to an example application
  • Access Control is happening using a keycloak which acts a a broker. it is in charge of
    • defining the roles for dedicated users.

Requirements

  • some linux distribution like Arch Linux or Debian
  • docker
  • docker-compose
  • cfssl

Components

The used components are used as docker container and will be started using docker-compose:

Architecture

The overall architecture looks like this: Overall Architecture

These roles are known

  • application user - authenticates and is using the application
  • security account manager - manages accounts in IAM systems
  • security role manager - manages the roles in the broker
  • developer - has developed the application and is the defining the policies for an authorization

Preperation

Add necessary host entries to /etc/host file

127.0.0.1       debug.aaa.demo
127.0.0.1       app.aaa.demo
127.0.0.1       api.keycloak.aaa.demo mgmt.keycloak.aaa.demo

How to start the demo?

Run ./start.sh

It starts several services:

  1. postgres database
  2. keycloak with 4 realms https://api.keycloak.aaa.demo
  3. keycloak-gatekeeper https://app.aaa.demo with protects the demo application
  4. demo application
  5. httpbin for debugging https://debug.aaa.demo
  6. traefik as a lightweight loadbalancer

How to use the demo application?

  1. Access http://app.aaa.demo. You will be redirected to the Broker
  2. Login directly at the broker or at another upstream idp. You are logged in and will be redirected back to the demo application

How to manage user access?

  1. Access http://api.keycloak.aaa.demo.
  2. login with admin user from Keycloak Master
  3. Go to "Manage Users" on left menu
  4. Select a user and click the button edit
  5. Go to roles tab

Credentials

Keycloak Master

  • admin / 11111111

Keycloak Broker

  • brokeruser1 / brokeruser1

Keycloak UpstreamIDP1

  • idp1user1 / idp1user1

Keycloak UpstreamIDP2

  • idp2user1 / idp2user1

Links

About

Demonstrate Authentication Authorization and Access Control using a Brokerage

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages