IAM Keycloak
Why
Implementation of Identity and Access Management (IAM) functionality.
Features
- Custom UI forms: Apache FreeMarker + React?
- Google reCAPTCHA v3
- Custom fields in the token
- Authorization Code Flow (ACF) with PKCE
- Email templates
- REST API
  - User management
  - REST API Postman collection
- Custom extension plugin
- 2FA
  - HMAC-based OTP (HOTP)
  - Time-based OTP (TOTP)
  - ЕСИА (ESIA, the Russian unified identification and authentication system)
  - 2FA via SMS
- User Store / Provider
  - User Federation (sync): passwords are not imported, Keycloak delegates authentication to the external store
    - AD, LDAP, Kerberos
    - DB sync, PostgreSQL with passwords
    - API
  - REST SPI user-storage custom user provider
  - REST API System for Cross-domain Identity Management (SCIM)
    - SCIM client: IdP Keycloak
    - SCIM 1.0 provisioning SPI
    - SCIM 2.0 (GNU Affero General Public License v3.0)
    - SCIM client: IdP Keycloak
  - On-demand migration
  - External identity broker (OIDC)
  - User Federation (sync): passwords are not imported, Keycloak delegates authentication to the external store
- Message queue integration
  - Keycloak SPI plugin that publishes events to a RabbitMQ server
  - Keycloak SPI plugin for Kafka
- Keycloak v19 sends logs using GELF to centralized logging solutions such as ELK, EFK or Graylog out of the box.
- Refresh token rotation
- Session state
  - Cookie exchange via an iframe: not all browsers will keep supporting this mechanism in the future
- JavaScript adapter for the client app
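The HOTP and TOTP items above are the two algorithms a 2FA authenticator computes. The block below is an added example, not Keycloak's own authenticator code: it implements RFC 4226 (HOTP) and RFC 6238 (TOTP) with the RFCs' published test secret, and shows the two verifier-side details that matter in practice, a small look-around window for clock skew on TOTP and a forward-only counter search on HOTP so a used code cannot be replayed. The window sizes are assumptions for illustration, not Keycloak's defaults.

```python
# Added example, not Keycloak's own code: HOTP (RFC 4226) and TOTP (RFC 6238)
# as an authenticator computes and verifies them. The secret below is the RFCs'
# published test secret, not a value from any real deployment.
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test vector secret


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP whose counter is the number of `period`-second steps since the epoch."""
    return hotp(secret, unix_time // period, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                look_around: int = 1, period: int = 30, digits: int = 6) -> bool:
    """Verifier side: accept the current step and `look_around` steps on either side (clock skew).
    Compare in constant time so the check does not leak how many digits matched."""
    step = unix_time // period
    for s in range(step - look_around, step + look_around + 1):
        if hmac.compare_digest(hotp(secret, s, digits), candidate):
            return True
    return False


def verify_hotp(secret: bytes, candidate: str, last_counter: int,
                window: int = 5, digits: int = 6):
    """Verifier side for HOTP: search forward from the last used counter only, never backward,
    and return the new counter to persist so the same code cannot be replayed. None = reject."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))
    print("TOTP at t=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))
```

The persisted HOTP counter is the whole replay defence: the verifier must store the value `verify_hotp` returns before answering the client, and must never accept a counter at or below the last stored one.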
Terms
- Realm: the number of realms must be limited; load-testing (НТ) risks
  - Users belong to a Realm
  - Clients belong to a Realm
  - An MTA approach can be implemented
- Groups
- Roles
- Cross-Origin Resource Sharing (CORS)
  - CORS allows using the Authorization Code flow with the PKCE extension from browser-side JavaScript instead.
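The PKCE extension mentioned above (and in the ACF with PKCE feature) is what makes the Authorization Code flow safe for a browser client that cannot keep a client secret. The block below is an added example, not Keycloak's or any adapter's code: it shows both sides of RFC 7636, the client's code_verifier and S256 code_challenge, and the token endpoint's single-use redemption check. The in-memory pending-code store is a constructed stand-in for the authorization server's state.

```python
# Added example, not Keycloak's or any client library's code: PKCE (RFC 7636) on both
# sides of the Authorization Code flow. The in-memory "pending codes" dict stands in
# for the authorization server's state and is a constructed simplification.
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy random string; 32 bytes -> 43 chars, the RFC minimum length."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier))), sent in the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# Authorization server side (constructed): authorization code -> (code_challenge, method)
_pending_codes = {}


def issue_authorization_code(code_challenge: str, code_challenge_method: str) -> str:
    """Authorization endpoint: bind the challenge to the code that is redirected back to the browser."""
    code = secrets.token_urlsafe(24)
    _pending_codes[code] = (code_challenge, code_challenge_method)
    return code


def exchange_code(code: str, code_verifier: str) -> bool:
    """Token endpoint: the code is single-use and only the party holding the verifier can redeem it,
    so a code observed in the redirect is worthless without the verifier kept in the client."""
    entry = _pending_codes.pop(code, None)  # pop: a second redemption attempt must fail
    if entry is None:
        return False
    challenge, method = entry
    if method == "S256":
        expected = make_code_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    return hmac.compare_digest(expected, challenge)
```

The `plain` method is accepted here only for completeness; a client configuration should require S256, since with `plain` the challenge in the authorization request is the verifier itself.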
User Storage
User Federation
- REST SPI custom user provider: implementation of the org.keycloak.storage.UserStorageProviderFactory interface, which allows Keycloak to access custom user stores.
Access Control
- Policy Administration Point (PAP)
- Policy Decision Point (PDP)
- Policy Enforcement Point (PEP)
- Policy Information Point (PIP)
Terms:
- resource: an API method, for example
- scopes: usually indicate what can be done with a given resource. Examples of scopes are view, edit, delete, and so on.
- permission: X CAN DO Y ON RESOURCE Z
- protect a resource or a scope
- policy
  - custom policy provider
Verification via the Policy Evaluation Tool
Management of resources, scopes, permissions, policies:
User-Managed Access (UMA) 2.0. UMA is a specification that enhances OAuth2 capabilities in the following ways:
- Privacy: user privacy is becoming a major concern as more data and devices are connected to the cloud. With UMA and Keycloak, resource servers can improve how their resources are protected with respect to user privacy, with permissions granted based on policies defined by the user.
- Party-to-party authorization: resource owners (e.g. regular end users) can manage access to their resources and authorize other parties (e.g. other end users) to access them. This differs from OAuth2, where consent is given to a client application acting on behalf of a user; with UMA, resource owners may grant access to other users, in a completely asynchronous manner.
- Resource sharing: resource owners may manage permissions on their resources and decide who can access a particular resource and how. Keycloak can then act as a sharing management service from which resource owners manage their resources.
Example
- RBAC
  - Responsibility for role management is moved out of Keycloak into this custom product. When services then interact with each other, they call this permission service and receive a particular set of permissions; the service itself validates whether the user may perform the operation under that permission.
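To make the resource / scope / permission / policy terms above and the permission-service pattern in the RBAC example concrete, the following added example (not Keycloak's authorization engine, whose real policies also support aggregation and decision strategies) implements a minimal policy decision point (PDP) and the policy enforcement point (PEP) check a service runs. The `granted` method is the "set of permissions" a calling service would receive; all names and sample data are constructed.

```python
# Added example, not Keycloak's authorization engine: a minimal policy decision point (PDP)
# over the resource / scope / permission / policy model, plus the policy enforcement point
# (PEP) check a service performs. Names and sample data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str          # e.g. an API method or entity
    scopes: frozenset  # what can be done with it: view, edit, delete, ...


@dataclass(frozen=True)
class RolePolicy:
    name: str
    required_roles: frozenset  # grants when the subject holds any one of these roles


@dataclass(frozen=True)
class Permission:
    """X CAN DO Y ON RESOURCE Z: policy `policy` decides scope `scope` on resource `resource`."""
    resource: str
    scope: str
    policy: str


class PolicyDecisionPoint:
    def __init__(self, resources, policies, permissions):
        self.resources = {r.name: r for r in resources}
        self.policies = {p.name: p for p in policies}
        self.permissions = list(permissions)

    def evaluate(self, subject_roles, resource: str, scope: str) -> bool:
        """Deny by default: unknown resource, unknown scope or no matching permission all deny."""
        res = self.resources.get(resource)
        if res is None or scope not in res.scopes:
            return False
        held = frozenset(subject_roles)
        for perm in self.permissions:
            if perm.resource != resource or perm.scope != scope:
                continue
            policy = self.policies.get(perm.policy)
            if policy is not None and policy.required_roles & held:
                return True
        return False

    def granted(self, subject_roles):
        """What the custom permission service hands back to a calling service:
        every (resource, scope) pair the subject may use."""
        return {(p.resource, p.scope) for p in self.permissions
                if self.evaluate(subject_roles, p.resource, p.scope)}


def enforce(pdp: PolicyDecisionPoint, subject_roles, resource: str, scope: str) -> bool:
    """PEP inside the service: the operation runs only on an explicit grant."""
    if not pdp.evaluate(subject_roles, resource, scope):
        raise PermissionError(f"{scope} on {resource} denied")
    return True


def build_sample_pdp() -> PolicyDecisionPoint:
    """Constructed sample: an orders API where every employee may view but only managers change data."""
    resources = [Resource("orders", frozenset({"view", "edit", "delete"}))]
    policies = [
        RolePolicy("any-employee", frozenset({"employee", "manager"})),
        RolePolicy("managers-only", frozenset({"manager"})),
    ]
    permissions = [
        Permission("orders", "view", "any-employee"),
        Permission("orders", "edit", "managers-only"),
        Permission("orders", "delete", "managers-only"),
    ]
    return PolicyDecisionPoint(resources, policies, permissions)


if __name__ == "__main__":
    pdp = build_sample_pdp()
    print("employee:", sorted(pdp.granted(["employee"])))
    print("manager:", sorted(pdp.granted(["manager"])))
```

The point worth keeping from this toy is the default-deny shape of `evaluate`: a scope that is not declared on the resource, or a resource nobody registered, is denied without a policy ever being consulted, which is what the Policy Evaluation Tool lets you confirm against a real Keycloak configuration.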
Technologies
- Java
- PostgreSQL
- k8s
- GoGatekeeper
Deployment
- CPU, RAM
  - Minimum system requirements for Keycloak (I could not find any for version 19).
  - Required CPU and RAM resources to be finalized from Keycloak benchmarks during non-functional testing (НФТ).
- HA
  - k8s
- Observability
  - Performance monitoring metrics
  - health check
  - logs
- Production deployment mode: a highly available (HA) cluster on the PostgreSQL DBMS with the Infinispan distributed cache, the "Regular cluster" option
Observability
Metrics
- keycloak_response_errors
- keycloak_login_attempts
- keycloak_failed_login_attempts
- keycloak_failed_client_login_attempts
- keycloak_refresh_tokens
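The login counters listed above are the ones worth alerting on. The block below is an added example, not part of Keycloak or of any metrics SPI: it parses a constructed Prometheus-style scrape containing those metric names, sums the login and failed-login counters per realm, and flags realms whose failed share is high enough to suggest credential stuffing. The label names (realm, provider, client_id, error) and the threshold are assumptions for the sample.

```python
# Added example, not part of Keycloak or of any metrics SPI: parses Prometheus-style
# exposition lines for the login counters and flags realms whose failed-login share
# exceeds a threshold. The sample scrape and its label names are constructed.
import re

SAMPLE_SCRAPE = """\
# HELP keycloak_login_attempts Total number of login attempts
keycloak_login_attempts{realm="shop",provider="keycloak",client_id="web"} 200.0
keycloak_failed_login_attempts{realm="shop",provider="keycloak",client_id="web",error="invalid_user_credentials"} 150.0
keycloak_login_attempts{realm="internal",provider="keycloak",client_id="cli"} 50.0
keycloak_failed_login_attempts{realm="internal",provider="keycloak",client_id="cli",error="invalid_user_credentials"} 2.0
keycloak_refresh_tokens{realm="internal",provider="keycloak",client_id="cli"} 400.0
"""

_LINE = re.compile(r'^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)')
_LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text: str):
    """Yield (metric_name, labels_dict, float_value) for every sample line; skip comments and blanks."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        labels = dict(_LABEL.findall(m.group("labels") or ""))
        yield m.group("name"), labels, float(m.group("value"))


def failed_login_share(text: str):
    """Per realm: (attempts, failed, failed/attempts). Counters are summed across clients and error labels."""
    attempts, failed = {}, {}
    for name, labels, value in parse_exposition(text):
        realm = labels.get("realm", "")
        if name == "keycloak_login_attempts":
            attempts[realm] = attempts.get(realm, 0.0) + value
        elif name == "keycloak_failed_login_attempts":
            failed[realm] = failed.get(realm, 0.0) + value
    result = {}
    for realm, total in attempts.items():
        bad = failed.get(realm, 0.0)
        result[realm] = (total, bad, bad / total if total else 0.0)
    return result


def realms_to_alert(text: str, max_share: float = 0.5, min_attempts: float = 20) -> set:
    """Realms with enough traffic to judge and a failed share above `max_share`."""
    return {realm for realm, (total, _bad, share) in failed_login_share(text).items()
            if total >= min_attempts and share > max_share}


if __name__ == "__main__":
    for realm, (total, bad, share) in failed_login_share(SAMPLE_SCRAPE).items():
        print(f"{realm}: {bad:.0f}/{total:.0f} failed ({share:.0%})")
    print("alert:", realms_to_alert(SAMPLE_SCRAPE))
```

These metrics are monotonically increasing counters, so on a live system the share should be computed over a window (for example with PromQL `rate()` on both series over a few minutes) rather than from lifetime totals, otherwise a single old incident keeps the ratio elevated forever.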