【Rakuten Beauty】Securing application with Keycloak


Introduction

Hello, I’m Kenta, an application engineer working on Rakuten Beauty, a service where users search for and make reservations at salons, and where salons manage their settings and accepted reservations. In this article I would like to share our experience in setting up an authentication & authorization platform that follows the OAuth 2.0 protocol, using Keycloak.
For a little bit of background, we have a linkage function which provides access to a salon’s inventory data to our partner companies, with consent from the owner. It is a rather old function that has been running since the early stages of our service, where the partner companies would log in on behalf of the salon and access the management application to perform that linkage. In recent years there had been discussions about updating it to adopt more modern approaches and methods. Finally, last year, it was decided to work on this renewal: providing APIs for linkage and managing the authentication and authorization around them.
The major point in the renewal was how to implement an industry-standard approach for authentication & authorization, as it was the first time for us to expose APIs to another company. Upon consideration, we decided to use the OAuth 2.0 protocol, and to use Keycloak as our auth server.


Why OAuth2.0 and Keycloak?

OAuth 2.0 is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization. Generally, it follows this flow:

  1. The client requests authorization from the authorization server, supplying credentials as identification
  2. The authorization server authenticates the client and verifies that the requested scopes are permitted
  3. The resource owner interacts with the authorization server to grant access
  4. The authorization server redirects back to the client with either an authorization code or an access/refresh token, depending on the grant type
  5. With the access token, the client requests access to the resource from the resource server

(reference:https://auth0.com/intro-to-iam/what-is-oauth-2)


We chose to use this protocol because:

  • It is a secure and reliable protocol, widely adopted by many applications
  • It fits our requirement: a third-party application needs access to a resource with the data owner’s approval
  • Because it is so widely adopted, it is clear and simple what both parties have to implement

Keycloak is a Java-based OSS product for identity and access management, providing functions for user federation, strong authentication, user management, fine-grained authorization, and more. It is developed by WildFly, a division of Red Hat, and licensed under the Apache License Version 2.0, with an active open source community.


We chose to use Keycloak because:

  • Despite having no licensing fees and being fairly easy to integrate, it supports and follows the latest security standards, and its functionality and performance are sufficient for production use
  • It offers a lot of customization, which we especially needed to meet our service-specific specifications for user authentication and access permissions. Having a large open source community was also a good point, in case we ran into difficulties with the customization


Implementation


The diagram above illustrates our resulting architecture for secure API access.

Roughly, the steps we took to prepare it are as follows:


Preparing the Keycloak server

  1. Choose a Keycloak image
  2. Customize

a. Implement a custom provider
Keycloak supports many functions for managing users and their access rights, authorization, and so on. However, sometimes those standard capabilities are not enough to cover your business needs or specifications.
Keycloak offers custom providers so that you can extend its functionality with implementations tailored to your own needs.

Integration is simple: the goal is to prepare a JAR file containing one or more service implementations and place it where Keycloak will recognize it. At startup, Keycloak scans its classpath and picks up all available providers using the standard java.util.ServiceLoader mechanism.
  i. Create a Gradle project
  ii. Create your own implementation class using Keycloak’s Service Provider Interface (SPI)
  iii. Add a service definition file to the project, named after the interface you are implementing, containing the fully qualified name of your implementation

```
# Service definition file (placed under META-INF/services/, named after the SPI interface)
# One fully qualified implementation class per line
full.qualified.name.of.YourImplementation
```
  iv. Update the Dockerfile so the JAR is placed in the designated directory

```
# (pin a specific release tag rather than :latest for reproducible production builds)
FROM quay.io/keycloak/keycloak:latest as builder

...

# Add the provider JAR to the providers directory so Keycloak picks it up
ADD --chown=keycloak:keycloak --chmod=644 myprovider.jar /opt/keycloak/providers/myprovider.jar

# Run the Keycloak build step so the provider is included in the optimized server image
RUN /opt/keycloak/bin/kc.sh build
```

b. Apply configurations
Keycloak offers configuration customization, such as logging, data source settings, and enabling or disabling features, via environment variables and/or CLI options.


3. Create a Jenkins job
We manage our application deployments with Jenkins, so we created a Jenkins job for building the image and applying the required Kubernetes components.


Preparing the token validation service

As OAuth 2.0 works with JWT access tokens, we needed to prepare a service which can authorize a request if the token is valid and the request stays within the granted access scope. Generally, this token validation can be done in either an online or an offline way:

  • online: call the token validation endpoint provided by Keycloak each time a token is presented
  • offline: validate the token locally

We decided on the offline way, as we were concerned about the overhead of the Keycloak server being accessed on every client request, and we could accept an access token remaining valid until its TTL expires instead of being terminated as soon as the user is invalidated. We implemented a validation service which intercepts requests made to the resource APIs and validates the token accordingly.

And there we have it! We were able to set up an authentication & authorization platform for our linkage function.


Impressions

Let me share some technical impressions from working with Keycloak, from the initial implementation through maintaining it for some time:

  • Getting started is very simple and quick. Know which configurations you need, and you can have the server running in a short time.
  • Custom providers let you extend functionality easily, but they require you to learn to some extent how that part of Keycloak works. The complexity of customization, and how much you need to know to extend it, obviously increases the more “custom” your specs get. So, if the scope of your customization is large, you may want to consider frameworks like Spring Authorization Server and take more ownership of the functions, if you can accept the additional effort.
  • Updates are frequent and timely, which is greatly appreciated for a security-related component. However, patch support across versions is limited: only the latest major build gets active development and security fixes. You will have to be ready to handle version updates in a relatively short span to get the best out of it.
  • There are not many concrete instructions for a high-availability architecture. Concept guides and blueprints are available, so you should be able to use them as a starting point and work out your own solution from there.

To wrap up this article, as a personal impression, working with these solutions has allowed me to contribute greatly to the modernization of our service. It was an unfamiliar domain for me, but I am glad that I had the opportunity to learn and successfully follow through with this adaptation.


End

Thank you for reading! I hope it was useful for anyone considering an authentication & authorization method, or wanting a glimpse of what we developers are working on.


Come work with us!

Commerce & Marketing Company Leisure Product Department (LPD) is seeking talented individuals to join our team in developing new services, managing daily operations, and driving continuous improvements. Recruitment is open for a variety of positions, including engineers and product managers. We look forward to receiving your application!
