
OAuth and OpenID Connect best practices #391

Open
stianst opened this issue Apr 13, 2023 · 5 comments
@stianst

stianst commented Apr 13, 2023

Description

Getting started with Keycloak to secure applications through OAuth 2 and OpenID Connect can be a daunting task for those new to the specifications, but it can also be a challenge for those who understand the specifications but are new to Keycloak.

As this group is extending its scope beyond FAPI to cover everything related to OAuth 2 and OpenID Connect, maybe it could be an idea to start some work on best practices for how to secure applications.

This would likely involve working on improved documentation for Keycloak, but also considering improvements that can be made around configuring clients, client types, scopes, etc., to make it easier to leverage OAuth 2 and OpenID Connect with Keycloak through suggested best practices.

Ideally, users of Keycloak would not need to read the OAuth and OpenID Connect specifications; instead, the Keycloak documentation would cover what is needed to secure different types of applications, starting with simpler scenarios like securing a web application, a mobile application, and a REST API, and extending into more advanced topics like RAR, DPoP, FAPI, etc.

Discussion

No response

Motivation

No response

Details

No response

@stianst
Author

stianst commented Apr 13, 2023

@mposolda @tnorimat @thomasdarimont @pedroigor Wasn't sure where to best propose new topics for the SIG so created an issue. Would it make sense to also enable GitHub Discussions for this repository?

@pedroigor

Enabling discussions makes sense so that we can work similarly to the upstream repo.

Regarding the best practices when securing applications with Keycloak, I'm not sure if we should focus (at least initially) on any documentation but on examples/quickstarts.

As part of the adapter removal, we are also removing a decent part of the Securing Applications documentation. By doing that, we are relying on whatever alternative we choose for our adapters (e.g. Elytron OIDC) and its own documentation.

If we want to make things easier, quickstarts are definitely the best approach, and we can also include some level of documentation within each quickstart. It sounds reasonable to me to provide quickstarts that cover some specific use cases like using sender-constrained tokens, RAR, FAPI compliance, client policies, etc.

@tnorimat
Contributor

@stianst @pedroigor @thomasdarimont @mposolda I agree with including topics and discussions in this SIG for enriching documents and examples, to make it easy for Keycloak users who are new to security specifications to secure their applications.

@stianst
Author

stianst commented Nov 24, 2023

Any updates on this one? Is it something the SIG would be interested in working on?

@tnorimat
Contributor

@stianst I will work on it.

@tnorimat tnorimat self-assigned this Dec 14, 2023