Expanding Keycloak's interoperability with AWS KMS

Authentication and user session control are two fields that are especially insecure these days. When dealing with registered device users, authentication tokens are one of the most important things to consider. Once users enter their login credentials, these special randomly formed lines of characters are used to authenticate them.

Since tokens are one of the most important characteristics of an authentication system, they get into the most common attacks and investigation vectors for cyber-criminals attempting to breach portal authentication mechanisms.

Tokens must be produced in such a way that any intruder who obtains a wide sample of session IDs from the application cannot anticipate or extrapolate the tokens given to other users. To keep the security much stronger, the client requested us high security during Identity and Access Management. So, in this case we have provided highly secured key management systems to sign our data with the help of AWS KMS.

The Solution Overview

The Solution

AWS Key Management Service (AWS KMS) is a managed service that allows developing and managing customer master keys (CMKs), the encryption keys used to encrypt your files, simple for you. Through using AWS KMS, we have greater control over access to the data that we encrypt. The key management and cryptographic functionality can be used directly in our apps or by AWS services combined with AWS KMS. In general, we have limited options available in keycloak as a default. We extended keycloak key providers to give support to add AWS key details.

This extended option helps us to keep the work dynamic. The task can be accomplished by changing the codes at the core level, but it will make the work static and additionally, we won’t use the same keys for a longer period. The key rotation action will be repeated frequently to ensure that none of our sensitive information gets exposed.

We can be able to check the details provided in the options are valid or not. Provider allows saving only if the details provided are valid as it cross verifies the same with AWS KMS. The validation includes:

• Using the AccessKey-SecretKey, IAM-Role, or IAM-Service-Role information specified in the configuration, get the KMS Resource.
• Obtain the public key from KMS and compare it to the public key in the certificate that was uploaded to the Keystore.
• The configuration is properly stored if both public keys match.
• This key is then utilized for all clients that employ KMS's encryption technique.

We secure the provider details, which we created should be kept as an active one and all the other providers will be disabled, or we can define the algorithm for a particular client. Once the provider is defined as the default, the payload will be sent to AWS for signing. After this, as a response to the login request, an access token which is signed by AWS will be sent to the user.

The Impact

Our strategy provided the client with a slew of advantages, all of which had a significant impact on their market success. Our consistent service quality has always assisted us in our development and retention levels, and as a consequence, they've shown to be a trustworthy and resourceful partner.

Enhanced Customer Experience

From the beginning, our client has put a great importance on excellent customer service. Because user constraint is such a key factor in consumer engagement, our methodology was vital in establishing it. Our clients appreciated our unique and intuitive approach, as the process progressed even more quickly because the user limitations were embedded inside the client ecosystem.