WEBVTT

00:00.000 --> 00:09.200
Thank you for the introduction of what come to delegating the tools of Authentic and the

00:09.200 --> 00:10.440
users to kick-look.

00:10.440 --> 00:14.160
My name is Alex Andrews, and I'm a principal software engineer at Rathead.

00:14.160 --> 00:20.800
I'm also one of the maintenance of the kick-look project working on a full-time and upstream,

00:20.800 --> 00:25.240
and then heavy to be here at the first and I don't see any access management there from

00:25.240 --> 00:28.080
thanks for having me here.

00:28.080 --> 00:33.680
So I'll take a little introduction of what you can do with an identity and access management,

00:33.680 --> 00:40.440
what problems it will solve for you, especially if you're taking a developer's perspective

00:40.440 --> 00:41.440
to it.

00:41.440 --> 00:46.080
So I start with a motivation, some practical authentication, by example, all the other

00:46.080 --> 00:51.760
things that you will need, maybe you didn't think of in the first place, and then

00:51.760 --> 00:59.240
standards everywhere, how they help you to get users authenticated in your environment.

00:59.240 --> 01:01.640
So motivation, why do we do this?

01:01.640 --> 01:08.160
Authentication is for answering questions, who are you, still, there's a lot of questions

01:08.160 --> 01:13.600
around it, and like the question is not, you don't only want to use, you don't only want

01:13.600 --> 01:18.720
users to lock in, but you sometimes want to take the step before that, you want to figure

01:18.800 --> 01:21.920
out if the user already locked in before I asked them to lock in.

01:21.920 --> 01:26.560
Like imagine you have a landing page, you want to show some marketing content, people

01:26.560 --> 01:30.480
visiting your home page and you want to figure out are they locked in, and only then

01:30.480 --> 01:34.480
eventually have a login button somewhere.

01:34.480 --> 01:38.760
There have been these diagrams of the authentication code flow that I showed here on the

01:38.760 --> 01:44.440
right, I borrowed that from the progress project, but this talk will be about how to put

01:44.440 --> 01:53.440
that to work from application perspective developers view, and how can I benefit from all

01:53.440 --> 01:59.240
the features that are in key-cloke, that might have some places, extend the specification

01:59.240 --> 02:05.200
a bit, but then will save you a lot of work as an application developer.

02:05.200 --> 02:10.000
And the things that you can do with an identity management system is like you can check

02:10.000 --> 02:14.280
is the user already locked in, you can register any users, you have a forgot password flow

02:14.320 --> 02:19.280
you can change the password, you can manage account, I used still locked in, you have

02:19.280 --> 02:27.080
kind of four second factors, all of that is in that shift box that you get with, okay,

02:27.080 --> 02:33.080
these are the actors, a little bit more about key-cloke, it's fully open source, fully

02:33.080 --> 02:37.720
open source, and the means of there is no core and non-core and whatnot, it's fully open

02:37.720 --> 02:43.160
source, there's nothing we hide from you here, it's part of the cloud-native computing

02:43.160 --> 02:49.160
foundation incubating project since April 2023, it's a patchy two license, it has up to

02:49.160 --> 02:54.160
date 26,000 GitHub stars, and if you like this product, please give us another GitHub

02:54.160 --> 02:58.160
stars, and we would love to see that.

02:58.160 --> 03:07.160
All right, so the four you actually figure out is the user already locked in, you want to

03:07.160 --> 03:12.160
figure out something about your open-body provider, there's this issue or you're around

03:12.160 --> 03:16.160
that you normally as an application developer, put somewhere in the configuration of the

03:16.160 --> 03:23.160
application, you put the part at the end, dot well dash known slash open ID dash configuration,

03:23.160 --> 03:30.160
and you will get back a JSON, well everything is JSON nowadays, exactly in the summer, so

03:30.160 --> 03:37.160
the issue is then a URL usually, and then there are lots of endpoints in here, there's also

03:37.160 --> 03:43.160
aization endpoint that will be used, most of the time there's a token endpoint, so the

03:43.160 --> 03:49.160
good news is all the different IDPs out there, they will use different URLs, but they

03:49.160 --> 03:53.160
will all have this well known open-body configuration endpoint, and he will just need

03:53.160 --> 03:58.160
to configure one URL in your clients, and they will discover all the other URLs that

03:58.160 --> 04:04.160
are there, from your open-body provider, and what we've seen in a second, they will also

04:04.160 --> 04:11.160
discover what features that open-body provider actually supports, and now we get

04:11.160 --> 04:16.160
back to the actual first question, we want to figure out is the user already locked in,

04:16.160 --> 04:22.160
and what we can then do, we take this authorization endpoint that has been by accident actually

04:22.160 --> 04:27.160
also the first endpoint that was listed there, and we direct the user to it, and we

04:27.160 --> 04:33.160
pass one parameter there saying prompt not, prompt not means don't show any login screen

04:33.160 --> 04:39.160
to the user, and when it then comes back, with a redirect back to your application, it

04:39.160 --> 04:45.160
tells you login required, and so I know yes, users not locked in, I show the general

04:45.160 --> 04:50.160
marketing screen, whatnot, advertising product, and then have a login button, here you

04:50.160 --> 04:55.160
can login if you then you're ready to login.

04:55.160 --> 05:03.160
Then you can say then again, it's the same principle also for the, when you want to register

05:03.160 --> 05:09.160
a new user, it's again building a URL where you redirect the user to, it's again the authorization

05:09.160 --> 05:15.160
endpoint, but then there's a specific spec called the open-body connect prompt create,

05:15.160 --> 05:21.160
it's part of the spec, so somebody said let's put the create in here, instead of,

05:21.160 --> 05:27.160
so like the time before we had prompt equals not, and then it's the or was flow just here from

05:27.160 --> 05:33.160
code flow, it's just the, yeah, taking the developers spec effectively here again, so I get back

05:33.160 --> 05:41.160
a URL in a redirection that depends the session state and the code, that I need in the next step,

05:41.160 --> 05:47.160
and then I sent some of the code and some other parameters to the token endpoint, the token endpoint

05:47.160 --> 05:54.160
retrieved by this well known open-body connect URL, it's again one of these URLs, and I

05:54.160 --> 05:59.160
can back get back this ID token and access token in the refresh token, right.

05:59.160 --> 06:04.160
So this is actually the most, well, there's some cryptography evolved maybe in some place

06:04.160 --> 06:10.160
if you need to pick things stuff, hopefully in your environment, your, you will have an open-body

06:10.160 --> 06:17.160
connect library that will take care of all that, but usually I'd say this open-body connect

06:17.160 --> 06:23.160
libraries allow you to specify if you want to put prompt lock in, prompt none, or prompt create

06:23.160 --> 06:28.160
whatever in there, and then all the cryptography, all the other things around that will be handled

06:28.160 --> 06:35.160
by your open-body connect libraries. Now then there's the question, okay, use a lock

06:35.160 --> 06:41.160
in, great, that worked, now I want to get notified that the user is still locked in, so what

06:41.160 --> 06:49.160
I can do. So there's another URL, again, in this JSON that we saw in the beginning,

06:49.160 --> 06:54.160
that's a check session I frame, that's another part of the open-body connect, let's say,

06:54.160 --> 07:02.160
a bunch of standards in the way, so I can put an I frame in my web page and put the session

07:02.160 --> 07:07.160
and take the URL of the I frame, take the session state that I retrieve received as a

07:07.160 --> 07:14.160
redirect at some point, and send a JavaScript user JavaScript send message to the I frame,

07:14.160 --> 07:21.160
and then I receive a message back saying, yes, sessions still valid, that's fine, or it's no longer

07:21.160 --> 07:27.160
valid, and then I need to do something else. I can then choose to just say, you know,

07:27.160 --> 07:34.160
a log in, maybe show the login button, or redirect the user to maybe enforce a reloading.

07:34.160 --> 07:41.160
Yeah, behind the scenes, key log is then using cookies in the browser, and let's see how

07:41.160 --> 07:48.160
this third party cookies handled, evolves in the future, sets to load out, and how

07:48.160 --> 07:52.160
like when I refresh the page, you will see there's a redirect happening, and so I guess

07:52.160 --> 07:59.160
required, of course, I'm not logged in yet, I can then choose to log in, and then there's

07:59.160 --> 08:05.160
a prompt create in here, if I would look at the URL on the log form, let's not do that,

08:05.160 --> 08:11.160
but you see that the server info shows the server info show in the beginning, and there's

08:11.160 --> 08:16.160
no login button because the prompt create is missing, so at the moment this key log

08:16.160 --> 08:22.160
is not logged in and content, and instead I can now log in as an admin to my key

08:22.160 --> 08:30.160
log instance, and say yes, I want to allow user registration here, and what then happens

08:30.160 --> 08:38.160
is the user info is the server info is updated, now the create method is here, if I go back

08:38.160 --> 08:43.160
to the start screen of an application with my application parses, this JSON, and now I can

08:43.160 --> 08:49.160
actually register, I click on register, and now finally, I can log in as register, so use

08:49.160 --> 09:03.160
a demo demo, this some secret password, and I'm registered here, and now I see finally

09:03.160 --> 09:12.160
all the other things that can do as a logged in user in this time, so this is now,

09:12.160 --> 09:18.160
yeah, as a thing about login, and I'd say this is all with open mic on extended, you can do that by then and you open mic

09:18.160 --> 09:27.160
connect endpoint, and makes your life a lot easier, and maybe at some point also enable features like

09:27.160 --> 09:33.160
a forgot password, I talked about that earlier, and when I then log out the possibility

09:33.160 --> 09:39.160
to change this ACR values in the way to force a step of authentication for a specific application

09:39.160 --> 09:46.160
or what you can do in KQL26.1, you can tell it to enforce for specific application at the minimum level

09:46.160 --> 09:52.160
of authentication is used, so basically saying whenever I log into, let's say,

09:52.160 --> 09:58.160
profaner, I don't need a second factor, whenever I go to the where I transfer my money,

09:58.160 --> 10:03.160
I need to have a second factor authentication, and you configure that centrally in your KQL

10:03.160 --> 10:10.160
and down me to bother about any configuration you do on the side of your applications.

10:10.160 --> 10:18.160
Also, I say probably any IDP will come stable, have a method to update the user data,

10:18.160 --> 10:25.160
that's how users can manage that themselves, so has KQL26, so there's a count console I can go to,

10:25.160 --> 10:34.160
and the thing is I can redirect to the URL, tell it's where the, well,

10:34.160 --> 10:40.160
better redirect comes from, so KQL will then show here what you see in the upper right corner,

10:40.160 --> 10:45.160
the short URL where to get back to the application, so at some point you probably need to

10:45.160 --> 10:52.160
see this a bit, that it makes your CI, and then I can go back to my application,

10:52.160 --> 10:57.160
that's fine, and in the account console, as I said, I have lots of functionality here

10:57.160 --> 11:04.160
to manage my own data, but I can also have a link in here, update profile where I

11:04.160 --> 11:10.160
do it, where I, to the only first and last name because I didn't allow them to change the email address,

11:10.160 --> 11:17.160
but I can change that I can do an update password here or cancel it again, or I can do an update email,

11:17.160 --> 11:21.160
where then send out an email, maybe confirm that as well.

11:21.160 --> 11:27.160
So all this functionality is then available as modular pieces as part of the login theme,

11:27.160 --> 11:35.160
so once you're updated login theme to look as your CI, you're basically good to use that as well.

11:36.160 --> 11:41.160
Something that you can also do is, depending on the application that you want to use here,

11:41.160 --> 11:44.160
let's see if the time for the demo is enough here.

11:44.160 --> 11:50.160
I can choose which application, well, what's which data has been carried for for specific applications,

11:50.160 --> 11:55.160
so I can go here to my test realm, let's see if I'm fast enough.

11:55.160 --> 12:01.160
To my user profile, I probably can create a new attribute being like an address.

12:05.160 --> 12:20.160
It's only there when the specific scope is requested, it's a required field, when the scope is requested.

12:20.160 --> 12:34.160
There it is, say, it's the user candidate, the user can view it and the admin can do the same,

12:34.160 --> 12:40.160
so it's there. So I added now a new required field address, and if the demo goes with me,

12:40.160 --> 12:49.160
if I just refresh the page, you know, if I login again, yeah, it's, I need to login with demo demo,

12:49.160 --> 12:58.160
and now it's not asking, because yes, I didn't click on xx scope address, yeah.

12:58.160 --> 13:05.160
Well, it goes as before, and that's a good thing, and if I now login with the scope address, the address is required fields.

13:05.160 --> 13:12.160
So an application can really choose which, well, maybe in a different context, you can really choose,

13:12.160 --> 13:17.160
when I go from one part of the application to another part of the application, which data I want to have,

13:17.160 --> 13:23.160
which hopes I want to add, and now I need to put in some demo address, and once I put in the scope,

13:23.160 --> 13:28.160
it's going to be asked by the user when they log in, and I will go to the user info,

13:28.160 --> 13:33.160
and then the address is, okay, I didn't use the right field here, but then we would show here as an address,

13:33.160 --> 13:39.160
in the user info, but only then, because the scope has been requested for it.

13:39.160 --> 13:49.160
So, yeah, so I'd say standard textbook here, so there's a lot of authentication and user management functionality,

13:49.160 --> 13:58.160
so just a link, like a web-like link away to your IDP, or kick-up if you choose to choose that one.

13:58.160 --> 14:04.160
So the open IDConnect library in your environment usually does the heavy lifting,

14:04.160 --> 14:09.160
but you can usually choose which parameters to pass, the extra parameters to pass,

14:09.160 --> 14:16.160
which kind of prompt to choose, maybe put in this case the action, if you want to have this modular account console functionality,

14:16.160 --> 14:23.160
and then all these standards and all the understanding, what is there, how to detect,

14:23.160 --> 14:28.160
which functionality open, when you connect provider support by looking into this well-known endpoint,

14:28.160 --> 14:31.160
that's a very a gold-mine right thing.

14:31.160 --> 14:40.160
Right, there's a lot of heavy features and kick-load, kick-up, try them out, so these are the links.

14:40.160 --> 14:44.160
To kick-load and serve the features, if you want to have a look at the previous features,

14:44.160 --> 14:48.160
we currently have the currently working on the authentication.

14:48.160 --> 14:53.160
The token exchange to find your end user-atamin commissions, that's something we currently working on,

14:53.160 --> 14:56.160
and hopefully have it fully supported soon.

14:56.160 --> 14:59.160
Open-Modiconex Core is a good place to start.

14:59.160 --> 15:05.160
The demo code I showed you is there, and the JavaScript library I used on the clients had to do this demo,

15:05.160 --> 15:09.160
with the panel open, my client, full credit to them.

15:09.160 --> 15:17.160
They did a good job to do the good photography, and I was able to put in the prompt parameters,

15:17.160 --> 15:19.160
and the case the action parameters as I needed to.

15:19.160 --> 15:21.160
Thanks for that.

15:22.160 --> 15:25.160
Thank you.

15:29.160 --> 15:33.160
So, I'll send the icon to question from Matrix.

15:33.160 --> 15:36.160
The question says it's from Breton,

15:36.160 --> 15:41.160
and he would like to authenticate not human services users on his application,

15:41.160 --> 15:44.160
for instance, for monitoring or reporting.

15:44.160 --> 15:47.160
So, no browser, no fancy UI.

15:47.160 --> 15:54.160
So, what did we possibly go to of law at it to kick lock, and what are the protocols that are there for it?

15:54.160 --> 15:59.160
Yeah, we had this device authentication zone early, and that's, in the previous target,

15:59.160 --> 16:05.160
it's been shown, so we can prompt a URL that you can click on and then completely authentication.

16:05.160 --> 16:10.160
But then it's only, like, if this client is acting on a user's behalf, so it locks in as it uses.

16:10.160 --> 16:16.160
The other thing you can do is we can register every of your monitoring of IoT device as a client,

16:16.160 --> 16:21.160
and then each client will have its own client ID, client secret,

16:21.160 --> 16:27.160
and there's a checkbox called Service Account, and then the client does a flow-fold client credential,

16:27.160 --> 16:29.160
going to come up with taken.

16:29.160 --> 16:38.160
So, if I was to go to this client here, and some of you can have a Service Account as a public client,

16:38.160 --> 16:43.160
it's not available for public clients, but for confidential clients, you'll have a Service Account,

16:43.160 --> 16:49.160
and you can have, like, as many devices as you have, the same number of clients who set up,

16:49.160 --> 16:57.160
and they can authenticate, get their tokens, and for return monitoring data as an example we had there.

16:57.160 --> 17:00.160
Yeah, sure.

17:00.160 --> 17:03.160
So, thanks for the talk.

17:03.160 --> 17:07.160
We have our users correctly on O0.

17:08.160 --> 17:10.160
Is there an easy way? Easy.

17:10.160 --> 17:17.160
Not so easy, but at least is there a way to transfer the users to, and that maybe you after,

17:17.160 --> 17:23.160
if they get the data to you, but on the other hand, you can do Federation as an intermediate step,

17:23.160 --> 17:28.160
so that you can Federation, you may be used to kick-load your users,

17:28.160 --> 17:31.160
your application, connect only to kick-load, but not to all zero,

17:31.160 --> 17:34.160
and eventually you don't do a migration then.

17:37.160 --> 17:44.160
You can just talk about people who are very good, and then just do the editing.

17:44.160 --> 17:45.160
Yes.

17:45.160 --> 17:47.160
I'm not allowed to do that.

17:47.160 --> 17:48.160
Sorry.

17:48.160 --> 17:49.160
Yeah.

17:49.160 --> 17:53.160
I want to apologize for that, because I'm, like, very kick-load new,

17:53.160 --> 17:55.160
so this might be a very naive question.

17:55.160 --> 18:02.160
But I've seen kick-load typically deployed in environments that serve the needs of organization,

18:02.160 --> 18:04.160
where like, several hundred people groups, etc.

18:04.160 --> 18:06.160
Permissions.

18:06.160 --> 18:11.160
How, look, is there any evidence that it's deployed for a larger, like,

18:11.160 --> 18:14.160
thousands, tens of thousands, hundreds of thousands?

18:14.160 --> 18:18.160
What if, like, I want to create an app and have my customers,

18:18.160 --> 18:22.160
which, potentially, is like, a lot of data.

18:22.160 --> 18:23.160
Yeah.

18:23.160 --> 18:28.160
So, when you size the kick-load instance, you size it, but a number of concurrent sessions

18:28.160 --> 18:31.160
in a way, that are concurrently using it maybe within an hour.

18:31.160 --> 18:37.160
So, and there are a lot of examples with hundreds, thousands of concurrent users out there.

18:37.160 --> 18:41.160
And if you look through the web, you will see this all or this.

18:41.160 --> 18:46.160
If you look at the kick-load specific URL, and when you're looking at public companies,

18:46.160 --> 18:50.160
you will see that they use kick-load now and then for public facing applications.

18:50.160 --> 18:51.160
Yeah.

18:51.160 --> 18:55.160
And some, I say, German entertainment companies, using it.

18:55.160 --> 18:57.160
I know about that one.

18:57.160 --> 18:59.160
Good. I think we are at the end of the time.

18:59.160 --> 19:03.160
I'm happy to take more questions outside. I also have stickers and postcards for those who want one.

19:03.160 --> 19:04.160
Cool.