3:28 p.m.
Greetings. I am currently developing a RESTful web service for mobile
applications and was looking for a suitable solution to secure it.
My requirements are:
R1 Users can register over a REST API and have to verify their Email
address
R2 Users can manage their accounts over a REST API (change password
etc.)
R3 Other requests than registering need authentication
R4 Logging in should work native from the mobile app and not through a
website
R5 Data on the transmission line should be protected from eavesdropping
and other man-in-the-middle attacks (met: https with certificate
truststore on the client side)
R6 The service should be resistant to replay attacks
R7 The service should be resistant to brute-force attacks (met:
keycloak)
R8 (optional) Support OAUTH 2.0 to let a custodian perform actions on
behalf of the registered user (met: keycloak)
I set up a test environment on Debian running Wildfly 8.2 and Keycloak
1.1.0. My web application to be secured is based on the restEasy JAX-RS
implementation and is already configured to use the Keycloak
authentication subsystem and security annotations.
At this point I am not sure if keycloak is the right way to go. As of my
current understanding I would do it this way:
a Create an application in my keycloak realm that only supports bearer
token
b Maybe have a short token timeout
c Use the direct access grant API to obtain token
d Do some REST service requests with the issued token until it expires
and request a new one
But I have my concerns with this approach:
C1 Is a short token timeout sufficient to protect against replay attacks
(R6)? Does the keycloak implementation provide some additional protocol
features like the counters used in HTTP Digest authentication or
OATH-HOTP solutions? Maybe I just did not understand the Access Code and
Access Token mechanism...
C2 Does keycloak provide REST functionality for R2 and R3 (registration
and user self-service)
C3 Is there another way to authenticate to obtain a token than
Basic/x-www-form-urlencoded
C4 The user database is separated from my application's database. I've
seen that I could implement my own User Federation Provider, but is
there another way to maybe add user profile information to the keycloak
user database so that user information exists in only one place? I would
also like the idea where keycloak would use a user table in my
application's database...
C5 I could imagine a solution that requires Digest Authentication for
users and to support OAUTH 2.0 for custodians but as far as I know this
is not possible with keycloak.
I would be grateful to get some advice on this. I am new to the Java EE
and REST world and want to make my REST service as secure as possible
because it will expose sensitive data and also will incorporate
financial transactions. Maybe I am on the wrong track here...
Thanks in advance.
Best regards
Benjamin
--
[alphaApps] mobile development
Benjamin Hansmann
Nosthoffenstraße 46
D-40589 Düsseldorf
Germany
Mobile: +49 (0) 177 249 47 47
Email: b.hansmann(a)alphaapps.de