Keycloak

Data Fabric leverages [Keycloak](https://www.keycloak.org/documentation) for Identity and Access Management.

Keycloak is a lightweight, feature-rich Identity and Access Management tool that removes the need to implement authentication mechanisms in our own applications. Additionally, applications never have direct access to user credentials.

Data Fabric uses OAuth 2.0 and OpenID Connect, both of which Keycloak offers out of the box.

Data Fabric Keycloak Diagram

                             .-----------------------------------------------------------------------.
                            |                                                                         |
                            |                         .----------------------.                        |
                            |                        / Third Party Keycloak /                         |
                            |                       '----------------------'                          |
                            |                                  ^                                      |
                            |    .-- Data Fabric --------------|---------------------------.          |
                            |   |                              |                            |         |
                            |   |                              |                            |         |
                            |   |                              |                            |         |
                            |   |                              v                            |         |
  .--------.                |   |    .---------------.    .-------------.                   |         |
  |        +----------------------->/  DF Service   /--->/ DF Keycloak /--.                 |         |
  |        |                |   |  '---------------'    '-------------'   |    .--------.   |         |
  +--------+                |   |                                         |   |          |  |         |
 /// ____ \\\               |   |                                         '-->|'--------'|  |         |
'------------'              |   |                                             | Postgres |  |         |
    Client                  |   |                                             |          |  |         |
                            |   |                                              '--------'   |         |
                            |    '---------------------------------------------------------'          |
                            |                                                                         |
                            |                                                                         |
                             '-----------------------------------------------------------------------'

Data Fabric Keycloak Sequence Diagram

 .--------.                       .-----------.            .----------.           .------------.                    .---------------------.
 | Client |                       |DF Frontend|            |DF Service|           |DF Keycloak |                    |Third Party Provider |
 '--------'                       '-----------'            '----------'           '------------'                    '---------------------'
     |                                  |                       |                       |                                      |
     | 1. Login request                 |                       |                       |                                      |
     |--------------------------------->|                       |                       |                                      |
     | 2. Redirect to Keycloak          |                       |                       |                                      |
     |<---------------------------------|                       |                       |                                      |
     | 3. Authentication request        |                       |                       | 3.1 Auth req to third party provider |
     |--------------------------------------------------------------------------------->|------------------------------------->|
     | 4. Keycloak authenticates user   |                       |                       | 4.1 User created in DF Keycloak      |
     |<---------------------------------------------------------------------------------|<-------------------------------------|
     | 5. Redirect to user consent      |                       |                       |                                      |
     |<---------------------------------------------------------------------------------|                                      |
     | 6. User submits consent form     |                       |                       |                                      |
     |--------------------------------------------------------------------------------->|                                      |
     |                                  | 7. Authorization Code |                       |                                      |
     |                                  |<----------------------------------------------|                                      |
     |                                  | 8. Send token request |                       |                                      |
     |                                  |---------------------------------------------->|                                      |
     |                                  | 9. Access token       |                       |                                      |
     |                                  |<----------------------------------------------|                                      |
     |                                  |                       | 10. DF Service requests keys from Keycloak                   |
     |                                  |                       |---------------------->|                                      |
     |                                  |                       | 11. DF Service receives public keys                          |
     |                                  |                       |<----------------------|                                      |
     |                                  | 12. Req to service    |                       |                                      |
     |                                  |---------------------->|                       |                                      |
     |                                  |                       |---.                   |                                      |
     |                                  |                       |   | 13. Verify token  |                                      |
     |                                  |                       |<--'                   |                                      |
     |                                  | 14. Response          |                       |                                      |
     |                                  |<----------------------|                       |                                      |
 .--------.                       .-----------.            .----------.           .------------.                    .---------------------.
 | Client |                       |DF Frontend|            |DF Service|           |DF Keycloak |                    |Third Party Provider |
 '--------'                       '-----------'            '----------'           '------------'                    '---------------------'

1. A DF user attempts to log in to Data Fabric.
2. The user is redirected to the Keycloak login page.
3. The user fills in the username and password on the login page and submits the form.
3.1 If the user has an account with a third-party provider, they fill in that provider's login page instead and submit the form.
4. Keycloak returns an authorization code to the user.
4.1 If the user did not already exist in DF Keycloak, the user is created from the third-party provider's account.
5. Once the user is authenticated, they are redirected to the consent form.
6. The user must consent to granting the application access.
7. Keycloak issues an authorization code.
8. The application exchanges the authorization code for an access token, refresh token, and ID token from Keycloak.
9. Keycloak responds with the access token, ID token, and refresh token.
10. If the DF Service has not already requested the public keys from Keycloak, it makes the request and caches the keys.
11. Keycloak sends the Service its public keys.
12. A request is made to a DF Service.
13. The DF Service validates the access token with the Keycloak public keys and verifies that the user may access the requested resources by checking that they hold the appropriate roles.
14. The DF Service returns the response.
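The back half of this sequence, steps 10 to 13 (fetch and cache Keycloak's public keys, then verify each request's access token and its roles), as an added worked example. This is illustrative code written for this page, not Data Fabric's or Keycloak's own, and Go is an assumption since the page does not state the DF Service's language. What it relies on from Keycloak is real: signing keys are published as a JWKS document at the realm's certs endpoint (`/realms/<realm>/protocol/openid-connect/certs`), access tokens are RS256 JWTs whose header names the signing key by `kid`, and realm roles travel in the `realm_access.roles` claim. Everything else (the issuer URL, the `df-service` audience, the `df-key-1` key id, the user's roles) is a constructed value, and `jwksFor` and `mintToken` stand in for DF Keycloak so the code runs offline:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments and JWK n/e are unpadded base64url

type jwk struct { // the JWKS members RS256 needs; encoding/json matches kid/kty/n/e case-insensitively
	Kid, Kty, N, E string
}

type keyCache map[string]*rsa.PublicKey // kid -> key; filled once from Keycloak's JWKS (steps 10-11), reused afterwards

func newKeyCache(jwksJSON []byte) (keyCache, error) {
	var doc struct{ Keys []jwk }
	err := json.Unmarshal(jwksJSON, &doc)
	c := keyCache{}
	for _, k := range doc.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil {
			return nil, fmt.Errorf("jwks: unusable key %q", k.Kid)
		}
		c[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return c, err
}

// claims is what the service checks; "aud" stays untyped because Keycloak emits a string or an array.
type claims struct {
	Iss         string      `json:"iss"`
	Aud         interface{} `json:"aud"`
	Exp         int64       `json:"exp"`
	RealmAccess struct{ Roles []interface{} } `json:"realm_access"`
}

func contains(list interface{}, want string) bool { // list is a JSON string or a JSON array of strings
	items, _ := list.([]interface{})
	if s, ok := list.(string); ok {
		items = []interface{}{s}
	}
	for _, item := range items {
		if item == want {
			return true
		}
	}
	return false
}

func hasRole(c *claims, role string) bool { return contains(c.RealmAccess.Roles, role) } // step 13 role check

// verifyToken is step 13: RS256 signature against the cached key named by kid, then exp, iss and aud.
func verifyToken(token string, keys keyCache, wantIss, wantAud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("token: malformed")
	}
	key, ok := keys[hdr.Kid] // only RS256 is accepted, so the token's own "alg" cannot weaken the check
	if hdr.Alg != "RS256" || !ok {
		return nil, fmt.Errorf("token: alg %q with kid %q not accepted", hdr.Alg, hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("token: signature invalid")
	}
	var c claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("token: bad payload")
	}
	if now.Unix() >= c.Exp || c.Iss != wantIss || !contains(c.Aud, wantAud) {
		return nil, fmt.Errorf("token: rejected claims exp=%d iss=%q aud=%v", c.Exp, c.Iss, c.Aud)
	}
	return &c, nil
}

// jwksFor and mintToken are constructed stand-ins for DF Keycloak so the example runs offline.
func jwksFor(pub *rsa.PublicKey, kid string) ([]byte, error) {
	return json.Marshal(map[string][]map[string]string{"keys": {{"kid": kid, "kty": "RSA",
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
}

func mintToken(priv *rsa.PrivateKey, kid string, payload []byte) string {
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT","kid":"`+kid+`"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}
```

In the service this runs once at startup or lazily on the first request: fetch the JWKS, build the cache with `newKeyCache`, and pass every bearer token through `verifyToken` before touching a resource, with `hasRole` deciding what the caller may do. A `kid` that is missing from the cache after Keycloak rotates its keys is the signal to refetch the JWKS once, never to skip the check. The audience test assumes the DF Service's client id appears in `aud`; in Keycloak that normally requires an audience mapper on the client, since without one an access token's `aud` is typically only `account` and the check above would reject it.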