Keycloak Security Settings
Client Attributes
Root URL
| Parameter | Description |
|---|---|
Attribute |
Root URL |
Description |
Root url is just a value that will be used for relative paths resolving. |
Possible values |
|
Recommendations |
Use a fully qualified URL, Use a secure https protocol, Do not include a trailing slash |
Our decisions : what and why |
Home URL
| Parameter | Description |
|---|---|
Attribute |
Home URL |
Description |
Default URL to use when the auth server needs to redirect or link back to the client. An optional attribute that you can configure for a client to define the home page or landing page after successful authentication. |
Possible values |
|
Recommendations |
This is optional |
Our decisions : what and why |
Valid redirect URIs
| Parameter | Description |
|---|---|
Attribute |
Valid redirect URIs |
Description |
After login, user could be redirected to any URI that matches pattern |
Possible values |
in.kb.mtrace.mdesk:/oauth2redirect |
Recommendations |
|
Our decisions : what and why |
Valid post logout redirect URIs
| Parameter | Description |
|---|---|
Attribute |
Valid post logout redirect URIs |
Description |
specifies the valid redirect URIs after the user logs out. |
Possible values |
in.kb.mtrace.mdesk:/oauth2redirect |
Recommendations |
|
Our decisions : what and why |
Web origins
| Parameter | Description |
|---|---|
Attribute |
Web origins |
Description |
Set the allowed origins for web-based clients. To permit all origins of Valid Redirect URIs, add '+'. |
Possible values |
|
Recommendations |
Minimize Wildcards(*) , Use Same Protocol as Application (https) |
Our decisions : what and why |
Admin URL
| Parameter | Description |
|---|---|
Attribute |
Admin URL |
Description |
URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other administrative tasks. Usually this is set to the base URL of the client. |
Possible values |
|
Recommendations |
Limit Admin URL Access, Use Strong Authentication (admin passwords) |
Our decisions : what and why |
Frontchannel Logout URL
| Parameter | Description |
|---|---|
Attribute |
Frontchannel Logout |
Description |
If enabled, it ensures that all logged-in sessions are terminated and redirects the user to the application’s post-logout URI. If not provided, it defaults to the base url. |
Possible values |
|
Recommendations |
|
Our decisions : what and why |
Authorization
| Parameter | Description |
|---|---|
Attribute |
Authorization |
Description |
Enables or disables fine-grained authorization support for this client. |
Possible values |
Resource-Based Authorization (RBAC): RBAC associates permissions directly with resources, allowing granular control over access to specific resources. |
Recommendations |
Use Scopes for Granular Control, Assign Permissions Based on Roles, Utilize RBAC for Resource-Level Access |
Our decisions : what and why |
Authentication flow
| Parameter | Description |
|---|---|
Attribute |
Authentication flow |
Description |
The sequence of actions a user or a service needs to perform to be authenticated. |
Possible values |
Multi-factor authentication (MFA) , Avoid direct grant flow |
Recommendations |
Session Management, Redirection Minimization |
Our decisions : what and why |
Standard Flow
| Parameter | Description |
|---|---|
Attribute |
Standard Flow |
Description |
Standard Flow Enabled property is used to activate the Authorization Code Flow as defined in the OIDC standard. Enables support of 'Authorization Code Flow' for this client. |
Possible values |
|
Recommendations |
It’s the recommended protocol to use for authenticating and authorizing browser-based applications. |
Our decisions : what and why |
Direct access grants
| Parameter | Description |
|---|---|
Attribute |
Direct access grants |
Description |
This enables support for Direct Access Grants, which means that client has access to username/password of user and exchange it directly with Keycloak server for access token. |
Possible values |
Enables support of 'Resource Owner Password Credentials Grant' for the client. |
Recommendations |
|
Our decisions : what and why |
Implicit Flow
| Parameter | Description |
|---|---|
Attribute |
Implicit Flow |
Description |
This enables support for OpenID Connect redirect based authentication without authorization code. |
Possible values |
|
Recommendations |
Not recommended |
Our decisions : what and why |
Service account role
| Parameter | Description |
|---|---|
Attribute |
Service account role |
Description |
A service account can also serve as a proxy that performs tasks on behalf of a user. Enables support of 'Client Credentials Grant' for the client. |
Possible values |
Users in role : service-account-mercotrace-india |
Recommendations |
Use the Principle of Least Privilege |
Our decisions : what and why |
Client secret rotation
| Parameter | Description |
|---|---|
Attribute |
client secret rotation |
Description |
The client secrets rotation policy provides greater security in order to alleviate problems such as secret leakage |
Possible values |
https://www.keycloak.org/docs/latest/server_admin/index.html#_secret_rotation |
Recommendations |
Client Secret Rotation support is in development. It can be done manually for every 3 days. |
Our decisions : what and why |
Client scopes
| Parameter | Description | |
|---|---|---|
Attribute |
Client scopes |
|
Description |
Client scopes are a common set of protocol mappers and roles that are shared between multiple clients. |
|
Possible settings,values & recommendations |
Protocol mappers |
|
Scopes |
||
Our decisions : what and why |
||
Realm Roles
| Parameter | Description |
|---|---|
Attribute |
Realm Roles |
Description |
Defining realm roles and assigning them to users, you can control which users have access to specific actions or resources within the realm. Typically used for global permissions of the applications. |
Possible values |
Default realm roles : default-roles-kbt-india ,offline_access, uma_authorization. |
Recommendations |
Principle of Least Privilege |
Our decisions : what and why |
Realm settings
| Parameter | Description |
|---|---|
Attribute |
Realm settings |
Description |
Realm settings are settings that control the options for users, applications, roles, and groups in the current realm. |
Recommendations |
Security defenses/Brute force detection
| Parameter | Description | ||
|---|---|---|---|
Attribute |
Security defenses/Brute force detection |
||
Description |
By default OFF. If turned ON, a user account will be temporarily disabled if a threshold of login failures is reached. |
||
Possible settings,values & recommendations |
Max login failures |
5 times |
|
Permanent lockout |
|||
Wait increment |
1 min |
||
Max wait |
15 min |
||
Failure reset time |
12 hrs |
||
Quick login check milliseconds |
1000 ms |
||
Minimum quick login wait |
10 min |
||
Our decisions : what and why |
|||
Password policies
| Parameter | Description |
|---|---|
Attribute |
Password policies |
Description |
When an Admin sets a password for new user/changes password for existing user/changing password for himself using users or login page. This is applied to users within the particular realm. |
Possible values |
|
Recommendations |
Minimum Length: 8 characters |
Our decisions : what and why |
Session(Menu)
| Parameter | Description |
|---|---|
Attribute |
Session settings(Menu) |
Description |
When users log into realms, Keycloak maintains a session for each user and remembers each client visited by the user within the session. |
Possible values |
|
Recommendations |
|
Our decisions : what and why |
Session settings
| Parameter | Description | ||
|---|---|---|---|
Attribute |
Realm settings(Menu) |
||
Description |
From a user experience perspective, Keycloak relies on sessions to determine whether users and clients are authenticated, for how long they should be authenticated, and when to re-authenticate. |
||
Possible settings,values & recommendations |
SSO Session Idle |
1 day |
By considering user experience & security, use refresh tokens to obtain new access tokens without requiring the user to log in again. |
SSO Session Max |
1 day |
||
SSO Session Idle Remember Me |
1 day |
If not set it uses the standard SSO Session Idle value. |
|
SSO Session Max Remember Me |
0 |
If not set it uses the standard SSO Session Max value. |
|
Client Session Idle |
1 day |
If not set it uses the standard SSO Session Idle value. |
|
Client Session Max |
1 day |
If not set it uses the standard SSO Session Max value. |
|
Offline Session Idle |
30 days |
You need to use offline token to refresh at least once within this period; otherwise offline session will expire. |
|
Offline Session Max Limited |
60 days |
Max time before an offline session is expired regardless of activity. |
|
Login timeout |
30 min |
This is recommended to be relatively long, such as 30 minutes or more |
|
Login action timeout |
5 min |
This is recommended to be relatively long, such as 5 minutes or more. |
|
Our decisions : what and why |
|||
Refresh tokens - Realm settings(Tokens)
| Parameter | Description |
|---|---|
Attribute |
Tokens - Realm settings(Tokens bar) |
Description |
1.Revoke Refresh token→ If enabled a refresh token can only be used up to 'Refresh Token Max Reuse' and is revoked when a different token is used. Otherwise refresh tokens are not revoked when used and can be used multiple times. |
Recommendations |
|
Our decisions : what and why |
Access tokens
| Parameter | Description | ||
|---|---|---|---|
Attribute |
Access tokens |
||
Description |
An access token is a credential that represents the authorization granted to a client (application) to access a protected resource on behalf of a user. |
||
Possible settings,values & recommendations |
Access Token Lifespan |
1 day |
It is recommended for this value to be shorter than the SSO session idle timeout: 1 day |
Access Token Lifespan For Implicit Flow |
15 hrs |
This value is recommended to be shorter than the SSO timeout. There is no possibility to refresh token during implicit flow |
|
Client Login Timeout |
1 min |
This should normally be 1 minute. |
|
Our decisions : what and why |
|||
Action tokens
| Parameter | Description | ||
|---|---|---|---|
Attribute |
Action tokens |
||
Description |
Action tokens on Keycloak refer to the tokens used to perform certain administrative actions or trigger specific events within the Keycloak server |
||
Possible settings,values & recommendations |
User-Initiated Action Lifespan |
5 min |
This value is recommended to be short because it’s expected that the user would react to self-created action quickly. |
Default Admin-Initiated Action Lifespan |
12 hr |
This value is recommended to be long to allow administrators to send e-mails for users that are currently offline. The default timeout can be overridden immediately before issuing the token. |
|
Our decisions : what and why |
|||
Standard Flow Enabled → AuthorizationCode Grant Type
Implicit Flow Enabled → Implicit Grant Type
Direct Access Grants Enabled → Resource Owner Password Grant Type
Service Accounts Enabled → Client Credential Grant Type