Keycloak Security Settings

Client Attributes

Root URL

Parameter Description

Attribute

Root URL

Description

Root url is just a value that will be used for relative paths resolving.
It is optional & typically used as a base URL for redirecting users to Keycloak for authentication, or for making API calls to the Keycloak server.

Possible values

https://kbiam.kanilebettu.in/realms/kbt-developers/console

Recommendations

Use a fully qualified URL, Use a secure https protocol, Do not include a trailing slash

Our decisions : what and why

Home URL

Parameter Description

Attribute

Home URL

Description

Default URL to use when the auth server needs to redirect or link back to the client. An optional attribute that you can configure for a client to define the home page or landing page after successful authentication.

Possible values

https://kbiam.kanilebettu.in/admin/realms

Recommendations

This is optional

Our decisions : what and why

Valid redirect URIs

Parameter Description

Attribute

Valid redirect URIs

Description

After login, user could be redirected to any URI that matches pattern

Possible values

in.kb.mtrace.mdesk:/oauth2redirect
http://localhost:4200
https://mercodesk.kanilebettu.in
https://servicesqa.kanilebettu.in/v1/md/so/health/

Recommendations

Our decisions : what and why

Valid post logout redirect URIs

Parameter Description

Attribute

Valid post logout redirect URIs

Description

specifies the valid redirect URIs after the user logs out.

Possible values

in.kb.mtrace.mdesk:/oauth2redirect
https://servicesqa.kanilebettu.in/v1/md/sp/health/

Recommendations

Our decisions : what and why

Web origins

Parameter Description

Attribute

Web origins

Description

Set the allowed origins for web-based clients. To permit all origins of Valid Redirect URIs, add '+'.

Possible values

http://localhost:4200

Recommendations

Minimize Wildcards(*) , Use Same Protocol as Application (https)

Our decisions : what and why

Admin URL

Parameter Description

Attribute

Admin URL

Description

URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other administrative tasks. Usually this is set to the base URL of the client.

Possible values

https://kbiam.kanilebettu.in/admin/

Recommendations

Limit Admin URL Access, Use Strong Authentication (admin passwords)

Our decisions : what and why

Frontchannel Logout URL

Parameter Description

Attribute

Frontchannel Logout

Description

If enabled, it ensures that all logged-in sessions are terminated and redirects the user to the application’s post-logout URI. If not provided, it defaults to the base url.

Possible values

Recommendations

Our decisions : what and why

Authorization

Parameter Description

Attribute

Authorization

Description

Enables or disables fine-grained authorization support for this client.

Possible values

Resource-Based Authorization (RBAC): RBAC associates permissions directly with resources, allowing granular control over access to specific resources.

Recommendations

Use Scopes for Granular Control, Assign Permissions Based on Roles, Utilize RBAC for Resource-Level Access

Our decisions : what and why

Authentication flow

Parameter Description

Attribute

Authentication flow

Description

The sequence of actions a user or a service needs to perform to be authenticated.

Possible values

Multi-factor authentication (MFA) , Avoid direct grant flow

Recommendations

Session Management, Redirection Minimization

Our decisions : what and why

Standard Flow

Parameter Description

Attribute

Standard Flow

Description

Standard Flow Enabled property is used to activate the Authorization Code Flow as defined in the OIDC standard. Enables support of 'Authorization Code Flow' for this client.

Possible values

Recommendations

It’s the recommended protocol to use for authenticating and authorizing browser-based applications.

Our decisions : what and why

Direct access grants

Parameter Description

Attribute

Direct access grants

Description

This enables support for Direct Access Grants, which means that client has access to username/password of user and exchange it directly with Keycloak server for access token.

Possible values

Enables support of 'Resource Owner Password Credentials Grant' for the client.

Recommendations

Our decisions : what and why

Implicit Flow

Parameter Description

Attribute

Implicit Flow

Description

This enables support for OpenID Connect redirect based authentication without authorization code.

Possible values

Recommendations

Not recommended

Our decisions : what and why

Service account role

Parameter Description

Attribute

Service account role

Description

A service account can also serve as a proxy that performs tasks on behalf of a user. Enables support of 'Client Credentials Grant' for the client.

Possible values

Users in role : service-account-mercotrace-india

Recommendations

Use the Principle of Least Privilege

Our decisions : what and why

Client secret rotation

Parameter Description

Attribute

client secret rotation

Description

The client secrets rotation policy provides greater security in order to alleviate problems such as secret leakage

Possible values

https://www.keycloak.org/docs/latest/server_admin/index.html#_secret_rotation

Recommendations

Client Secret Rotation support is in development. It can be done manually for every 3 days.

Our decisions : what and why

Client scopes

Parameter Description

Attribute

Client scopes

Description

Client scopes are a common set of protocol mappers and roles that are shared between multiple clients.

Possible settings,values & recommendations

Protocol mappers
Protocol mappers are responsible for extracting information from Keycloak and adding it to the access token for each client.

Scopes
If there is no role scope mapping defined, each user is permitted to use this client scope. If there are role scope mappings defined, the user must be a member of at least one of the roles.

Our decisions : what and why

Realm Roles

Parameter Description

Attribute

Realm Roles

Description

Defining realm roles and assigning them to users, you can control which users have access to specific actions or resources within the realm. Typically used for global permissions of the applications.

Possible values

Default realm roles : default-roles-kbt-india ,offline_access, uma_authorization.
Note: This role serves as a container for both realm and client default roles. It cannot be removed.

Recommendations

Principle of Least Privilege

Our decisions : what and why

Realm settings

Parameter Description

Attribute

Realm settings

Description

Realm settings are settings that control the options for users, applications, roles, and groups in the current realm.

Recommendations

Security defenses/Brute force detection

Parameter Description

Attribute

Security defenses/Brute force detection

Description

By default OFF. If turned ON, a user account will be temporarily disabled if a threshold of login failures is reached.

Possible settings,values & recommendations

Max login failures
How many failures before wait is triggered.

5 times

Permanent lockout
If enabled wait increment, max wait, failure reset time will be disabled.

Wait increment
Max time a user will be locked out.

1 min

Max wait
Max time a user will be locked out.

15 min

Failure reset time
When will failure count be reset?

12 hrs

Quick login check milliseconds
If a failure happens concurrently too quickly, lock out the user.

1000 ms

Minimum quick login wait
How long to wait after a quick login failure.

10 min

Our decisions : what and why

Password policies

Parameter Description

Attribute

Password policies

Description

When an Admin sets a password for new user/changes password for existing user/changing password for himself using users or login page. This is applied to users within the particular realm.

Possible values

Recommendations

Minimum Length: 8 characters
Uppercase Characters: 1
Lowercase Characters: 1
Special Characters: 1
Digits: 1
Hashing algorithms & password blacklist

Our decisions : what and why

Session(Menu)

Parameter Description

Attribute

Session settings(Menu)

Description

When users log into realms, Keycloak maintains a session for each user and remembers each client visited by the user within the session.
1.Signing out all active sessions → It is generally sign out all users in the realm. From the Action list, select Sign out all active sessions. All SSO cookies become invalid. Clients requesting authentication within active browser sessions must log in again.
2.Revoking active sessions → If the system is compromised, we can revoke all active sessions and access tokens. Specify a time and date where sessions or tokens issued before that time and date are invalid using this console.

Possible values

Recommendations

Our decisions : what and why

Session settings

Parameter Description

Attribute

Realm settings(Menu)

Description

From a user experience perspective, Keycloak relies on sessions to determine whether users and clients are authenticated, for how long they should be authenticated, and when to re-authenticate.

Possible settings,values & recommendations

SSO Session Idle
Time a session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired.

1 day

By considering user experience & security, use refresh tokens to obtain new access tokens without requiring the user to log in again.

SSO Session Max
Max time before a session is expired. Tokens and browser sessions are invalidated when a session is expired.

1 day

SSO Session Idle Remember Me
Time a remember me session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired.

1 day

If not set it uses the standard SSO Session Idle value.

SSO Session Max Remember Me
Max time before a session is expired when a user has set the remember me option. Tokens and browser sessions are invalidated when a session is expired.

0

If not set it uses the standard SSO Session Max value.

Client Session Idle
Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired.

1 day

If not set it uses the standard SSO Session Idle value.

Client Session Max
Max time before a client session is expired. Tokens are invalidated when a session is expired.

1 day

If not set it uses the standard SSO Session Max value.

Offline Session Idle
Time an offline session is allowed to be idle before it expires.

30 days

You need to use offline token to refresh at least once within this period; otherwise offline session will expire.

Offline Session Max Limited
Disabled by default. If enabled ,Max time before an offline session is expired regardless of activity.

60 days

Max time before an offline session is expired regardless of activity.

Login timeout
Max time a user has to complete a login.

30 min

This is recommended to be relatively long, such as 30 minutes or more

Login action timeout
Max time a user has to complete login related actions like update password or configure totp.

5 min

This is recommended to be relatively long, such as 5 minutes or more.

Our decisions : what and why

Refresh tokens - Realm settings(Tokens)

Parameter Description

Attribute

Tokens - Realm settings(Tokens bar)

Description

1.Revoke Refresh token→ If enabled a refresh token can only be used up to 'Refresh Token Max Reuse' and is revoked when a different token is used. Otherwise refresh tokens are not revoked when used and can be used multiple times.
2.Refresh Token Max Reuse→ Maximum number of times a refresh token can be reused. When a different token is used, revocation is immediate.

Recommendations

Our decisions : what and why

Access tokens

Parameter Description

Attribute

Access tokens

Description

An access token is a credential that represents the authorization granted to a client (application) to access a protected resource on behalf of a user.

Possible settings,values & recommendations

Access Token Lifespan
Max time before an access token is expired.

1 day

It is recommended for this value to be shorter than the SSO session idle timeout: 1 day

Access Token Lifespan For Implicit Flow
Max time before an access token issued during OpenID Connect Implicit Flow is expired. There is no possibility to refresh token during implicit flow.

15 hrs

This value is recommended to be shorter than the SSO timeout. There is no possibility to refresh token during implicit flow

Client Login Timeout
Max time a client has to finish the access token protocol.

1 min

This should normally be 1 minute.

Our decisions : what and why

Action tokens

Parameter Description

Attribute

Action tokens

Description

Action tokens on Keycloak refer to the tokens used to perform certain administrative actions or trigger specific events within the Keycloak server

Possible settings,values & recommendations

User-Initiated Action Lifespan
Maximum time before an action permit sent by a user (such as a forgot password e-mail) is expired.

5 min

This value is recommended to be short because it’s expected that the user would react to self-created action quickly.

Default Admin-Initiated Action Lifespan
Maximum time before an action permit sent to a user by administrator is expired. The default timeout can be overridden immediately before issuing the token.

12 hr

This value is recommended to be long to allow administrators to send e-mails for users that are currently offline. The default timeout can be overridden immediately before issuing the token.

Our decisions : what and why

Standard Flow Enabled → AuthorizationCode Grant Type
Implicit Flow Enabled → Implicit Grant Type
Direct Access Grants Enabled → Resource Owner Password Grant Type
Service Accounts Enabled → Client Credential Grant Type