Posts
Learning CSS: A bumpy journey
Recently I took up the task of implementing the login feature of our application. I took it up knowing I know nothing, so that I’ll learn it and do it and come out of it learning something new and with some knowledge on how things work.
I kind of knew that my implementation would involve Keycloak, the software we use for the authentication and authorization features in our app. But little did I realize that I would also have to work with CSS to customize the theme of our login page, instead of using the default theme of the super cool Keycloak login page.
Introduction to One Time Passwords (OTPs)
Disclaimer: I’m no security expert. The post is more from a techy user’s perspective, with little research.
I’m usually into guessing what goes on behind the scenes of some technology, then checking online to read more about it, and then understanding how it’s actually done.
So, in this post, I’m going to be talking about One Time Passwords (OTPs) and going to try to take a crack at how it is probably implemented behind the scenes.
Getting Started With Keycloak
For me, usually the fastest way to get started with any big piece of software - server side software with other components (backend, proxy etc.) - is using docker and/or docker-compose.
Keycloak’s basic setup would be a Keycloak server with a database. It supports many databases actually.
The quickest way to get started with Keycloak would be to run Keycloak with the H2 database, like this using docker:
$ docker run -d --name keycloak -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak
It will take a few seconds or a minute to boot up.
Introduction to Keycloak, Open Source Identity and Access Management System
In my current project, there was a decision made to use Keycloak for Identity and Access Management (IAM). People said that “You don’t need to write code to do authentication and authorization and reinvent the wheel, it’s already done by a lot of people. Keycloak is just really good, it just works, use it”.
Now, I am pretty new to almost every technology in the project. So I’m still learning a lot of things.
Using CI/CD Artifacts for Faster Docker Image Builds
Disclaimer: This blog post is very context specific, so please consider your application and its context, and accordingly see if you can use this strategy.
Story and the Problem
Recently in our project, we were writing a Dockerfile to build a Docker image for our React app. It didn’t have any server side to it, just a static app. We decided to serve the frontend files (HTML, CSS, JS) using the Nginx web server.
Nginx as Gateway
In our project, we are building a web app with a backend. We use a separate service called Keycloak for Identity and Access Management.
Given we have all this, initially we were exposing these through the same URL but with different ports:
Port 80 for our web app
Port 8080 for the backend
Port 80890 for Keycloak
The user experience for the user accessing the web app looked something like this -
Step CLI to decode JWT tokens
tl;dr: step GitHub repo - https://github.com/smallstep/cli
$ # Reading from keyboard / standard input after running command.
$ # Run command and then paste the JWT token as input and press Enter.
$ step crypto jwt inspect --insecure
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
{
  "header": { "alg": "HS256", "typ": "JWT" },
  "payload": { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 },
  "signature": "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}
$ # Reading from file
$ cat jwt-token.txt | step crypto jwt inspect --insecure
{
  "header": { "alg": "HS256", "typ": "JWT" },
  "payload": { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 },
  "signature": "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}
$ # Reading from environment variables
$ echo $JWT_TOKEN | step crypto jwt inspect --insecure
{
  "header": { "alg": "HS256", "typ": "JWT" },
  "payload": { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 },
  "signature": "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}
Recently I was trying to decode the information present in a JWT token to understand what information is in it.
BitBucket Cloud doesn't support Git commit signing?
Really? I understand it’s a less used feature. I have not seen many people talk about it or use it, but hey, it’s an important security feature - as anyone can masquerade as someone else! I mean, ideally it won’t happen in a company or organization where everyone is trusted. It’s still a good thing. Also, if some open source community is using it, it’s still good. I don’t know what the deal is, but BitBucket Cloud doesn’t support Git commit signing as of this writing.
My Python and Data Analysis Journey
I recently found out about the She Loves Data (SLD) community through my amazing company. Apparently quite a few colleagues of mine are volunteering and helping the SLD community. There was this Introduction to Python workshop by SLD and I found out that they are looking for volunteers as there were a lot of registrations. I was encouraging some of my friends to volunteer and mentor in the workshop to help participants.
Why Blog? Why Share Knowledge?
Disclaimer: I’m not some genius. The below are just my thoughts / opinions based on experience. I’m not basing it off of any facts really.
I’ll be pretty straightforward on this. We live in a very crazy competitive world. Almost everything seems to be a race. Even if you don’t want to be in it, you are kind of in it, or at least affected by it. At least that’s my opinion.