TideCloak 0.5.3
Keycloak version 25.0.6
Detailed release notes here.
Introduction of a new Tide key provider to Keycloak: a key that can never be lost.
This is the first release to introduce a decentralized private key for a vendor (Vendor Verifiable Key - VVK).
tEdDSA key provider from TideCloak
TideCloak adds a new key provider named tide-vendor-key of type EdDSA that replaces the native EdDSA provider in Keycloak. This provider represents a core realm key that uses Tide as its key vault, meaning the private (secret) part is never stored on Keycloak. Once installed, TideCloak uses that key exclusively for the realm's OIDC clients.
Activation / management of license
Consuming services from Tide's Cybersecurity Fabric (operating on the VVK, for example) requires an active license for that realm. License management lives under the tide-vendor-key provider, but it can also be reached from the tide-idp identity provider.
To manage the license through tide-idp, go to Identity providers menu -> Tide social -> Manage License button.
On the first activation of the license, press the Request License button and complete the (freemium) registration on Stripe. That creates a new tide-idp for that realm as well as a new tide-vendor-key.
To manage the license through key providers, go to Realm settings menu -> Keys tab -> Add provider tab -> tide-vendor-key item -> License tab.
JWK export for platform devs
In the license management tab (under the tide-vendor-key), you can find an Export option for the JSON Web Key (JWK) of that key. The export contains only the public part, since the private part never leaves Tide. It is required when securing applications that need the realm's public key, for example to verify the signature on tokens the realm issues.
Experimental: IGA (Identity Governance Administration)
Identity Governance and Administration (IGA) is a framework of processes, policies, and tools that organizations use to manage and control access to their systems, data, and resources securely and efficiently. It ensures that the right people have the appropriate level of access to the right resources at the right time while preventing unauthorized or excessive access.
In the TideCloak context, the IGA layer is a critical aspect of security as it guarantees that no single administrator has "the keys to the kingdom". With TideCloak IGA, changes affecting users' access rights require review and approval by several administrators before those changes are applied. TideCloak is the only administration system that guarantees against bypassing its IGA via cryptographic proofs: a change is committed only with a signature from the VVK, which is produced only after the approvals have been validated.
Feature Toggle per realm
Ability to enable and disable IGA for any specific realm.
Available in Realm settings menu -> General tab -> Identity Governance and Administration toggle button.
Change Requests drafting
With IGA enabled, changes affecting users' role assignments (such as assigning roles to users directly, or changing the roles in a composite role) are not applied immediately when an admin provisions them. Instead, such a change creates a Change Request in the administrators' queue for review and approval.
Change Requests admin's approval
Only when the minimum number of approvers have signed off on a request can the Change Request be committed. Commitment of a change request is cryptographically signed by the VVK after the request has been validated.
Change Request queue
The administrators' queue of all requests is managed in a newly introduced, TideCloak-exclusive administration menu: the Change Requests item on the root menu.
Account invite process
TideCloak admins can now invite Tide account holders with an email-based invite process. This process also allows users to link their existing TideCloak accounts to their Tide account. This feature is specifically valuable when user self-registration is set to off (Realm settings menu -> Login tab -> User registration toggle), as it allows an administrator to pre-prepare a user's account in TideCloak, assign the relevant access rights and then invite the user to attach their Tide account.
Steps in TideCloak admin:
- Prerequisite: make sure email is configured and tested to work in Realm settings menu -> Email tab
- Authentication menu -> Required actions tab -> Link Tide Account toggle -> set to On
- Users menu -> Create new user or Add user button
- Fill in the details in the Create user form, specifically the user's email address, and create the user via the Create button
- In the user's detail form, go to Credentials tab -> Credential reset button -> Reset action selection -> Link Tide Account option -> Send Email button
This will cause TideCloak to send an invite email to the user based on the address set in the user's details (in TideCloak). Once the user has received the email, they can click on the invite link it contains, which opens the Tide sign-in portal for them to log in. The user will also be able to sign up to Tide in this process, if they don't already have an account.
Pre-configured tidecloak-dev sandbox: a docker image for devs
As part of this release, developers can now run their own on-prem version of TideCloak, pre-configured with a realm, Tide IdP and test clients. The TideCloak development sandbox is a docker image deployed by executing
sudo docker run --rm -v .:/opt/keycloak/data/h2 -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=password tideorg/tidecloak-dev:0.5.3
(note the -v switch, which stores the TideCloak database on the local disk and makes the sandbox persistent; the bind-mount source is resolved relative to the directory you run the command from, so use an absolute path such as $(pwd) if your Docker version rejects it. The admin password above is a known default: change it before exposing port 8080 beyond your own machine.)
Once executed, it will take a few minutes for the image to complete initialization. From there, follow these simple steps:
- Access your TideCloak administration console
- Log in using your admin credentials (Username: admin, Password: password, if you haven't changed it)
- Navigate to: Identity Providers menu --> tide IdP --> Licenses tab
- Click on the Request License button
- Go through the checkout process by providing a contact email. Within a minute or so, you'll get your TideCloak host licensed and activated.
- Go to our example application to test your setup at https://test.tidecloak.com/
ORK improvements
As part of this release, many significant improvements and additions were made to the Tide Cybersecurity Fabric nodes - the ORKs.
Database sync (Solved sign up performance issue)
This is probably the most significant improvement in this release, as a user's sign-up process could previously take up to 18 seconds to complete. The improvement was achieved by implementing a real-time, robust database synchronization between the Master-ORKs and the rest of the ORKs in a way that doesn't lock up tables.
Improved error reporting
A better fault and warning mechanism was implemented across all modules in the ORK, with visibility at either the system console or the end-user web interface (Secure Web Enclave).
Improved performance
Improvements in the tEd25519 cryptographic code were introduced.
More automated tests
New account recovery process
Introduces Tide's decentralized account recovery ("forgot password") process, which uses multi-email validation to allow a password change even after an account takeover. It is named account recovery because it caters for the case in which an adversary has found and replaced the user's password. The process works by acquiring a list of recovery email addresses when a user creates their account (up to 20 addresses). Each ORK holding that user's key knows only one of those addresses, so no single node can trigger a recovery alone. On a recovery request, each ORK node sends a partial account-recovery access to the email address it holds. The user then uses the emails received at the recovery addresses to regain control over their account and reset their password.
Steps to initiate the process in the web enclave:
- Press the Forgot Password link
- Enter the username to recover
- Press Request Account Recovery
- Click on the link in 14 of the 20 emails received
- Each will open a self-closing tab that can also be closed manually
- See progress on the original enclave
- The account will be authenticated on the 14th click
- Finalize the process by setting a new password
FAQ available at the bottom
At the bottom of the Request Account Recovery window, there's a detailed, informative list of FAQs.
ORK disconnection recovery process
A new mechanism was introduced that keeps retrying, over a longer cycle, to reconnect an ORK to Tide's fabric after it has been disconnected.