Konstantin Dzekov has been with the Semantic Web Company for over 3 years now. He is a Software Engineer working primarily in the backend with Java. Starting in early fall 2021, Konstantin had an integral role in determining the external services that PoolParty uses for this release’s security features and implementing them successfully.
Hear about his experience by clicking on the questions and viewing the transcript.
Tell us how you got started with this release.
So I was involved in PoolParty 2022 from the very beginning in the sense that I was part of the technology evaluation. PoolParty 2022 is about externalizing the authentication and authorization towards a service, and I evaluated the proposed technologies. After assessing 3 options, we decided upon Keycloak.
How did you come to the conclusion when you were doing your evaluation that Keycloak is the best?
Through a couple of points like how the integration would look, the level of complexity, and flexibility towards requirements for the API of two-factor authentication. We decided on Keycloak because it was open source, lightweight – which means you can easily manage it – and our own developers had a lot of previous knowledge about Keycloak so we felt best prepared with it.
At the end, Keycloak is an industry leader in the services they provide, so we are on the safest side.
Once the evaluation was done, does that mean that you worked quite extensively on that authentication feature? What other roles did you have?
After we decided to go with Keycloak and basically when development of PoolParty 8 ended, we started intensive product backlog refinements. In the summer of 2021, we had a 2×3 sprint or even weekly product backlog refinement so we worked on refining the stories and the tickets so that we could already start from August or early September with the development process.
So it was quite intensive to get PoolParty 2022 release going. But it was also an inspiring period in the way that you learned a lot of things in a short amount of time. There was also a big challenge because we externalized the authorization and authentication which means a complete change of the related PoolParty architecture. Previously this part was developed to work with the local store, but we reintroduced a completely new architectural layer that works with Keycloak. We completely changed the workflow for authentication and authorization.
Can you speak to some challenges you may have experienced?
Yes, there were plenty of implementation challenges that we overcame.
The first thing was to completely re-configure PoolParty to work with Keycloak. So PoolParty has 3 major components: the PoolParty Thesaurus, PoolParty GraphSearch and PoolParty Extractor. The team handled this quite well but still it required a lot of research of the Keycloak documentation and trial and error. So the first step was to configure PoolParty and to enable some basic workflow which required some work and we introduced this token handler. The authentication changed from basic authentication to OAuth2 which means Keycloak sends a token and then you have to handle this token. So we had to enable workflows in PoolParty – to log into PoolParty, to see the project, all those basics.
The second stage was to completely change the user management so we went through the users, groups, the roles and with this basically we introduced these architectural changes and added the services that work with Keycloak.
Keycloak and security are such an integral part of this release. How did you decide as a team to focus on these topics and features?
Security is quite simply the focus of people’s minds lately. We chose this because of the plain fact that when you delegate authentication and authorization towards external services, you automatically increase the security because the responsibilities are delegated to this service instead of only being maintained by us. This also improves the integration with third-party identity providers because we know that we have clients who have other identity providers that they want to integrate with PoolParty, but this could be a bit cumbersome until now.
Now Keycloak enables really easy integration with third-party identity providers through SSO. Implementing an authenticator was decided from a higher level, but the reason was obvious: to respond to our clients with better solutions for services they’re already using.
From your perspective, which feature do you think users can be most excited about?
I think the integration part with SAML, because it will bring fewer headaches and be much faster with how their identity providers will be integrated into Keycloak.
They can rely more on PoolParty regarding the security part. The PoolParty 2022 release will now provide two-factor authentication and good protection against brute-force attacks on passwords.
So they can feel more secure and confident in the product.
If there’s anything else you want to add, the floor is open to you 🙂
I just want to touch back on overcoming the challenges.
We had to figure out how to generate the default user settings when you create a user and we developed a plugin like a Keycloak extension that works within it. So basically we externalized this responsibility from PoolParty with this plugin which hasn’t been done before.
Instead of a clunky manual migration, we also introduced on-the-fly migration where users migrate themselves automatically into Keycloak as soon as they log into PoolParty and this happens in the background and it is a really clean and nice process. So I’m proud of being involved in these two solutions and the overall development process of the release.
Interested in learning more about the PoolParty 2022 release? Head over to our release hub for all the content and more developer interviews.