Abhishek Koserwal

Summary

Keycloak is an open-source identity and access management solution that provides a comprehensive framework for securing applications, services, and APIs with support for standard protocols like OpenID Connect, OAuth 2.0, and SAML 2.0.

Abstract

The web content introduces Keycloak as a versatile and reliable open-source identity solution suitable for various applications, from frontend and mobile to monolithic and microservice architectures. It emphasizes Keycloak's flexibility in configuration management, its support for standard security protocols, and its ability to integrate with a wide range of applications and tools. The article also clarifies the distinction between OAuth 2.0 and OpenID Connect, highlighting Keycloak's capabilities in identity management, authentication, and authorization. It provides practical guidance on setting up Keycloak using Docker or standalone JBoss/Wildfly, and outlines the core features, including user management, LDAP/Active Directory integration, and custom theming. The content also discusses the considerations for application integration, such as choosing the right protocol and adapter based on the application's architecture and security needs. Finally, it offers a step-by-step guide for integrating applications with Keycloak and hints at upcoming posts detailing integration patterns with various frameworks and platforms.

Opinions

  • Keycloak is presented as a robust and production-ready solution, backed by Red Hat SSO, Red Hat's supported downstream build of Keycloak.
  • The article suggests that Keycloak's open-source nature offers cost benefits, customizability, and community support, with an Apache License Version 2.0.
  • There is an emphasis on understanding the difference between OAuth 2.0 (authorization) and OpenID Connect (an identity and authentication layer on top of OAuth 2.0) when considering Keycloak for identity management.
  • The author advises using realms for better management of configurations and recommends against using the master realm for anything other than administration.
  • The content suggests that Keycloak's integration mechanisms are flexible enough to accommodate various types of architectures, including SPA, microservices, serverless, and MVC.
  • The article encourages readers to follow best practices for security by identifying resources and end-points that need protection and choosing the appropriate Keycloak adapter for their architecture.
  • The author expresses enthusiasm for Keycloak's capabilities and its potential to secure coding practices, inviting readers to explore further integration patterns in upcoming posts.

Keycloak Essentials

Open Source Identity Solution for Applications, Services, and APIs

In this post we will look at the core concepts of Keycloak and its application integration mechanisms. It can secure anything from a frontend or mobile app to a monolithic application or a microservice architecture. Configuration can be exported and imported easily, and everything is managed from a single view.

Why should I use Keycloak?

  • Reliable Solution

“Red Hat running on Red Hat products (Red Hat SSO)”: the authentication/authorization system is based on Red Hat SSO, the supported downstream product built from the upstream Keycloak project. It follows the standard security protocols to provide a single sign-on solution for small and large organizations alike.

  • Open Source (3C’s): Cost, Customizable / Contributions, Community

Apache License Version 2.0, backed by a strong, active open-source community.

Is it ready for production?

Yes, it can be used in production (make sure to read the documentation, in particular the server installation and configuration guidance, before exposing it).

Standard Protocols (supported by keycloak)

  • OpenID Connect
  • OAuth 2.0
  • SAML 2.0

Applications/Tools that support integration with the above protocols can be plugged with Keycloak.

e.g. Ansible Tower can be integrated with Keycloak, or the SAP Business Intelligence (BI) Platform via SAML, etc.

A few things to be clear about:

OAuth 2.0 != authentication; it is an authorization (delegated access) framework, and an access token on its own says nothing reliable about who logged in.
OpenID Connect = an identity layer on top of OAuth 2.0: it adds authentication (the signed ID token and the UserInfo endpoint), so OIDC gives you identity + authentication while still using OAuth 2.0 for authorization.

Getting it up and running is easy:

Docker:

docker pull jboss/keycloak
docker run -d -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> -p 8081:8080 jboss/keycloak

Remember that in this scenario your configuration is temporary: it lives in the container's embedded H2 database and is gone once the container is removed, so export your realm (Manage > Export in the admin console) before tearing it down, or use an external database for anything beyond a local trial. Also note that admin credentials passed as environment variables are readable by anyone who can run docker inspect on the host.

Standalone (https://www.keycloak.org/downloads.html): similar to running a JBoss/WildFly instance:

keycloak-4.4.0.Final/bin>./standalone.sh

Core

A realm is like a namespace that lets you manage a complete set of metadata/configuration (users, clients, roles, identity providers). You can have multiple realms based on your requirements. Avoid using the master realm for applications; it is intended for administering the other realms only.

It provides the various features in one single view:

  • User Management (Users/Groups)
  • LDAP/Active Directory integration
  • Configuration management
  • Custom themes (UI)
  • Events
  • Federation
  • Clients (one client per application; it holds details such as the protocol, the application URL and the permitted redirect URIs)

App/Tools/Services Integration

Before jumping into the integration, decide on the following:

  • The protocol (SAML / OpenID Connect / OAuth 2.0): are you looking for authentication, authorization, or both?
  • For the application side:
    • Is it running in a container (stateless) or in a legacy clustered (shared-state) environment?
    • The type of architecture: single-page application (SPA), microservices, serverless, MVC, etc.
  • The resources/endpoints you want to secure: client-to-server, service-to-service, API endpoints, etc.
  • Which adapter suits your architecture.

Steps to Integrate:

  • Create a Realm (the master realm is for administration only; even for a dev environment, create a realm named after your domain, e.g. external-apps, internal-apps, etc.)
  • Create a Client for your application (hello-world-app)
  • The client configuration requires details such as the Protocol (SAML/OpenID Connect), the Resource Endpoint, e.g. https://localhost:8080/ (your application host), and the Redirect URI (where the user is sent after authentication completes; keep it as specific as possible rather than a wildcard, because an over-broad redirect URI lets an attacker have codes or tokens delivered to a host they control).
  • Add the client configuration to your application: clientId: hello-world-app, realm: external-apps, the Keycloak host URL, etc.

That’s all you need to configure your application with Keycloak.

Thank you for reading this post. I will be adding integration patterns with various frameworks and platforms in upcoming posts.

Keycloak Integrations with:

If you like this post, give a Cheer!!!

Follow the Collection: Keycloak for learning more…

Happy Secure Coding ❤

Tags: Authentication, Keycloak, Single Sign On, Open Source, OpenID Connect