Keycloak Essentials
Open Source Identity Solution for Applications, Services, and APIs
In this post, we will see the core concepts of Keycloak and its application integration mechanisms. You can integrate anything from frontend, mobile and monolithic applications to a microservice architecture. It gives you the flexibility to export and import configuration easily, and a single view to manage everything.
Why should I use Keycloak?
- Reliable Solution
“Red Hat running on Red Hat products (Red Hat SSO)”: the entire authentication/authorization system is based on Red Hat SSO, which is the downstream version of the upstream product Keycloak. It is designed around the standard security protocols to provide a single sign-on solution for small and large organizations alike.
- Open Source (3 C’s): Cost, Customizable / Contributions, Community
Apache License Version 2.0, with the support of a strong, active open source community.
Is it ready for production?
Yes, it can be used in production (make sure to read the documentation guide).
Standard Protocols (supported by keycloak)
- OpenID Connect
- OAuth 2.0
- SAML 2.0
Applications and tools that support integration with the above protocols can be plugged into Keycloak.
e.g. Ansible Tower can be integrated with Keycloak, or SAP BusinessIntelligence BI Platform via SAML with Keycloak, etc.
A few things to clear up:
OAuth 2.0 != Authentication, only Authorization
OpenID Connect = Identity + Authentication + Authorization (an identity layer built on top of OAuth 2.0)
Getting it up and running is easy:
Docker:
docker pull jboss/keycloak
docker run -d -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> -p 8081:8080 jboss/keycloak
Remember that your configuration is temporary in this scenario: it lives in the container's embedded database and is lost when the container is removed. Make sure to export it.
Standalone (https://www.keycloak.org/downloads.html): similar to running a
JBoss/WildFly instance:
keycloak-4.4.0.Final/bin>./standalone.sh
Core
A realm is like a namespace that lets you manage an entire set of metadata/configuration. You can have multiple realms based on your requirements. It is recommended to avoid using the master realm, which is intended for administration purposes only.
It provides the various features in one single view:
- User Management (User/Groups)
- LDAP/Active Directory integration
- Configuration management
- Custom theme (UI)
- Events
- Federation
- Clients (per application you can have one client, which holds details like URL, protocol, redirect URL)
App/Tools/Services Integration
Before jumping into the integration, decide on the following:
- Decide the protocol (SAML/OpenID Connect/OAuth 2.0): are you looking for authentication or authorization?
- For the application part:
- Is it running in a container (stateless) or in a legacy clustered (shared state) environment?
- Type of your architecture: single page application (SPA), microservices, serverless, MVC, etc.
- Identify the resources/endpoints you want to secure: is it the integration between client and server, service-to-service, API endpoints, etc.?
- Identify which adapter suits your architecture.
Steps to Integrate:
- Create a realm (you can use master for a dev environment; otherwise have a realm based on your domain name, e.g. external-apps, internal-apps, etc.)
- Create a client for your application (hello-world-app)
- Client configuration requires details like Protocol: SAML/OpenID, Resource Endpoint: https://localhost:8080/ (your application host details), Redirect URI: where you want the user redirected after authentication completes.
- Add the client configuration to your application: clientId: hello-world-app, realm: external-apps, Keycloak host URL, etc.
That’s all you need to configure your application with Keycloak.
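As an added example (not code from this post or from Keycloak itself), here is the OpenID Connect authorization-code flow an application registered like hello-world-app would run against the external-apps realm, using only Python's standard library. It assumes Keycloak 4.x's /auth context path, a placeholder Keycloak host, a placeholder callback path registered as the client's Redirect URI, and a realm that accepts PKCE (RFC 7636).

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Client details from the post's "Steps to Integrate"; host and callback path are
# placeholders and must match the client's registered Resource Endpoint/Redirect URI.
KEYCLOAK_HOST = "https://keycloak.example.com"
REALM = "external-apps"
CLIENT_ID = "hello-world-app"
REDIRECT_URI = "https://localhost:8080/callback"

def endpoint(name):
    """Realm OIDC endpoint (auth, token, userinfo, certs); Keycloak 4.x lives under /auth."""
    return f"{KEYCLOAK_HOST}/auth/realms/{REALM}/protocol/openid-connect/{name}"

def pkce_challenge(verifier):
    """S256 code challenge from RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_login_request(state=None, verifier=None):
    """Return the URL to send the browser to, plus what the app must keep in its session."""
    state = state or secrets.token_urlsafe(32)
    verifier = verifier or secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43..128
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",  # 'openid' turns an OAuth 2.0 authorization into an OIDC authentication
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{endpoint('auth')}?{urlencode(params)}", {"state": state, "code_verifier": verifier}

def handle_callback(callback_url, session):
    """Validate the redirect back from Keycloak and build the token-endpoint request body."""
    qs = parse_qs(urlparse(callback_url).query)
    if "code" not in qs:  # Keycloak reports a denial via error=... instead of a code
        raise PermissionError(qs.get("error", ["no code in callback"])[0])
    # state must match the value stored before the redirect; otherwise this callback was
    # not started by this session (login CSRF) and the code must not be exchanged.
    if not secrets.compare_digest(qs.get("state", [""])[0], session["state"]):
        raise PermissionError("state mismatch")
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": qs["code"][0],
        "redirect_uri": REDIRECT_URI,  # Keycloak checks it equals the one sent in the first step
        "code_verifier": session["code_verifier"],  # proves the same app started the flow
    }
```

The dictionary returned by handle_callback is what the app POSTs to endpoint("token") to receive the ID token (authentication) and access token (authorization).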
Thank you for reading this post. I will be adding integration patterns with various frameworks & platforms in upcoming posts.
Keycloak Integrations with:
If you like this post, give a Cheer!!!
Follow the Collection: Keycloak for learning more…
Happy Secure Coding ❤