Keycloak
Application security is becoming more important by the day. Unauthorized access to protected data can cost millions of dollars in financial penalties alone, and almost every application needs a reliable tool to manage its users' identities and access.
There are plenty of solutions on the market, both free and paid, that promise to provide such features. In this blog post I will present one of them, which, as you can probably guess from the title, is Keycloak.
What Is Keycloak?
It is a tool for "Identity and Access Management", as its project page on GitHub puts it. Keycloak is open source, licensed under the Apache License 2.0, and it is the upstream project for Red Hat SSO, so if you are looking for something more enterprise-oriented (commercial support, longer support cycles), that is the product to check.
Which platforms and applications it can secure depends on which of the three supported protocols you decide to use; the full list is in the documentation. Keycloak's initial release took place in September 2014, and the current version is 18. It is developed and maintained by people from Red Hat, and they welcome new contributors.
Keycloak Features
After the brief introduction from the previous paragraph, I think it is time to tell you more about what Keycloak can do.
Multiple Protocols Support
As of now Keycloak supports three different protocols: OpenID Connect, OAuth 2.0 and SAML 2.0.
SSO
Keycloak has full support for Single Sign-On and Single Sign-Out.
Admin Console
Keycloak offers a web-based GUI where you can "click out" all the configuration your instance needs to work as you desire.
User Identity and Accesses
Keycloak can be used as a standalone user identity and access manager: it keeps its own user database with custom roles and groups. This information can then be used to authenticate users in your application and to secure parts of it based on the pre-defined roles. The roles are carried inside the access token Keycloak issues (realm roles and per-client roles), so your application can make authorization decisions without calling back to Keycloak on every request.
External Identity Source Sync
If your client already has a user database of some kind, Keycloak can synchronize with it. Out of the box it supports LDAP and Active Directory, and you can write a custom extension for any other user store using the Keycloak User Storage SPI. Keep in mind that such a store may not hold all the data Keycloak needs to be fully functional, so check that the features you rely on actually work against it.
Identity Brokering
Keycloak can also act as a broker between your users and one or more external identity providers. The list of providers is managed from the Keycloak Admin Console.
Social Identity Providers
Additionally, Keycloak supports social identity providers. It has built-in support for Google, Twitter, Facebook and Stack Overflow, among others, but each of them still has to be configured manually from the admin panel with the client ID and secret obtained from the provider. The full list of supported social identity providers and their configuration manuals can be found in the Keycloak documentation.
Pages Customization
Keycloak lets you customize every page it displays to your users (login, account and e-mail templates among them). The pages are FreeMarker (.ftl) templates, so you can use plain HTML markup and CSS styles to make them match your application and your company brand. You can even add custom JS scripts as part of a theme, so the possibilities are practically limitless. One caveat: whatever you put into a login theme runs in the context of the page where users type their passwords, so treat theme assets as security-sensitive code and keep third-party scripts out of them.
These are all the Keycloak features I wanted to describe today. Of course, the tool offers even more, and the documentation describes it in much more detail.
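As an added example for the protocol and SSO features above (my code, not from the original post or the Keycloak project), here is what a browser-facing application has to produce and check when it signs users in against a Keycloak realm with the OpenID Connect Authorization Code flow plus PKCE: the authorization request, the validation of the callback, and the token request. The realm URL, client ID and redirect URI are hypothetical; the endpoint paths are Keycloak's standard ones for the Quarkus distribution (the WildFly distribution puts /auth in front of /realms). Nothing is sent over the network; the block only builds and validates the messages.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical realm and public client (not from the original post). On the
# WildFly distribution the realm URL would carry a /auth prefix.
REALM_URL = "https://keycloak.example.com/realms/demo"
CLIENT_ID = "web-app"
REDIRECT_URI = "https://app.example.com/callback"
AUTH_ENDPOINT = f"{REALM_URL}/protocol/openid-connect/auth"
TOKEN_ENDPOINT = f"{REALM_URL}/protocol/openid-connect/token"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_for(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_pkce_pair():
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def build_authorization_request(state: str, nonce: str, code_challenge: str,
                                scope: str = "openid profile") -> str:
    """URL the browser is redirected to. state and nonce must be kept in the
    user's session so they can be checked on the way back."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from Keycloak and return the authorization code.

    Keycloak also appends session_state and, on recent versions, iss to the
    callback; iss is checked when present so a code from another issuer is
    refused (RFC 9207 mix-up defence)."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: rejecting callback (CSRF or stale login)")
    iss = query.get("iss", [REALM_URL])[0]
    if iss != REALM_URL:
        raise ValueError(f"callback from unexpected issuer {iss!r}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str, code_verifier: str):
    """Endpoint and form body for the back-channel POST that redeems the code.
    A public client sends no secret; the code_verifier is its proof instead."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": code_verifier,
    }
    return TOKEN_ENDPOINT, body
```

The state check is what ties the callback to the browser session that started the login, and the code_verifier is what stops an intercepted authorization code from being redeemed by anyone else; both are generated per login attempt and never reused.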
Distributions of Keycloak
Currently, Keycloak has three major distributions.
Server
The standalone application is downloadable from the Keycloak page as a tar or zip archive with all the scripts, docs and assets needed to run. There are two versions of this distribution: one powered by the WildFly application server and one powered by Quarkus. The Quarkus distribution started out as a preview, but since Keycloak 17 it is the default and the WildFly one is the legacy distribution, so pick Quarkus for a new deployment. Note that the Quarkus distribution serves its URLs without the /auth prefix, which matters when you configure clients and adapters.
Docker Image
Distribution appropriate for Docker, Podman, Kubernetes and OpenShift. There are two official container images for Keycloak: one in the Quay container registry, quay.io/keycloak/keycloak, and one on Docker Hub, jboss/keycloak. You can download either with a simple docker pull. The quay.io image is built from the Quarkus distribution and is the one that keeps receiving new versions; jboss/keycloak tracks the legacy WildFly distribution and has been deprecated in favour of the quay.io image.
Operator
Distribution for Kubernetes and OpenShift based on the Operator SDK.
As you can see, everybody can find an appropriate distribution: if you use Docker or Kubernetes you have the image and the operator, and if you prefer a more conventional deployment you have the server archive. Even then the Docker image is extremely useful for development and testing.
You can start a test Keycloak container, make your changes and test them; afterwards you remove and recreate the container and every change made to that instance is gone, leaving a clean environment for the next round. This only holds while the container uses the embedded development database; attach a persistent database or a volume and the state survives. All three distributions can be downloaded from the Keycloak downloads page.
Keycloak Integrations
So now you know the basics of Keycloak and its features. The last remaining question is: how do you integrate it into your app?
Here I will speak mostly from the perspective of the Java ecosystem, but I will also mention some other languages and frameworks. In Java the most popular frameworks, Spring Boot, Quarkus and Micronaut, have some sort of adapter that makes integrating with Keycloak really easy.
For Spring Boot it is keycloak-spring-boot-starter, while for Quarkus it is quarkus-keycloak-authorization (built on top of quarkus-oidc, which handles the OpenID Connect part).
For Python, the python-keycloak package seems pretty useful.
For Scala-based applications, the keycloak4s library also looks good.
For C#-based applications, Keycloak.Net looks like a handy library.
All these libraries are open source, developed and maintained by the community around Keycloak. I will put the respective links at the end of the article.
In the case of Spring Boot and Quarkus, thanks to the abstractions the frameworks provide, the whole integration requires just a few lines of code and some configuration properties. In the other cases the libraries only provide clients for the Keycloak API, so the integration can be more complex: validating the tokens your API receives and mapping Keycloak's role claims to your own checks is then your responsibility.
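The previous paragraph says that without a framework adapter the token handling is yours. As an added example (my code, not from the original post or any of the libraries named above), here is the minimum a resource server has to do with a Keycloak access token before it trusts the roles inside it. The issuer, client ID and secret are hypothetical. Keycloak signs tokens with RS256 by default and publishes the keys at <realm>/protocol/openid-connect/certs; to keep the block runnable offline with the standard library it uses HS256 with a shared client secret, which Keycloak also supports when you change the realm's default signature algorithm. The claim layout (typ, azp, realm_access, resource_access) is the one Keycloak issues; the sample token is constructed here, not captured from a real server.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical values (not from the original post). HS256 with a client secret is
# used so the example runs offline; with the RS256 default you would fetch the
# realm's JWKS and verify an RSA signature instead, everything else stays the same.
ISSUER = "https://keycloak.example.com/realms/demo"
CLIENT_ID = "inventory-api"
CLIENT_SECRET = b"constructed-example-secret-not-a-real-one"
ALLOWED_ALGS = {"HS256"}  # pinned: never take the algorithm from the token itself


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, header_alg: str = "HS256") -> str:
    """Produce a Keycloak-shaped token for testing (constructed input, not real)."""
    header = b64url_encode(json.dumps({"alg": header_alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def sample_token(**overrides) -> str:
    """Access token as Keycloak would issue it to client web-app for use at inventory-api."""
    claims = {
        "iss": ISSUER,
        "aud": [CLIENT_ID, "account"],      # audiences; azp is the client that requested it
        "azp": "web-app",
        "typ": "Bearer",                    # Keycloak: Bearer = access token, ID = id token
        "sub": "2b6d9c4e-constructed-uuid",
        "preferred_username": "alice",
        "iat": 1_700_000_000, "exp": 1_700_000_300, "nbf": 0,
        "scope": "openid profile",
        "realm_access": {"roles": ["default-roles-demo", "warehouse-staff"]},
        "resource_access": {
            CLIENT_ID: {"roles": ["stock-writer"]},
            "account": {"roles": ["manage-account"]},
        },
    }
    claims.update(overrides)
    return mint_token(claims)


def verify_access_token(token: str, now=None, leeway: int = 30) -> dict:
    """Return the claims if signature, issuer, audience, type and time window check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in ALLOWED_ALGS:          # blocks alg=none and key confusion
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("typ") != "Bearer":
        raise ValueError("not an access token (ID and refresh tokens are not bearer credentials)")
    aud = claims.get("aud", [])
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("token was not issued for this API")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) - leeway > now:
        raise ValueError("token not yet valid")
    return claims


def roles_of(claims: dict) -> set:
    """Realm roles as-is, this client's roles prefixed with the client ID."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    mine = claims.get("resource_access", {}).get(CLIENT_ID, {}).get("roles", [])
    roles.update(f"{CLIENT_ID}:{r}" for r in mine)
    return roles


def authorize(token: str, required_role: str, now=None) -> str:
    """Authenticate the caller and enforce one role; returns the username on success."""
    claims = verify_access_token(token, now=now)
    if required_role not in roles_of(claims):
        raise PermissionError(f"{claims.get('preferred_username')} lacks {required_role}")
    return claims["preferred_username"]
```

Two details are easy to get wrong with Keycloak specifically: the aud claim only contains your API if you add an audience mapper to the client (by default it holds little more than account), and roles for other clients in resource_access must not be honoured by yours, which is why roles_of only reads its own client's entry.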
Why You Should Know Keycloak
First of all, it is free. That may sound trivial, but most tools with comparable features, like Auth0 or Okta, are commercial products.
Secondly, it supports three different authentication protocols, which lets you cover many applications with different security demands with a single tool.
Additionally, you can choose the protocol based on what you need or what you think fits your application best; you are not limited by the tool you are using. Keycloak is also the upstream project for Red Hat SSO, so you can expect a well tested and well designed system.
Moreover, it has a big community, which means there are plenty of examples of how to do things and you can count on others to help with your problems. Keycloak is very useful when your client has an existing user database such as LDAP or Active Directory, because it has a built-in mechanism for synchronizing with such identity sources.
Additionally, Keycloak supports social identity providers like Google or Facebook straight out of the box, so if you want Social Login, Keycloak may be very useful for you and your team.
Furthermore, it provides a web-based GUI that makes configuration changes easier. Finally, thanks to Keycloak's SSO support you can simplify your users' access to the multiple services run by your company.