What is Keycloak?
Keycloak is an open-source Identity and Access Management (IAM) solution, developed primarily by Red Hat and widely adopted, that targets modern applications and services. Keycloak makes it easy to export and import configurations, and everything is managed from a single view.
Keycloak is based on standard protocols and provides support for OpenID Connect, OAuth 2.0, and SAML.
- Single Sign-On:
  - Users authenticate with Keycloak rather than with individual applications, which means your applications don't have to deal with login forms, authenticating users, or storing users. Once logged in to Keycloak, users don't have to log in again to access a different application.
  - This also applies to logout. Keycloak provides single sign-out, which means users only have to log out once to be logged out of all applications that use Keycloak.
  - If your users authenticate to workstations with Kerberos (LDAP or Active Directory), they can also be authenticated to Keycloak automatically, without having to provide their username and password again after they log on to the workstation.
- Identity Brokering and Social Login:
  - Login with social networks is easy to enable through the admin console: just select the social network you want to add. No code or changes to your application are required.
  - Keycloak can also authenticate users against existing OpenID Connect or SAML 2.0 Identity Providers. It's just a matter of configuring the Identity Provider through the admin console.
- User Federation:
  Keycloak has built-in support for connecting to existing LDAP or Active Directory servers. You can also implement your own provider if you have users in other stores, such as a relational database.
- Client Adapters:
  Client adapters make it easy to secure applications and services. Adapters are available for a number of platforms and programming languages. Because Keycloak is built on standard protocols, you can also use any OpenID Connect Resource Library or SAML 2.0 Service Provider library.
- Admin Console:
  Through the admin console, administrators can centrally manage all aspects of the Keycloak server. They can enable and disable various features, configure identity brokering and user federation, create and manage applications and services, and define fine-grained authorization policies. They can also manage users, including their permissions and sessions.
- Account Management Console:
  Using the account management console, users can manage their own accounts: they can update their profile, change passwords, and set up two-factor authentication. Users can also manage their sessions and view the account's history. If you have enabled social login or identity brokering, users can also link their accounts with additional providers, allowing them to authenticate to the same account with different identity providers.
Importance of Keycloak
- Strong Authentication: Keycloak comes with different authentication methods such as OTP, Web Authentication, custom flows, etc. Keycloak has a number of policies you can set up for your FreeOTP or Google Authenticator one-time password generator. There are two types: TOTP (time-based OTP) and HOTP (counter-based OTP).
- Authorization: Keycloak supports roles, groups, and centralized authorization as well. IAM systems give administrators tools to change a user's role, keep track of user activity, and so on.
- Federation: Keycloak supports identity federation, which means a system can authenticate a user through a federated identity without knowing the user's password. Examples: LDAP, Active Directory, a custom store, an external identity provider, etc.
- Customizable and Easy to Use: It comes with different consoles so that users and administrators can configure it and also deploy their own custom code.
Keycloak Working Procedure:
- The user is redirected to the Keycloak authentication page. After the user provides a username and password, Keycloak redirects the user back to the application with a code that is valid for only a very short time.
- The application sends this code to Keycloak along with the application (client) ID and the application secret, and Keycloak replies with an access token, an ID token, and a refresh token. Your application needs only one of these tokens to see which claims the user has; based on those claims, the user is granted or denied access to the requested protected URL(s).
Keycloak with OpenID Connect (OIDC)
OIDC is an authentication protocol that is an extension of OAuth 2.0. OAuth 2.0 is only a framework for building authorization protocols, whereas OIDC is a full-fledged authentication and authorization protocol. The OIDC authentication flow when integrated with Keycloak:
- The browser visits the application. The application notices that the user is not logged in, so it redirects the browser to Keycloak to be authenticated. In this browser redirect, the application passes along a callback URL (a redirect URL) as a query parameter, which Keycloak will use when it finishes authentication.
- Keycloak authenticates the user and creates a one-time, very short-lived, temporary code. Keycloak redirects back to the application using the callback URL provided earlier, adding the temporary code as a query parameter of the callback URL.
- The application extracts the temporary code and makes a background, out-of-band REST call to Keycloak to exchange the code for an identity token, an access token, and a refresh token. Once this temporary code has been used to obtain the tokens, it can never be used again. This prevents potential replay attacks.
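The redirect, callback and code exchange described in the working procedure and the OIDC flow above, as an added example that is not code from the page or from the Keycloak project. The Keycloak side is a constructed in-memory stand-in (only the realm and `/protocol/openid-connect/auth` endpoint path follow Keycloak's real URL layout); the realm URL, client ID, client secret and redirect URI are assumed values. It shows the state and nonce checks the application performs and why the temporary code cannot be replayed.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: a Keycloak realm URL (Keycloak's real endpoint layout) and a
# constructed confidential client registered in that realm.
REALM_URL = "https://sso.example.test/realms/demo"
CLIENT_ID, CLIENT_SECRET = "myapp", "constructed-client-secret"
REDIRECT_URI = "https://app.example.test/callback"

class FakeKeycloak:  # constructed stand-in for the Keycloak side, not Keycloak's code
    def __init__(self):
        self.codes = {}  # one-time code -> (client_id, redirect_uri, nonce, user)

    def authenticate(self, auth_url, user):
        # Step 2: authenticate the user, then redirect back with a short-lived code.
        q = parse_qs(urlparse(auth_url).query)
        code = secrets.token_urlsafe(32)
        self.codes[code] = (q["client_id"][0], q["redirect_uri"][0], q["nonce"][0], user)
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, code, client_id, client_secret, redirect_uri):
        # Step 3: the code is exchanged exactly once; pop() rejects any replay.
        entry = self.codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri) or client_secret != CLIENT_SECRET:
            return None
        id_token = {"iss": REALM_URL, "aud": client_id, "sub": entry[3], "nonce": entry[2],
                    "exp": int(time.time()) + 300, "realm_access": {"roles": ["user"]}}
        return {"access_token": "<opaque>", "id_token": id_token, "refresh_token": "<opaque>"}

def start_login(session):
    # Step 1: store state/nonce in the app session and build the Keycloak redirect.
    session["state"], session["nonce"] = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
              "redirect_uri": REDIRECT_URI, "state": session["state"], "nonce": session["nonce"]}
    return REALM_URL + "/protocol/openid-connect/auth?" + urlencode(params)

def callback_params(callback_url):
    return {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}

def handle_callback(kc, session, callback_url):
    # Step 3, app side: check state, exchange the code, verify the ID token claims.
    q = callback_params(callback_url)
    if q.get("state") != session.pop("state", None):
        return None  # callback was not started by this session (CSRF / mix-up)
    tokens = kc.token(q.get("code"), CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    c = tokens["id_token"] if tokens else None
    if not c or c["iss"] != REALM_URL or c["aud"] != CLIENT_ID or c["exp"] < time.time():
        return None
    return c if c["nonce"] == session.pop("nonce", None) else None
```

Against a real Keycloak realm, the `FakeKeycloak.token` call becomes a POST to the realm's token endpoint and the ID token arrives as a signed JWT whose signature must be verified against the realm's published keys before its claims are trusted.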
Is Keycloak a complete enterprise IAM solution?
Many companies would like to use one of the two Red Hat solutions as an IAM system, but they ask themselves why they don't exclusively use Keycloak as a holistic IAM solution. After all, this solution already contains user and access management out of the box.
The reason is obvious: from our many years of experience, we know that the Keycloak components only satisfy simple, rudimentary requirements. They are mostly not sufficient for more complex enterprise applications and portals. For example, the Keycloak functions by far do not satisfy the data protection requirements of the European General Data Protection Regulation (EU-GDPR).
Top Alternatives to Keycloak
- Keeper Password Manager
- Microsoft Azure Active Directory