[HN Gopher] Keycloak: Open-source identity and access management
Author : fanf2
Score  : 88 points
Date   : 2020-04-14 20:43 UTC (2 hours ago)
Link   : www.keycloak.org

  | SeriousM wrote:
  | For the dotnet world you can use and extend
  | https://identityserver4.readthedocs.io/en/latest/
  | 
  |   | snuxoll wrote:
  |   | IdentityServer is a framework to roll your own IdP, it's not
  |   | fully functional out of the box like Keycloak.
  | 
  | xupybd wrote:
  | I've been meaning to play with this for a while. I'm planning on
  | evaluating how well it works as an authentication layer for
  | Hasura. Hasura looks really nice but would be no good to me
  | without an authentication layer. I found this connector as a
  | starting point: https://github.com/httpsOmkar/keycloak-hasura-connector
  | 
  |   | ignoramous wrote:
  |   | https://userbase.com is a _serverless_ identity and access
  |   | management platform that might tie in well with Hasura. One of
  |   | the caveats is the _forgot password_ feature is tricky:
  |   | https://userbase.com/docs/faq/
  | 
  | cdbattags wrote:
  | We use this at my company (Amplify) as a single "realm"
  | configuration with Google and a few other identity providers
  | for "login with X". There's also some fun token exchange possible
  | for any OpenID Connect provider.
  | 
  | This means that I can swap Google access tokens for other access
  | tokens and vice versa.
  | 
  | I'm also a contributor to the "frontend" piece of Keycloak that's
  | a JavaScript library called keycloak-connect (these are known as
  | adapters).
  | 
  | Also also, I'm a maintainer of
  | https://github.com/cdbattags/lua-resty-jwt that I'm using in
  | tandem with the Keycloak RSA public keys for auth at API
  | gateway/network level.
  | 
  | Ask me anything!
  | 
  |   | realdavidops wrote:
  |   | The best part is when you start chaining Keycloak instances
  |   | together.
  |   | We've had a couple of cases where customers have wanted
  |   | their own identity management, so we use an instance of
  |   | Keycloak to connect to our central Keycloak instances and to
  |   | their solution of choice (Google, AzureAD, etc.), which allows
  |   | everyone to use their preferred identity platform.
  | 
  | realdavidops wrote:
  | We've been using Keycloak in production as a multi-tenant SSO
  | solution for our service delivery. We've been incredibly
  | impressed with the stability and performance and found it
  | extremely effective.
  | 
  | Keycloak is the upstream project of Red Hat SSO (edit: correct
  | name, thanks snuxoll.)
  | 
  | Running in Kubernetes with RDS Postgres in AWS.
  | 
  |   | closeparen wrote:
  |   | I've only played with it, but was kind of put off by how much
  |   | of the 2FA credential management is only available to admins.
  |   | It's not like Duo where you can update your own enrolled
  |   | phones, U2F devices, and defaults. End users would have to ask
  |   | admins to do all that for them.
  |   | 
  |   |   | realdavidops wrote:
  |   |   | Hmm. I'm not sure what you mean. Users by default can use the
  |   |   | console to update their 2FA credentials. The only time I have
  |   |   | to intervene is when they lose their 2FA, as it doesn't really
  |   |   | do backup codes. We do require 2FA as a part of our login
  |   |   | flows, so this is something we're using heavily.
  |   | 
  |   | toomuchtodo wrote:
  |   | Any pitfalls you've encountered when implementing?
  |   | 
  |   |   | realdavidops wrote:
  |   |   | The biggest thing we encountered was actually related to our
  |   |   | initial deployment with Active Directory. This made logins
  |   |   | slow, but we actually found we could remove the requirement for
  |   |   | Active Directory.
  |   |   | 
  |   |   | It is super heavily based on Wildfly, and if you're not using
  |   |   | a tool like Docker, it can be kind of a burden. It runs
  |   |   | decently well in standalone mode, but we ended up using the
  |   |   | Docker container's clustering with Kubernetes service
  |   |   | discovery helping to find the other nodes to achieve a
  |   |   | clustered deployment.
  |   |   | 
  |   |   | Outside of that it has been extremely stable; we use the
  |   |   | Kubernetes deployment mechanism along with a correctly
  |   |   | defined readiness check to allow us to seamlessly upgrade,
  |   |   | and we've gone from 4.3.0.Final to 7.0.1 in production
  |   |   | without any problems. We haven't upgraded to 8 or 9 yet as
  |   |   | we're actually working on some new frontend UI changes we
  |   |   | wanted to get out the door with the release.
  |   | 
  |   |   | snuxoll wrote:
  |   |   | It's highly integrated with Wildfly (or JBoss EAP for the
  |   |   | commercial product), so if you're not deploying it with the
  |   |   | Docker images expect to have _fun_ dealing with the special
  |   |   | hell that is Java application servers - setting up Infinispan
  |   |   | and configuring the database in JNDI at a minimum will
  |   |   | require some moderate reading.
  |   |   | 
  |   |   | If you do use the Docker images it's pretty straightforward
  |   |   | though.
  |   |   | 
  |   |   | Past that, customization could be better - not because it
  |   |   | doesn't support it but because many of the SPIs are poorly
  |   |   | documented at best, or totally undocumented at worst. You'll
  |   |   | need to read the code and understand Java EE to do anything
  |   |   | not supported out of the box, which, to be fair, is a lot -
  |   |   | but I'm having to spend far more time looking through code
  |   |   | than I'd like to add a Steam login for PCGamingWiki, as an
  |   |   | example. Thankfully I've dabbled with Java EE before so it's
  |   |   | no big deal to me, but something to consider if you wanna do
  |   |   | something simple like add extra profile fields.
  |   |   | 
  |   |   |   | bebop wrote:
  |   |   |   | I would agree that a pain point is the lack of
  |   |   |   | documentation, examples, and googleability of the SPIs. I
  |   |   |   | have spent much longer than I would have expected
  |   |   |   | integrating an existing user database.
  |   | 
  |   | snuxoll wrote:
  |   | Upstream of Red Hat SSO, Red Hat IdM is the commercial product
  |   | based on FreeIPA.
  |   | 
  |   |   | realdavidops wrote:
  |   |   | Oof! Good catch! Yes, Red Hat SSO.
  |   | 
  |   | B3NE wrote:
  |   | Did you build any custom extensions for Keycloak by
  |   | implementing Keycloak's Service Provider Interfaces?
  |   | If you are
  |   | running any custom extensions, what features did you have to
  |   | add?
  | 
  | ceeker wrote:
  | Can someone confirm if this can be used in a multi-tenant SaaS
  | app environment?
  | 
  | Customers want to have their own SSO setup or user roles and
  | instead of providing all those functionalities in the app, can we
  | use Keycloak in front and the customer can manage their own
  | users/permissions via Keycloak?
  | 
  | So in essence:
  | 
  | Customer A: has 5 users (login / password), 1 admin and 4
  | regular users -- admin can add or remove users
  | 
  | Customer B: has an LDAP and would like to authenticate using it
  | 
  |   | snuxoll wrote:
  |   | Absolutely. You can set up multiple realms in Keycloak to
  |   | isolate tenants from each other, and beyond the built-in admin
  |   | UI you can access all of the configuration over a REST API to
  |   | build your own admin tools if needed.
  | 
  |   | mjochim wrote:
  |   | This should be possible, since everything you mention is a
  |   | realm-specific setting (i.e. you create one realm per
  |   | customer), including that a user can be admin in one realm
  |   | only.
  |   | 
  |   | I'm saying "should be" because personally, I have only used
  |   | single-realm setups in production so far.
  |   | 
  |   | Must say I'm a big fan of Keycloak.
  | 
  | jgrodziski wrote:
  | Keycloak is a great piece of engineering. It's a robust IAM,
  | fully featured, easy to deploy and integrate with. My opinion is
  | that people should rely on a battle-tested 3rd-party solution like
  | Keycloak for their authentication and authorization needs.
  | 
  | We run it in production on GCP and it integrates nicely with the
  | Clojure ecosystem (both on the frontend with a SPA and on the
  | backend dealing with REST API security).
  | 
  | Shameless plug: I maintain the keycloak-clojure wrapper:
  | https://github.com/jgrodziski/keycloak-clojure (You'll find some
  | explanations of the Keycloak concepts in the README.)
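Worked example (added here; not code from the thread or from the Keycloak project) of the realm-per-customer setup ceeker asks about and snuxoll describes: provision an isolated realm, a tenant admin who can manage only that realm, and for a Customer B style tenant a read-only LDAP federation, all through the Keycloak Admin REST API. It assumes the Wildfly-era paths under `/auth`, a master-realm admin bearer token you already hold, an injectable `send(method, path, body)` transport, and placeholder hostnames, DNs and passwords.

```python
import json, urllib.request

def realm_payload(name):
    # One realm per tenant: users, roles, clients and flows are isolated per realm.
    return {"realm": name, "enabled": True, "sslRequired": "external",
            "bruteForceProtected": True, "duplicateEmailsAllowed": False}

def user_payload(username, email, temp_password):
    # Temporary credential + UPDATE_PASSWORD forces a reset on first login.
    return {"username": username, "email": email, "enabled": True,
            "credentials": [{"type": "password", "value": temp_password, "temporary": True}],
            "requiredActions": ["UPDATE_PASSWORD"]}

def ldap_payload(name, url, users_dn, bind_dn, bind_secret):
    # Customer-owned LDAP as a UserStorageProvider component (config values are
    # string lists); READ_ONLY stops Keycloak writing back into their directory.
    return {"name": name, "providerId": "ldap",
            "providerType": "org.keycloak.storage.UserStorageProvider",
            "config": {"vendor": ["other"], "connectionUrl": [url], "authType": ["simple"],
                       "bindDn": [bind_dn], "bindCredential": [bind_secret],
                       "usersDn": [users_dn], "editMode": ["READ_ONLY"],
                       "syncRegistrations": ["false"], "usernameLDAPAttribute": ["uid"],
                       "rdnLDAPAttribute": ["uid"], "uuidLDAPAttribute": ["entryUUID"],
                       "userObjectClasses": ["inetOrgPerson"]}}

def provision_tenant(send, realm, admin_user, admin_email, temp_password, ldap=None):
    """Create the realm and a tenant admin holding realm-admin on the built-in
    realm-management client (scoped to this realm only); return the user id."""
    send("POST", "/admin/realms", realm_payload(realm))
    send("POST", f"/admin/realms/{realm}/users",
         user_payload(admin_user, admin_email, temp_password))
    # The username filter is a substring search, so select the exact match.
    users = send("GET", f"/admin/realms/{realm}/users?username={admin_user}")
    user = next(u for u in users if u["username"] == admin_user)
    client = send("GET", f"/admin/realms/{realm}/clients?clientId=realm-management")[0]
    role = send("GET", f"/admin/realms/{realm}/clients/{client['id']}/roles/realm-admin")
    send("POST", f"/admin/realms/{realm}/users/{user['id']}"
                 f"/role-mappings/clients/{client['id']}", [role])
    if ldap:  # Customer B style: authenticate against their own directory
        send("POST", f"/admin/realms/{realm}/components", ldap)
    return user["id"]

def http_sender(base_url, token):  # urllib transport; base_url and token are placeholders
    def send(method, path, body=None):
        req = urllib.request.Request(base_url + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as r:
            return json.loads(r.read() or b"null")  # 201/204 with empty body -> None
    return send
```

Run it as `provision_tenant(http_sender("https://keycloak.example.com/auth", token), "customer-a", "alice", "alice@example.com", "Tmp-Pass1")`; the tenant admin then logs into `/auth/admin/customer-a/console/` and sees only that realm.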
  | mooreds wrote:
  | I found this list of open source SSO providers to be useful in
  | learning about CIAM options:
  | https://gist.github.com/bmaupin/6878fae9abcb63ef43f8ac9b9de8...
  | 
  | I'd also love to hear any experiences comparing Keycloak with
  | commercial providers (Okta, Auth0, FusionAuth).
  | 
  | lostsoul8282 wrote:
  | My company has been using this and it's not only really easy to
  | integrate but we have found it very stable. No issues and really
  | helped us get to market quickly.
  | 
  | scrollaway wrote:
  | We've started using Keycloak as an SSO solution for archlinux.org.
  | If you're interested in helping out with Keycloak on an open
  | source project, send me an email!
  | 
  | blain_the_train wrote:
  | Does anyone know if the export functionality works between
  | versions? I'm guessing no.
  | 
  | Thought I would ask since I'm working on this right now :)
  | 
  | captn3m0 wrote:
  | Anyone here using Keycloak for a home setup? I've been
  | considering this vs. https://www.ory.sh/, which is more OIDC
  | focused, and can't decide.
  | 
  |   | rad_gruchalski wrote:
  |   | I've been looking into the ory platform recently. It's all still
  |   | alpha and beta but pretty impressive. The architecture is much
  |   | more microservice oriented. Keycloak is one large monolith but
  |   | easy to deploy with Docker.
  |   | 
  |   | Both suffer on the documentation front, especially useful
  |   | "cookbook" type of things. Keycloak is impressive, like a lot
  |   | of things from Red Hat. But ory is worth keeping an eye on.
  |   | Both assume fluent understanding of terminology.
  |   | 
  |   | If you need an integrated identity database out of the box, go
  |   | for Keycloak today. Comes with OIDC and SAML, both work great.
  |   | Ory Kratos still requires some manual tinkering.
  |   | madjam002 wrote:
  |   | Yup, it's good, I use it with the recently introduced WebAuthn
  |   | support, although it would be nice if it supported
  |   | passwordless/usernameless login with resident keys.
  | 
  | barryrandall wrote:
  | I've been tempted, but it doesn't support multilateral SAML
  | federation, which is almost mandatory for higher education,
  | which is 100% of my customer base.
  | 
  | But it's definitely easier to live with than Active Directory
  | or SecureAuth.
  | 
  | cpitman wrote:
  | I've run Keycloak securing internet-facing apps with ~1000 users
  | for years. It's so stable, I usually forget it's even there.