[HN Gopher] Keycloak: Open-source identity and access management
       ___________________________________________________________________
        
       Keycloak: Open-source identity and access management
        
       Author : fanf2
       Score  : 88 points
       Date   : 2020-04-14 20:43 UTC (2 hours ago)
        
 (HTM) web link (www.keycloak.org)
 (TXT) w3m dump (www.keycloak.org)
        
       | SeriousM wrote:
       | For the dotnet world you can use and extend
       | https://identityserver4.readthedocs.io/en/latest/
        
         | snuxoll wrote:
         | IdentityServer is a framework to roll your own IdP, it's not
         | fully functional out of the box like Keycloak.
        
       | xupybd wrote:
       | I've been meaning to play with this for a while. I'm planning on
       | evaluating how well it works as an authentication layer for
       | Hasura. Hasura looks really nice but would be no good to me
        | without an authentication layer. I found this connector as a start
       | point https://github.com/httpsOmkar/keycloak-hasura-connector
        
         | ignoramous wrote:
         | https://userbase.com is a _serverless_ identity and access
         | management platform that might tie-in well with hasura. One of
         | the caveats is the _forgot password_ feature is tricky:
         | https://userbase.com/docs/faq/
        
       | cdbattags wrote:
       | We use this at my company (Amplify) as a single "realm"
        | configuration with Google and a few other identity providers
        | for "login with X". There's also some fun token exchange possible
        | for any OpenID Connect provider.
       | 
       | This means that I can swap Google access tokens for other access
       | tokens and vice versa.
       | 
       | I'm also a contributor to the "frontend" piece of keycloak that's
       | a JavaScript library called keycloak-connect (these are known as
       | adapters).
       | 
        | Also also, I'm a maintainer of
        | https://github.com/cdbattags/lua-resty-jwt that I'm using in tandem
        | with the Keycloak RSA public keys for auth at API gateway/network
        | level.
       | 
       | Ask me anything!
        
         | realdavidops wrote:
         | The best part is when you start chaining Keycloak instances
         | together. We've had a couple cases where customers have wanted
         | their own identity management, so we use an instance of
         | Keycloak to connect to our central keycloak instances and to
         | their solution of choice (Google, AzureAD, etc), and allows
         | everyone to use their preferred identity platform.
        
       | realdavidops wrote:
        | We've been using Keycloak in production as a multi-tenant SSO
       | solution for our service delivery. We've been incredibly
       | impressed with the stability and performance and found it
       | extremely effective.
       | 
       | Keycloak is the upstream project of Red Hat SSO (edit: correct
       | name, thanks snuxoll.)
       | 
       | Running in Kubernetes with RDS Postgres in AWS.
        
         | closeparen wrote:
         | I've only played with it, but was kind of put off by how much
         | of the 2FA credential management is only available to admins.
         | It's not like Duo where you can update your own enrolled
         | phones, U2F devices, and defaults. End users would have to ask
         | admins to do all that for them.
        
           | realdavidops wrote:
           | Hmm. I'm not sure what you mean. Users by default can use the
           | console to update their 2FA credentials. The only time I have
           | to intervene is when they lose their 2FA as it doesn't really
           | do backup codes. We do require 2FA as a part of our login
           | flows so this is something we're using heavily.
        
         | toomuchtodo wrote:
         | Any pitfalls you've encountered when implementing?
        
           | realdavidops wrote:
            | The biggest thing we encountered was related actually to our
            | initial deployment with Active Directory. This made logins
            | slow, but we actually found we could remove the requirement for
            | Active Directory.
           | 
           | It is super heavily based on Wildfly, and if you're not using
           | a tool like docker, it can be kind-of a burden. It runs
           | decently well in standalone mode, but we ended up using the
           | docker container's clustering with Kubernetes service
           | discovery helping to find the other nodes to achieve a
           | clustered deployment.
           | 
            | Outside of that it has been extremely stable, we use
           | Kubernetes deployment mechanism along with a correctly
           | defined readiness check to allow us to seamlessly upgrade,
           | and we've gone from 4.3.0.Final to 7.0.1 in production
           | without any problems. We haven't upgraded to 8 or 9 yet as
           | we're actually working on some new frontend UI changes we
           | wanted to get out the door with the release.
        
           | snuxoll wrote:
           | It's highly integrated with Wildfly (or JBoss EAP for the
           | commercial product), so if you're not deploying it with the
           | Docker images expect to have _fun_ dealing with the special
            | hell that is Java application servers - setting up Infinispan
           | and configuring the database in JNDI at a minimum will
           | require some moderate reading.
           | 
           | If you do use the Docker images it's pretty straightforward
           | though.
           | 
           | Past that, customization could be better - not because it
            | doesn't support it but because many of the SPIs are poorly
           | documented at best, or totally undocumented at worst. You'll
           | need to read the code and understand Java EE to do anything
           | not supported out of the box, which, to be fair is a lot -
           | but I'm having to spend far more time looking through code
           | than I'd like to add a Steam login for PCGamingWiki, as an
           | example. Thankfully I've dabbled with Java EE before so it's
           | no big deal to me, but something to consider if you wanna do
           | something simple like add extra profile fields.
        
             | bebop wrote:
             | I would agree that a pain point is the lack of
              | documentation, examples, and googleability of the SPIs. I
             | have spent much longer than I would have expected
             | integrating an existing user database.
        
         | snuxoll wrote:
         | Upstream of Red Hat SSO, Red Hat IdM is the commercial product
         | based on FreeIPA.
        
           | realdavidops wrote:
            | Oof! Good catch! Yes, Red Hat SSO.
        
         | B3NE wrote:
         | Did you build any custom extensions for Keycloak by
         | implementing Keycloak's Service Provider Interfaces? If you are
         | running any custom extensions, what features did you have to
         | add?
        
       | ceeker wrote:
        | Can someone confirm if this can be used in a multi-tenant SaaS
       | app environment?
       | 
       | Customers want to have their own SSO setup or user roles and
       | instead of providing all those functionalities in the app, can we
       | use Keycloak in front and the Customer can manage their own
       | users/permissions via Keycloak?
       | 
       | So in essence:
       | 
       | Customer A: Have 5 users (login / password), 1 admin and 4
       | regular users -- admin can add or remove users
       | 
       | Customer B: Have an LDAP and would like to authenticate using it
        
         | snuxoll wrote:
          | Absolutely. You can set up multiple realms in Keycloak to
          | isolate tenants from each other, and beyond the built-in admin
          | UI you can access all of the configuration over a REST API to
          | build your own admin tools if needed.
        
         | mjochim wrote:
          | This should be possible, since everything you mention is a
          | realm-specific setting (i.e. you create one realm per
          | customer), including that a user can be admin in one realm
          | only.
         | 
         | I'm saying "should be" because personally, I have only used
         | single-realm setups in production so far.
         | 
         | Must say I'm a big fan of Keycloak.
        
       | jgrodziski wrote:
       | Keycloak is a great piece of engineering. It's a robust IAM,
       | fully-featured, easy to deploy and integrate with. My opinion is
        | that people should rely on battle-tested third-party solutions like
        | Keycloak for their authentication and authorization needs.
       | 
       | We run it in production on GCP and it integrates nicely with the
       | Clojure ecosystem (both on the frontend with a SPA and on the
       | backend dealing with REST API security).
       | 
       | Shameless plug: I maintain the keycloak-clojure wrapper:
       | https://github.com/jgrodziski/keycloak-clojure (You'll find some
       | explanations of the Keycloak concepts in the README).
        
       | mooreds wrote:
       | I found this list of open source SSO providers to be useful in
       | learning about CIAM options:
       | https://gist.github.com/bmaupin/6878fae9abcb63ef43f8ac9b9de8...
       | 
        | I'd also love to hear any experiences comparing Keycloak with
       | commercial providers (Okta, Auth0, FusionAuth).
        
       | lostsoul8282 wrote:
       | My company has been using this and it's not only really easy to
       | integrate but we have found it very stable. No issues and really
       | helped us get to market quickly.
        
       | scrollaway wrote:
        | We've started using Keycloak as an SSO solution for archlinux.org.
        | If you're interested in helping out with Keycloak on an open
       | source project, send me an email!
        
       | blain_the_train wrote:
       | Does anyone know if the export functionality works between
       | versions? I'm guessing no.
       | 
        | Thought I would ask since I'm working on this right now :)
        
       | captn3m0 wrote:
       | Anyone here using Keycloak for a home setup? I've been
       | considering this v/s https://www.ory.sh/, which is more OIDC
       | focused and can't decide.
        
         | rad_gruchalski wrote:
         | I've been looking into ory platform recently. It's all still
         | alpha and beta but pretty impressive. The architecture is much
          | more microservice oriented. Keycloak is one large monolith but
         | easy to deploy with Docker.
         | 
         | Both suffer on the documentation front, especially useful
         | "cookbook" type of things. Keycloak is impressive, like a lot
         | of things from Red Hat. But ory is worth keeping an eye on.
         | Both assume fluent understanding of terminology.
         | 
         | If you need an integrated identity database out of the box, go
         | for Keycloak today. Comes with OIDC and SAML, both work great.
         | Ory Kratos still requires some manual tinkering.
        
         | madjam002 wrote:
          | Yup, it's good, I use it with the recently introduced WebAuthn
          | support, although it would be nice if it supported
          | passwordless/usernameless login with resident keys.
        
         | barryrandall wrote:
         | I've been tempted, but it doesn't support multilateral SAML
         | federation, which is almost mandatory for higher education,
         | which is 100% of my customer base.
         | 
         | But it's definitely easier to live with than Active Directory
         | or SecureAuth.
        
       | cpitman wrote:
       | I've run keycloak securing internet facing apps with ~1000 users
       | for years. It's so stable, I usually forget it's even there.
        
       ___________________________________________________________________
       (page generated 2020-04-14 23:00 UTC)