Keycloak: one password above all

Anyone who has had any involvement in IT security knows that users are probably the biggest risk factor. Whether it’s opening emails from unknown senders, downloading suspicious attachments, clicking on unverified links, or even sharing passwords with others, irresponsible or insufficiently security-conscious behavior can cause enormous damage to any organization.


Of course, we can try to limit users with restrictions and rules, but experience has shown that the more you hinder comfortable ways of working with security measures, the more likely users are to try to get around them. In other words, security should fit into everyday life as unnoticed as possible – and this requires the secure identification of users and reliable handling of access levels.

There are many IAM (Identity and Access Management) tools available on the market for this purpose – both free and paid. Let us now present Keycloak, a tool that DSS uses in several of its solutions – the details pretty much explain why.

Keycloak – where and how does it work?

Keycloak is an open-source tool available under the Apache License 2.0, and the lion’s share of the work is done by Red Hat (but of course anyone can contribute), so we can be assured that it doesn’t lack features for enterprise use.

It supports three different protocols: OpenID Connect, OAuth 2.0, and SAML 2.0 – the list of supported platforms depends on which protocol you decide to use.

Keycloak can be used as a standalone IAM tool in which we create the user database ourselves and freely define roles and groups within it. It can also connect to already existing user directories or systems. By default, it supports the two most common ones, LDAP and Active Directory, but you can use the Keycloak User Storage API to write custom extensions for any database. In addition, we can use social network identities (with built-in support for Google, Twitter, Facebook and Stack Overflow), and Keycloak can also act as a broker between our users and an external identity provider. Of course, Keycloak also supports Single Sign-On and Single Sign-Out, as well as two-factor authentication (which is increasingly important).
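To make the OpenID Connect side concrete, here is an added example (not code from the original post or from Keycloak) of what an application that trusts a Keycloak realm must check on an access token before honouring the realm and client roles in it. The realm URL, client id and HS256 secret are constructed for the demo; Keycloak signs tokens with RS256 by default, so a real resource server would verify the signature against the realm’s JWKS instead of a shared secret, while the claim checks stay the same.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example (not from the post).
REALM_ISSUER = "https://sso.example.com/realms/demo"   # assumed realm URL
CLIENT_ID = "inventory-api"                             # assumed client id
SECRET = b"constructed-example-secret"                  # HS256 key, demo only

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims, key=SECRET):
    """Mint an HS256 JWT carrying Keycloak-style claims (demo signer only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, key=SECRET, now=None):
    """Check alg, signature, issuer, audience, expiry; return the claims.
    Keycloak uses RS256 by default: real code verifies RS256 via realm JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'alg' from the token
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != REALM_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def roles_for(claims, client_id=CLIENT_ID):
    """Union of realm roles and client roles, in the shape Keycloak emits them."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return set(realm) | set(client)
```

Only after every check passes should the roles be read; a token that fails issuer or audience validation may be perfectly valid for some other realm or client and must still be rejected here.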

Keycloak distributions

Currently, Keycloak is available in three main distribution forms.

  • The first is the standalone server: the downloadable archive contains all the necessary elements. There are two versions of this distribution: one built on WildFly and one built on Quarkus.
  • Keycloak is also available in containerized form as a Docker image for Docker, Podman, Kubernetes and OpenShift.
  • For the latter two, it is also available as an operator based on the Operator SDK.

So, everyone can find the distribution to their liking – the Docker image, for example, can serve you well as a development and testing platform. We set up the test Keycloak server, make the changes, test them, and then restart the container – the changes are discarded and we can start the next tests with a clean environment.

Keycloak on the frontend

Keycloak offers many options not only in the background, but also on the frontend. Whether you’re developing software for yourself or for a customer, users will probably appreciate that the pages that appear in front of them are fully customizable. These pages are FreeMarker templates (.ftl files), so you can use HTML and CSS to make your login pages match your app or corporate style. Some JavaScript can also be placed in the page, so the possibilities are practically limitless.

So why use Keycloak…

… and why we love it so much that we incorporate it into our Industry 4.0 solutions?

  • First of all, it’s free – tools offering similar functionality are usually paid.
  • It supports three different authentication protocols, so you can use a single tool for applications with different security levels, and you can choose the protocol that best meets your expectations for each application.
  • Since Red Hat is behind it, we can be sure that it is a well-designed and written system, and with community support, we can almost certainly get answers to our questions and find solutions to our problems. (At the same time, let’s not forget that we can’t expect a guaranteed SLA from anyone.)
  • It gives you a lot of freedom to build your own solution, but at the same time it can be easily integrated with existing LDAP or AD-based systems or with social network-based identification.
  • And with its web GUI, configuration changes are a breeze, whether it’s users, roles, or permissions.

All in all, if you still don’t know Keycloak, you should check it out.