
Keycloak: Open-source identity and access management - fanf2
https://www.keycloak.org/
======
jgrodziski
Keycloak is a great piece of engineering. It's a robust IAM, fully-featured,
easy to deploy and integrate with. My opinion is that people should rely on
battle-tested 3rd party solution like Keycloak for their authentication and
authorization needs.

We run it in production on GCP and it integrates nicely with the Clojure
ecosystem (both on the frontend with a SPA and on the backend dealing with
REST API security).

Shameless plug: I maintain the keycloak-clojure wrapper:
[https://github.com/jgrodziski/keycloak-clojure](https://github.com/jgrodziski/keycloak-clojure) (You'll find some
explanations of the Keycloak concepts in the README).

~~~
jwr
Good to hear that a Clojure wrapper is there. I've been thinking about
Keycloak, but I was worried that the login or credentials management UI would
be outside of my app (and different). But perhaps there is a way to integrate
with it while keeping the UI in-app?

~~~
jgrodziski
You can theme the Keycloak UI to be similar to your app's one, particularly
the login/registration screens so the user experience is very smooth. But you
can also define the user/account UI and logic in your app and just delegate
the authn and authz data through the Keycloak APIs.

~~~
jwr
The second option seems interesting! Theming wouldn't help, my app is waaaay
different from an old-style themed template (server-side rendering, client-
side ClojureScript, websockets, etc).

I will definitely take a look, then.

~~~
jgrodziski
I have the same setup (re-frame SPA, websocket, etc.), the only page that is
themed with Keycloak is the login and password change page, everything else is
handled by API calls.

I prefer to deal with account data and logic in a dedicated component that maps
to users stored in Keycloak. Even if you can associate custom attributes
with users and groups, I don't think it's a good idea to do so (performance,
separation of concerns, etc.).

For me Keycloak's job is to handle authentication and authorization data and/or
logic (the authorization service is very well designed but a little bit complex);
for simple use-cases a role check in the application is enough.

------
cdbattags
We use this at my company (Amplify) as a single "realm" configuration with
Google and a few other identity providers for "login with X". There's also
some fun token exchange possible for any openid connect provider.

This means that I can swap Google access tokens for other access tokens and
vice versa.

I'm also a contributor to the "frontend" piece of keycloak that's a JavaScript
library called keycloak-connect (these are known as adapters).

Also also, I'm a maintainer of [https://github.com/cdbattags/lua-resty-jwt](https://github.com/cdbattags/lua-resty-jwt) that I'm using in tandem with
the Keycloak RSA public keys for auth at API gateway/network level.

Ask me anything!

~~~
realdavidops
The best part is when you start chaining Keycloak instances together. We've
had a couple cases where customers have wanted their own identity management,
so we use an instance of Keycloak to connect to our central keycloak instances
and to their solution of choice (Google, AzureAD, etc), and allows everyone to
use their preferred identity platform.

~~~
pm90
I'm a bit confused... are you federating user management of those customers to
their IDP? Or running separate keycloak instances for each of them? Or
something else?

~~~
411111111111111
they could also just let them run their own keycloak instance and use that as
the provider for the realm so customers can more easily debug it themselves.

it doesn't need much maintenance, so it doesn't really get easier than that.

------
edejong
After Okta rudely told us, a paying customer, to pay extra or leave, we
decided to survey alternatives. Four years ago, we found Keycloak and never
looked back. It’s stable, customizable, well engineered and relatively easy to
work with.

------
realdavidops
We've been using Keycloak in production as a multi-tenant SSO solution for our
service delivery. We've been incredibly impressed with the stability and
performance and found it extremely effective.

Keycloak is the upstream project of Red Hat SSO (edit: correct name, thanks
snuxoll.)

Running in Kubernetes with RDS Postgres in AWS.

~~~
closeparen
I've only played with it, but was kind of put off by how much of the 2FA
credential management is only available to admins. It's not like Duo where you
can update your own enrolled phones, U2F devices, and defaults. End users
would have to ask admins to do all that for them.

~~~
realdavidops
Hmm. I'm not sure what you mean. Users by default can use the console to
update their 2FA credentials. The only time I have to intervene is when they
lose their 2FA as it doesn't really do backup codes. We do require 2FA as a
part of our login flows so this is something we're using heavily.

~~~
closeparen
It may be better for TOTP; I was looking at U2F and WebAuthn.

~~~
tialaramex
What would admin enrollment even look like for WebAuthn? Do I need to FedEx my
FIDO security keys to the company IT security department?

I can't imagine any scenario in which you have FIDO keys _and_ admin
enrollment _and_ security but I'm prepared to be enlightened.

~~~
closeparen
You can assign the user a temporary password so that they get prompted to
enroll their credential on first login. But:

a) Because the password is assigned first, it has higher priority, so
subsequent logins will prompt for password first until the admin manually
changes the user's credential ordering to put the WebAuthn (passwordless)
token higher. The user's credential priority overrides the order of challenges
in the login flow.

b) There is no option to add or replace one of these credentials, or manage
credential ordering yourself, in the end-user webapp that does profile editing
/ password updates.

An admin may be able to reset your account so that you get the first-login
experience again and can enroll new credentials.

~~~
tialaramex
Blergh. I guess _maybe_ this can be both safe and effective while just being
really inconvenient, but my instinct is that on the whole it's just going to
be inconvenient without being safe or effective.

Nobody should have designed something like this, for WebAuthn in particular
the standard is explicit about the desire for multiple tokens. Lots of the
design is more complicated so as to support that capability.

------
scrollaway
We've started using Keycloak as a SSO solution for archlinux.org. if you're
interested in helping out with Keycloak on an open source project, send me an
email!

~~~
snuxoll
What help are you specifically needing?

------
ccouzens
I have created OpenAPI (Swagger) schemas for Keycloak's admin rest API.

[https://github.com/ccouzens/keycloak-openapi/tree/master/key...](https://github.com/ccouzens/keycloak-openapi/tree/master/keycloak)

Hopefully these are useful to other people.

See the parent directory for the tooling I wrote to generate them from
Keycloak's HTML documentation.

~~~
hashhar
You might want to upstream these. I'm sure people will find this useful.

------
twp
+1 for Keycloak. It's stable and it works.

I wrote a decent Go client library here: [https://github.com/airmap/go-keycloak](https://github.com/airmap/go-keycloak)

------
xupybd
I've been meaning to play with this for a while. I'm planning on evaluating
how well it works as an authentication layer for Hasura. Hasura looks really
nice but would be no good to me without an authentication layer. I found this
connector as a starting point: [https://github.com/httpsOmkar/keycloak-hasura-connector](https://github.com/httpsOmkar/keycloak-hasura-connector)

~~~
ignoramous
[https://userbase.com](https://userbase.com) is a _serverless_ identity and
access management platform that might tie-in well with hasura. One of the
caveats is the _forgot password_ feature is tricky:
[https://userbase.com/docs/faq/](https://userbase.com/docs/faq/)

~~~
xupybd
Thanks, that does look really good. I'll look into it. I've also been looking
at [https://fusionauth.io/](https://fusionauth.io/).

It's not easy to weigh up all the options. A simple script to generate JWT
tokens might even be an option.

------
captn3m0
Anyone here using Keycloak for a home setup? I've been considering this v/s
[https://www.ory.sh/](https://www.ory.sh/), which is more OIDC focused and
can't decide.

~~~
rad_gruchalski
I've been looking into the ory platform recently. It's all still alpha and beta
but pretty impressive. The architecture is much more microservice oriented.
Keycloak is one large monolith but easy to deploy with Docker.

Both suffer on the documentation front, especially useful “cookbook” type of
things. Keycloak is impressive, like a lot of things from Red Hat. But ory is
worth keeping an eye on. Both assume fluent understanding of terminology.

If you need an integrated identity database out of the box, go for Keycloak
today. Comes with OIDC and SAML, both work great. Ory Kratos still requires
some manual tinkering.

------
mooreds
I found this list of open source SSO providers to be useful in learning about
CIAM options:
[https://gist.github.com/bmaupin/6878fae9abcb63ef43f8ac9b9de8...](https://gist.github.com/bmaupin/6878fae9abcb63ef43f8ac9b9de8fafd)

I'd also love to hear any experiences comparing KeyCloak with commercial
providers (Okta, Auth0, FusionAuth).

~~~
thinkharderdev
We looked at Okta, Auth0 and Cognito when shopping for an identity/auth
solution. If you have pretty vanilla requirements then a SaaS solution will
probably be easier. Keycloak is not the easiest thing in the world to deploy
(although it's pretty straightforward to deploy on k8s using
[https://github.com/codecentric/helm-charts/tree/master/chart...](https://github.com/codecentric/helm-charts/tree/master/charts/keycloak)).

If you need a lot of customizations then Keycloak is great since it has a
really robust architecture for writing extensions. It's also pretty cheap to
run so if cost is a major consideration it's definitely worth a look.

~~~
jokull
Since you looked at Okta, Auth0 and Cognito ... which one did you pick?

~~~
thinkharderdev
We went with Keycloak. Both for cost and for extensibility. More than happy
with our choice

------
ceeker
Can someone confirm if this can be used in a multi-tenant saas app
environment?

Customers want to have their own SSO setup or user roles and instead of
providing all those functionalities in the app, can we use Keycloak in front
and the Customer can manage their own users/permissions via Keycloak?

So in essence:

Customer A: Have 5 users (login / password), 1 admin and 4 regular users --
admin can add or remove users

Customer B: Have an LDAP and would like to authenticate using it

~~~
theomega
I was a heavy user of Keycloak until a year ago and I can only recommend your
setup if you are sure that the number of realms is not growing. Every
additional realm uses a huge amount of memory in Keycloak. From how I understood
the architecture, a lot of components (if not all of them) are initialized per
realm.

We had huge problems modeling multi-tenancy through realms in Keycloak.

Take everything I'm saying with a grain of salt. But, if you are planning to
have a lot of customers and realms, do a benchmark by creating a lot of realms
and checking if you can use all of them in parallel. YMMV.

------
cpitman
I've run keycloak securing internet facing apps with ~1000 users for years.
It's so stable, I usually forget it's even there.

------
TedLePoireau
I love keycloak but I was always disappointed it cannot be used as an LDAP
server. As many open source products and SaaS support LDAP for
authentication/authorization, it would have been perfect for an internal SSO.
Instead of keycloak, I had to rely on GSuite Identity Premium: good product
but gets expensive quickly...

~~~
snuxoll
Setting up OpenLDAP or 389ds and integrating Keycloak with it is hardly rocket
science - no need to reinvent the wheel.

~~~
vetinari
Setting it up with FreeIPA (which contains 389ds) is a matter of filling up a
single form in Keycloak admin.

That includes SPNEGO (passwordless auth in browser) for those, who are
enrolled into domain or have Kerberos tickets.

~~~
kiney
FreeIPA has its own set of problems. One being basically unrunnable in
containers because of weird systemd stuff.

~~~
vetinari
FreeIPA is not supported in containers, because it is integration of a bunch
of services that need to be on the same machine and each of them has its own
idea where to keep state.

It has nothing to do with systemd, despite what systemd-phobes think.

~~~
doublerabbit
And is somewhat broken and bodged with FreeBSD.

------
ackerleytng
Big fan of keycloak (and gatekeeper!) and looking into this issue now: I have
an app (foo) which the user calls through a web frontend. Foo then has to call
bar, massage bar's response, then return that to the user. How should I manage
tokens that way? So far I have 2 ideas

(1) Have foo request expanded scope for tokens, including scope for bar. Use
that same access token to access bar. For this, I'm concerned that if foo
needs to use the access token for a longer time and it expires, then should
foo do the refreshing independently of gatekeeper? Is there a way to update
gatekeeper with a new token?

(2) Have some way of exchanging the user's token for foo, with a user's token
for bar. Can keycloak do this? Can I still use gatekeeper for this?

~~~
snuxoll
Is your web-frontend talking directly to an API? Is there a server-side
session, or is it stateless?

These are the questions you need to answer before the way to handle anything
can be answered. Ultimately, whoever has the session is responsible for
renewing the access token - if you're talking to a stateless service that
would be the users browser, if you have a server-side session for the app then
it would be the server itself.

As far as the access is concerned, avoid token exchange. If foo will always
need to talk to bar, then have it request that scope and include it in the
tokens.
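
The pattern snuxoll describes, as an added example that is not code from the thread or from Keycloak: the component that holds the session (here foo's server-side session) checks the access token before each call to bar, refreshes it through Keycloak's standard token endpoint when it is about to expire, and only forwards a token that was actually issued with bar's audience (option 1 above, not token exchange). The realm, client id/secret, audience value and the `post` transport are assumptions; the decoded claims are read for bookkeeping only, signature verification stays with bar or the gateway.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Keycloak's standard OIDC token endpoint path; host and realm are placeholders (assumption).
TOKEN_ENDPOINT = "https://keycloak.example/realms/myrealm/protocol/openid-connect/token"
REFRESH_SKEW = 30          # refresh this many seconds before `exp` to avoid races
BAR_AUDIENCE = "bar"       # hypothetical audience foo must have been granted for bar


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: this is local
    bookkeeping (exp/aud), never a trust decision; bar/the gateway verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_refresh(token: str, now=None) -> bool:
    now = time.time() if now is None else now
    return decode_claims(token)["exp"] - now <= REFRESH_SKEW


def has_audience(token: str, audience: str) -> bool:
    aud = decode_claims(token).get("aud", [])
    if isinstance(aud, str):       # `aud` may be a single string or a list
        aud = [aud]
    return audience in aud


def http_post_form(url: str, fields: dict) -> dict:
    """Real transport: POST application/x-www-form-urlencoded, parse the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)


def make_test_token(claims: dict) -> str:
    """Constructed token for offline tests: real header/payload encoding, dummy signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


class Session:
    """Server-side session for one user of foo. It holds both tokens, so it is
    the component responsible for renewal (not gatekeeper, not bar)."""

    def __init__(self, access_token, refresh_token, client_id, client_secret,
                 post=http_post_form):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.client_id = client_id
        self.client_secret = client_secret
        self.post = post               # injectable so tests run without a server
        self.refreshes = 0

    def refresh(self):
        body = self.post(TOKEN_ENDPOINT, {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        self.access_token = body["access_token"]
        # Keycloak normally returns a new refresh token as well; keep it.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self.refreshes += 1

    def token_for(self, audience: str, now=None) -> str:
        """Token to put in the Authorization header when foo calls `audience`."""
        if needs_refresh(self.access_token, now):
            self.refresh()
        if not has_audience(self.access_token, audience):
            # foo must have requested bar's scope up front; never forward a
            # token that was not issued for bar.
            raise PermissionError(f"access token not issued for audience {audience!r}")
        return self.access_token
```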

------
cybrix12
What would be the suggested way to automate resources creation?

I use various home made Ansible roles and I find the Keycloak API to be
inconsistent.

E.g.: various GET methods that don't return the complete payload, and some
endpoints that don't save on POST but do when updating.

That said, it's very hard to keep an idempotency with the actual state of the
API.

I haven't yet tested the keycloak-operator [1].

[1]: [https://github.com/keycloak/keycloak-operator](https://github.com/keycloak/keycloak-operator)

~~~
markbaikal
We used the ansible module at work but we had to fork it internally and extend
it heavily. I would suggest you try [https://github.com/mrparkers/terraform-provider-keycloak](https://github.com/mrparkers/terraform-provider-keycloak)
instead, because terraform cleans up after itself (it deletes resources that
you deleted from code, rather than leaving them behind) and terraform is also
much faster, because it auto-parallelizes according to the dependency graph.
The terraform provider also seems much better maintained than the ansible
module.

And yes, the keycloak api is inconsistent.

~~~
cybrix12
Thank you very much. I shared it with the team for a lookup.

------
lostsoul8282
My company has been using this and it's not only really easy to integrate but
we have found it very stable. No issues and really helped us get to market
quickly.

------
darioghilardi
I share the same positive experience I read in this thread about Keycloak.
Over the years it saved me a huge amount of time that I would have otherwise
spent reinventing the wheel. Many thanks to the development team for building
such awesome software.

One feature that stands out for me is the social login integration: a few
clicks and they just work. Among the downsides, I have to mention the fact
that since it's an external tool you need to take care of monitoring, uptime
and upgrades separately from your application.

Recently I started a little side project to create some themes for Keycloak,
the original look and feel is very "enterprise" and I thought about creating
more modern alternatives that you can install and customize in minutes. I
don't know if it's interesting for someone, but in case you are interested you
can follow the progress at
[https://keycloakthemes.com](https://keycloakthemes.com) and maybe subscribe
to the newsletter to be notified when I release the first theme.

------
segmondy
A happy keycloak user here! Okta wants us to pay per user! Ha, if you're a
small outfit with a few hundred users sure, but if you have hundreds of thousands
or millions of users. Nope! We went with keycloak and loving it! We run it in
multiple docker containers for resiliency on AWS. Postgres DB on RDS.
Bulletproof, zero downtime.

------
lukevp
Fusionauth was pretty easy to set up self hosted in a container. Is keycloak
better or equivalent if all I want is Multitenant JWTs issued (multiple
apps/themes in one instance) and an email confirm / password reset workflow
for users? Disclaimer: I’ve contributed to the fusionauth .net core library

------
mathieupassenau
Damn ! Keycloak on HN homepage ! We use it in production for years. Such a
great tool, we deployed a "as a service" version, with a free offer =>
[https://please-open.it](https://please-open.it)

------
api
We use this at my.zerotier.com and it works quite well, though it can be a
little heavy.

------
SeriousM
For the dotnet world you can use and extend
[https://identityserver4.readthedocs.io/en/latest/](https://identityserver4.readthedocs.io/en/latest/)

~~~
snuxoll
IdentityServer is a framework to roll your own IdP, it’s not fully functional
out of the box like Keycloak.

~~~
mulcahey
It can be easier to extend & customize[0] though.

I went with IdentityServer4 on a recent project over Keycloak and Gluu[1] for
that reason and because it was in the same stack as the rest of our ecosystem.

[0] See comment from this thread
[https://news.ycombinator.com/item?id=22871756](https://news.ycombinator.com/item?id=22871756)

[1] [https://www.gluu.org/](https://www.gluu.org/)

~~~
snuxoll
I wrote the comment you cited :)

IdentityServer certainly has better documentation for its extension points at
the moment, but the tradeoff is you have to build _everything_ yourself.
Keycloak comes with a built in admin UI, account management UI, TOTP and
WebAuthN support, the list goes on. You have to go out of your way to build
these or search for a mishmash of plugins for IdentityServer to get everything
Keycloak provides out of the box.

And while the extension points of Keycloak aren't super well documented,
literally all of them are in a dedicated Maven module [0] making it easy to
just browse the code.

[0]: [https://github.com/keycloak/keycloak/tree/master/server-spi/...](https://github.com/keycloak/keycloak/tree/master/server-spi/src/main/java/org/keycloak)

------
pharaohgeek
HUGE fan of Keycloak! It's an outstanding IAM platform. AuthN/AuthZ? Great!
SAML? OIDC? Awesome! Token translation??? (SAML->JWT) Incredible! It's really
a delight to work with. If I had _one_ item on my wishlist it would be support
for non-SQL datastores. It hums along on our PostgreSQL instance with no
problem. We'd love to be able to easily geolocate it as part of our AWS
infrastructure using global DynamoDB tables for data storage. That would
greatly improve the login experience for our users as they are located all
over the world.

~~~
snuxoll
Identity solutions cannot tolerate eventual consistency, if a user changes
their password it MUST be replicated everywhere immediately, if an offline
token is revoked it MUST stop working everywhere. DynamoDB is not an
appropriate tool for the job here.

That said, Keycloak supports Galera clustering and the Infinispan cache can be
configured to work in a multi-DC environment - so there's nothing stopping you
from Geo-replicating the setup.

------
gopaz
Can someone recommend a product (open source) that supports:

* ldap
* multiple password hashes per person, or some other way to keep different hash-functions of the password (ldap supports this)
* saml/shibboleth or openid connect (preferably both)
* export all users and password hashes (I guess ldap supports this natively)

Want to replace a legacy openldap installation with something more modern and
future proof, but need to keep supporting a couple of old systems that won't
go away for a long time.

~~~
jeroenhd
I've been considering setting up a Gluu [1] instance for some of my services.
It supposedly supports LDAP as well as OpenID and Oauth2 for authentication as
well as RADIUS. From what I can tell, this would fit your use case perfectly
fine. It's available as open source software but the company behind it is
selling it as well in case you'd like a support contract.

Note that I haven't set it up myself yet, it's still on my ever-growing list
of "tools I have to take a good look at sometime in the future". It does seem
like a very good piece of software though.

[1] [https://www.gluu.org/](https://www.gluu.org/)

~~~
SEJeff
Just want to say that I've met the lead developer of Gluu randomly at a gitlab
hackathon / party in portland. It seems like they've got a really nice product
and he was extremely knowledgeable along with very likable.

I've never used it, but if I needed to do something like the GP asked, I'd
definitely give it a look.

------
elevation
This post [0] persuaded me that I need multiple SAML IDP signing keys to
prevent badly behaved third party apps from accepting every user
authentication as an authorization. Keycloak supports this configuration, but
can anyone comment on how reasonable this is from an ops standpoint? Is it
difficult to configure this way? Is it harder to back up?

[0]
[https://news.ycombinator.com/item?id=22739626](https://news.ycombinator.com/item?id=22739626)

------
mnming
I might be late to this thread. sad :(

I was looking into Keycloak last year but eventually gave up because I can't
find a friendly/robust enough solution to use source code to manage Keycloak
config.

I am curious how you guys manage staging/production Keycloak instances. Do
you just manually try to keep them the same?

Another question is: Does any company actually use the authorization part of
Keycloak? How's the experience?

------
joe200
Can keycloak let me integrate different k8s clusters running in
Azure/Google/AWS with i.e.: Azure AD ? All our users have accounts in Azure AD
but we would like to let them use k8s clusters running in different cloud
providers without maintaining user accounts there. Is it possible with
keycloak ?

~~~
snuxoll
> Can keycloak let me integrate different k8s clusters running in
> Azure/Google/AWS with i.e.: Azure AD ? All our users have accounts in Azure
> AD but we would like to let them use k8s clusters running in different cloud
> providers without maintaining user accounts there. Is it possible with
> keycloak ?

No real need for Keycloak here, AKS uses Azure AD natively, GCP and AWS can be
configured to use SAML straight from Azure AD to handle authentication.

You could use Keycloak though.

------
AnonC
I haven’t looked at this in years (after it was taken over by RedHat). Can
someone comment on using Keycloak within a .NET application (which would be a
service provider) for SSO with SAML? Does it have easy to use libraries that
make application development easier to work with a configured IdP?

------
zubairq
Keycloak is pretty awesome. So far it is the only authentication mechanism
that we have provided for our open source Dev tool at
[https://github.com/zubairq/pilot](https://github.com/zubairq/pilot)

------
aqiank
Does anyone here have experience of miniOrange? What do you think of Keycloak
compared to miniOrange? I see it in many places such as JIRA marketplace,
WordPress plugins and they always have 5-star ratings. They have their own IdP
server too.

------
nickik
How is their support for WebAuthn/FIDO 2 by now? Anybody know?

~~~
jsiepkes
They have recently implemented it: [https://github.com/keycloak/keycloak-documentation/blob/mast...](https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/authentication/webauthn.adoc)

------
hashhar
It seems like a lot of people have seen the light now and are evaluating
Keycloak even though it has been around for so long.

did something happen recently that I'm missing out on?

~~~
Bombthecat
Microservices and api management get more popular (and with them the need for
jwt/oauth), and since redhat is generally trusted, it is basically the only option
if you want to use it.

~~~
hashhar
Hmmm, I thought something happened recently or it's just confirmation bias
from my end cause I've been seeing a little too much lately.

RedHat has some nice software designers - design for extensibility is visible
in every product they create. And adhering to standards like the Java EE web
framework instead of going the NIH style of Spring. After 2 or 3 major
releases the Spring APIs start showing signs of leaky abstractions or outright
confusing mess.

------
blain_the_train
Does anyone know if the export functionality works between versions? I'm
guessing no.

Thought I would ask since I'm working on this right now :)

------
drchaim
Is it easy to save user information like companies, contracts and so
on alongside the user?

~~~
snuxoll
Simple attributes can be added easily (it's as simple as adding form fields
with an id of `user.attribute.company`), but anything requiring access
restrictions (only an admin can update, for example) will require custom
development.

The Profile SPI in the works hopes to make this much easier, you can track the
progress on that on the JBoss JIRA tracker [0].

[0]:
[https://issues.redhat.com/browse/KEYCLOAK-2966](https://issues.redhat.com/browse/KEYCLOAK-2966)

------
deathtrader666
Could someone please ELI-5 what Keycloak is, and how it fits in a SaaS app?

~~~
tofflos
Keycloak is an authentication portal that sits in front of other applications
thereby freeing those applications from the burden of implementing login forms
and secure password storage.

~~~
devnullbyte
"that sits in front of": does that mean that minimal refactoring / re-
architecture is needed for a REST based application? Trying to get an idea of
how easy it is to start using keycloak.

~~~
Robinyo
Some Keycloak-related tutorial style posts:

* Getting started with Keycloak: [https://robferguson.org/blog/2019/12/24/getting-started-with...](https://robferguson.org/blog/2019/12/24/getting-started-with-keycloak/)

* Angular, OpenID Connect and Keycloak: [https://robferguson.org/blog/2019/12/29/angular-openid-conne...](https://robferguson.org/blog/2019/12/29/angular-openid-connect-keycloak/)

* Angular, OAuth 2.0 and Keycloak: [https://robferguson.org/blog/2019/12/31/angular-oauth2-keycl...](https://robferguson.org/blog/2019/12/31/angular-oauth2-keycloak/)

* Keycloak, Flowable and OpenLDAP: [https://robferguson.org/blog/2020/01/03/keycloak-flowable-an...](https://robferguson.org/blog/2020/01/03/keycloak-flowable-and-openldap/)

* Keycloak Themes - Part 1: [https://robferguson.org/blog/2020/04/12/keycloak-themes-part...](https://robferguson.org/blog/2020/04/12/keycloak-themes-part-1/)

------
devdavid
This is some well crafted software indeed, and extendable.

Java EE

------
chirau
How does this compare to Hydra?

~~~
KitDuncan
Keycloak is basically the entire Ory ecosystem rolled into one big software,
along with a management interface and login.

Ory Hydra only deploys an openid connect provider on top of whatever
authentication you want to use. Ory Kratos is their new auth system, but still
in very early stages.

~~~
chirau
Ah thank you for the well explained response. So does Keycloak have any tools
to build an identity provider?

