
Keycloak is a great piece of engineering. It's a robust IAM, fully-featured, easy to deploy and integrate with. My opinion is that people should rely on a battle-tested 3rd-party solution like Keycloak for their authentication and authorization needs.

We run it in production on GCP and it integrates nicely with the Clojure ecosystem (both on the frontend with a SPA and on the backend dealing with REST API security).

Shameless plug: I maintain the keycloak-clojure wrapper: https://github.com/jgrodziski/keycloak-clojure (You'll find some explanations of the Keycloak concepts in the README).




Good to hear that a Clojure wrapper is there. I've been thinking about Keycloak, but I was worried that the login or credentials management UI would be outside of my app (and different). But perhaps there is a way to integrate with it while keeping the UI in-app?


You can theme the Keycloak UI to be similar to your app's one, particularly the login/registration screens so the user experience is very smooth. But you can also define the user/account UI and logic in your app and just delegate the authn and authz data through the Keycloak APIs.


The second option seems interesting! Theming wouldn't help, my app is waaaay different from an old-style themed template (server-side rendering, client-side ClojureScript, websockets, etc).

I will definitely take a look, then.


I have the same setup (re-frame SPA, websocket, etc.); the only page that is themed with Keycloak is the login and password change page, everything else is handled by API calls.

I prefer to deal with account data and logic in a dedicated component that maps to users stored in Keycloak. Even if you can associate custom attributes with users and groups, I don't think it's a good idea to do so (performance, separation of concerns, etc.).

For me, Keycloak's job is to handle authentication and authorization data and/or logic (the authorization service is very well designed but a little bit complex); for a simple use case, a role check in the application is enough.


> The second option seems interesting! Theming wouldn't help, my app is waaaay different from an old-style themed template (server-side rendering, client-side ClojureScript, websockets, etc).

Well, since we are talking SAML or OIDC here - you don't really have a choice for the login/registration. The IdP provides the login and registration pages, not your application. You are free to build your own account management page, but you still have to ask Keycloak for a token.


Oh interesting, I have been wanting to do something with it and Clojure.


Feel free to ask me anything about Keycloak in the Clojure ecosystem. The README of keycloak-clojure needs some lifting but hopefully you'll find everything you need.



