
I went with using Keycloak for a platform I'm developing right now and it feels like a very overcomplicated enterprise piece of software - it still does work and has the features that I need (notably: an SSO login portal, user registration, password resets and social login), but definitely needed a certain amount of time to configure correctly and had odd bugs, like me needing the following in my reverse proxy configuration:

  SetEnv proxy-initial-not-pooled 1
  SetEnv proxy-nokeepalive 1
otherwise connections would randomly drop. I was looking for other ways to make development a bit easier and also settled on mod_auth_openidc, which is an Apache module that lets it act like a Relying Party and handle lots of the heavy lifting (protecting endpoints, refreshing tokens etc.) for me, and lets me work with just a few headers that are passed to the protected resources: https://github.com/OpenIDC/mod_auth_openidc

It works, but I'm still not happy - I realize that there are many types of attacks that have historically been a problem and that certain OpenID Connect flows try to protect against, in addition to the fact that if I wrote my own security code it'd almost certainly be worse and have vulnerabilities (in the words of Eoin Woods: "Never invent security technology"), and it's a good thing to follow standards... but the whole thing is such a pain. Both OpenID Connect, Keycloak and configuring mod_auth_openidc.

Right now I'm moving permissions/roles back into the app DB, because I don't want to have to work with the Keycloak REST API every time I want to change what a user can or cannot do in the system, in addition to permissions which might only apply conditionally (one user might be related to multiple organizations, having different permissions in the context of each).

Regardless, it's nice that there are more pieces of software out there to choose from! Do manage your expectations when working with OpenID Connect, though.



What I've always wanted from a system like this is the ability to send a one-time registration link to someone over e-mail. That would enable more controlled self registration without fully opening up registration. I never found anything like this though. If anyone knows something please let me know.


You could build it backed by the Keycloak Admin API.
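One way the suggestion above could be realised, as an added example that is not code from the thread: create the account with the Keycloak Admin REST API and have Keycloak e-mail a time-limited action link through its execute-actions-email endpoint. It assumes a Keycloak instance at a placeholder base URL, a realm named "myrealm", an admin bearer token obtained beforehand, and SMTP configured for the realm; the HTTP transport is injected so the flow can be exercised offline.

```python
"""Invite a user with a time-limited e-mail link via the Keycloak Admin REST API.

Added example (not from the thread). Assumes: Keycloak at a placeholder URL,
realm "myrealm", an admin token already obtained, SMTP configured for the realm.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Sequence, Tuple

# Transport contract: (method, url, headers, body) -> (status, response headers)
Http = Callable[[str, str, Dict[str, str], bytes], Tuple[int, Dict[str, str]]]


def urllib_http(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, Dict[str, str]]:
    """Minimal standard-library transport; never raises on HTTP error statuses."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def invite_user(base_url: str, realm: str, token: str, email: str, http: Http,
                lifespan: int = 3600, actions: Sequence[str] = ("UPDATE_PASSWORD",)) -> str:
    """Create the user, then ask Keycloak to e-mail an action link; returns the user id.

    'lifespan' (seconds) bounds how long the link is valid, which keeps the
    invitation controlled rather than an open registration.
    """
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    users_url = f"{base_url}/admin/realms/{realm}/users"
    user = {"username": email, "email": email, "enabled": True,
            "emailVerified": False, "requiredActions": list(actions)}
    status, resp_headers = http("POST", users_url, headers, json.dumps(user).encode())
    if status == 409:
        raise ValueError(f"user {email!r} already exists; refuse to re-invite silently")
    if status != 201:
        raise RuntimeError(f"user creation failed with HTTP {status}")
    # Keycloak returns the new resource in the Location header (match case-insensitively).
    location = next(v for k, v in resp_headers.items() if k.lower() == "location")
    user_id = location.rstrip("/").rsplit("/", 1)[-1]
    mail_url = f"{users_url}/{user_id}/execute-actions-email?lifespan={int(lifespan)}"
    status, _ = http("PUT", mail_url, headers, json.dumps(list(actions)).encode())
    if status != 204:
        raise RuntimeError(f"execute-actions-email failed with HTTP {status}")
    return user_id


if __name__ == "__main__":  # performs real network calls; replace the placeholders first
    print(invite_user("https://keycloak.example.test", "myrealm", "ADMIN_TOKEN",
                      "new.user@example.test", urllib_http, lifespan=24 * 3600))
```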


Have you considered/tried Ory Kratos + Hydra [0]? I've never used either Ory or Keycloak, but out of these 2, Keycloak feels more opinionated and harder to set up, though it does have more features.

[0] https://www.ory.sh/open-source/


Hydra and Kratos do not come with any frontend components, it's essentially just an API you have to write a much more opinionated client for.


This is a unique feature of Kratos/Hydra: you can use your own frontend components. With many other implementations this is not possible. What do you mean by "much more opinionated client"? There is a set of standard flows that your app has to handle and that's it for most cases.

If you want out of the box components they also have a paid version for that (and code examples in OSS)


Kratos does have a reference UI implementation: https://github.com/ory/kratos-selfservice-ui-node


> one user might be related to multiple organizations, having different permissions in the context of each

Multitenancy is hard, messy and error-prone. Do you really need it, or maybe you could be happy with a user-per-tenant scheme?



