Security is a vital part of any complex system architecture, and it is better to get it right from the start. Therefore, we want to introduce you to the Red Hat Keycloak identity management project.
Why Use Identity Management Software
The consequences of a poorly written authentication module can be drastic: user account data theft, or an attacker gaining access to active user sessions. It is important to use ready-made solutions that rely on proven communication protocols and cryptographic approaches.
If you are using public cloud infrastructure, identity provider options such as Azure AD and AWS Cognito are at your disposal and can be integrated directly. However, these solutions are not portable between providers, and they would not work if you have a data center or keep your user information in multiple sources. If you are supplying a white-label solution that should run in various flavours of containerisation environments, you don’t have the luxury of ready-made solutions.
In enterprise in-house environments it is a good idea to use hosted solutions such as Okta and Auth0. This is a simple and powerful approach. However, as with many SaaS solutions, there are trade-offs. Licensing becomes complex if you want to distribute Identity Management modules along with your software as a white-label solution. There are also questions regarding data protection, network access and data locality, especially in regulated environments such as financial and government institutions, which can rule SaaS providers out for a given project.
If your application is distributed in a white-label model to multiple sites, Keycloak is the essential tool to bundle with your microservices for modern and secure Identity Management functionality.
What is Keycloak?
Keycloak is the upstream open source community project for Red Hat Single Sign-On. This means it is the free software version of Red Hat’s commercial product offering, which you configure and host yourself. Keycloak is distributed under the liberal Apache 2 license, which places no limitations on your usage of the software whatsoever.
Keycloak provides a central point of user authorization management in an organization and serves as an access provider in complex microservice environments. Keycloak can unify information from various identity providers such as Active Directory and FreeIPA, or from solutions based on industry-standard protocols such as SAML, LDAP and OAuth2. Because social networks such as Facebook and Google all use some flavour of the OAuth2 protocol, you can configure login with them as well.
Keycloak itself exposes the OAuth2 and OpenID Connect protocols to authenticate against, as well as traditional authentication flows with password, SMS OTP or X.509 client certificates. It is possible to model an authentication flow for every use case and to segment your users into so-called Realms.
By using Keycloak you are getting traditional user management features like:
- password renewal policies;
- password complexity rules;
- multi-factor authentication;
- brute force attack protection;
- user impersonation;
and many more.
All of that comes in one package with a powerful web-based administration interface. No coding required.
Keycloak Usage Example
The power of Keycloak lies in its configurability and extensibility. It has extension mechanisms on all levels, which makes it easy to add, modify or adapt the necessary functionality.
Let’s take a look at a fictitious project inspired by several real customer projects we have implemented. We would need to design a customized login theme to hide the default pages. Users should be able to log in using a password, social networks or the Baltics’ most popular eID solution, SmartID. All user data is kept in the Keycloak internal database. An SMS with a one-time password is sent to the registered user phone number every time a user wants to authenticate.
The system whose access is protected by Keycloak consists of Spring Boot (Java) and NodeJS microservices. Both are able to connect to the Identity Management software to validate user access roles and session integrity. The overall system architecture is depicted as follows.
The only bit that requires custom coding is Smart ID authentication, since it does not operate using known industry protocol standards. Everything else is provided through configuration only. Instead of months of coding and potential security flaws, it is possible to accomplish such a project in just a couple of weeks. This is what we like about Keycloak’s modularity and power.
Of course, you need to acquaint yourself with the internals of the software and best practices of production deployments.
Keycloak Project Future
In our opinion, the Keycloak project has a bright future and is far from being phased out by competition.
- Keycloak is a stable project used in plenty of production environments including banks;
- Keycloak is being actively improved and has frequent releases;
- It is cloud-native friendly, with its own operator project to ease rollout on Kubernetes environments;
- The configuration and extension mechanisms can provide solutions for most projects;
- Keycloak plans to migrate from WildFly to Quarkus runtime in 2022 to optimize resource consumption and be more fit for public cloud environments.
We have used Keycloak successfully in several projects for our customers and can only recommend it to everyone to solve their Identity Management issues!
What We Do to Help
We, at A-heads Consulting, are experts in Keycloak extension development, installation, configuration, and customization. We have in-depth knowledge of Keycloak internals and functional possibilities. We are able to help you assess the suitability of Keycloak for your project requirements, as well as implement and support it end-to-end.
We provide:
- Keycloak extension development
- Keycloak solution installation
- Keycloak configuration and customization
- Custom software development
Please feel free to contact us!