Thursday, June 6, 2019

This document is a summary of the key features of Keycloak, an open-source Identity and Access Management (IAM) product. Organizations use it when they want a reliable solution without reinventing the core modules of an IAM. It is open source and works well with the major public cloud providers. It supports both OAuth 2.0 and OpenID Connect (OIDC): OAuth 2.0 is an authorization framework for delegating access to resources, and OIDC adds an identity (authentication) layer on top of it, so a client learns who the user is as well as what it may access.
The resources Keycloak manages are users, clients, roles, groups, events and identity providers. Identity providers let Keycloak broker logins from social networks, Security Assertion Markup Language (SAML) and OpenID Connect, which are separate protocols for obtaining an identity from an external identity provider. A module known as user federation allows integration with an organization's existing user store, such as an LDAP directory or Kerberos, using the Lightweight Directory Access Protocol (LDAP) and Kerberos protocols.
Keycloak works with all kinds of applications (mobile, frontend, backend) through what is called a Keycloak adapter. Each application is registered as a client in a realm, and its adapter talks to Keycloak to look up the identity and authenticate and authorize the user on that client's behalf. There is usually one adapter instance per backend service, but there can be many instances behind a load balancer for a given client, and session state can be replicated across them. The adapters validate tokens without keeping server-side state, a paradigm that suits containers.
Stateless validation means the access token presented to a Keycloak adapter is validated in each of the pods hosting the backend service. There can be many pods running the same service, but each performs the validation itself by parsing the token's three parts (header, payload and signature, the standard JSON Web Token layout) and checking the signature against the realm's public key, so no call back to the Keycloak server is needed. When the access token expires, the client uses its refresh token to obtain a new one and the old token is discarded.
Keycloak usually ships as a standalone server distribution, designed as a single product that can be set up and configured quickly. It is available as a Docker image, runs on OpenJDK and provides a Spring Boot adapter, to name some popular developer tools. Deployments are hardened with IP and port restrictions, and the realm's brute-force detection mitigates password guessing by locking out an account after repeated failed logins. In the event that an access token or refresh token is compromised, an administrator can push a revocation ("not-before") policy to all applications so that tokens issued before that time are rejected. By default Keycloak takes the hostname it advertises in issuer URLs and links from the incoming request, which is typical for most protocols, S3's virtual-hosted-style bucket addressing included; because a request-derived hostname ends up in issued tokens and in links sent to users, production deployments pin the hostname in configuration rather than trusting the request.
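As an added example (not code from this page or from the Keycloak project), the following Go program shows the local validation described in the two preceding paragraphs: it splits a token into header, payload and signature, pins the algorithm to RS256, verifies the signature with the realm's public key, and then enforces expiry, the pushed not-before revocation time, issuer and audience, all without contacting the server. SignRS256 stands in for the realm issuing a token so the block runs offline; the realm URL https://sso.example.com/realms/demo, the audience backend-api and the throwaway key pair are assumptions, and the claim names (iss, aud, exp, iat) are the standard ones a Keycloak access token carries.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims are the checked fields; Keycloak emits "aud" as a string or an array.
type Claims struct {
	Iss string          `json:"iss"`
	Aud json.RawMessage `json:"aud"`
	Exp int64           `json:"exp"`
	Iat int64           `json:"iat"`
}

// hasAudience accepts both shapes Keycloak uses for "aud".
func hasAudience(raw json.RawMessage, want string) bool {
	var v interface{}
	json.Unmarshal(raw, &v) // string, array, or nil when absent or unparsable
	list, _ := v.([]interface{})
	if s, ok := v.(string); ok {
		list = []interface{}{s}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// SignRS256 stands in for the realm issuing a token: base64url(header).base64url(payload), RSA-PKCS1v15/SHA-256 signed.
func SignRS256(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyRS256 is the check each pod runs locally, without calling the server: split header.payload.signature,
// pin the algorithm, verify the signature with the realm public key, then enforce exp, not-before, iss and aud.
func VerifyRS256(token string, pub *rsa.PublicKey, issuer, audience string, notBefore int64, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: expected header.payload.signature")
	}
	// The algorithm is fixed by configuration; trusting the header would let a forger pick "none" or an HMAC alg keyed with the public key.
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejected header (alg=%q)", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	// The payload is parsed only after the signature has verified.
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(body, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	switch {
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired: the client must use its refresh token")
	case c.Iat < notBefore: // tokens issued before an admin's not-before push count as revoked
		return nil, fmt.Errorf("stale token: issued before the pushed not-before time")
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not the expected realm", c.Iss)
	case !hasAudience(c.Aud, audience):
		return nil, fmt.Errorf("token was not issued for this service")
	}
	return &c, nil
}

func main() { // throwaway key pair and hypothetical realm URL stand in for the real realm
	realmKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss, now := "https://sso.example.com/realms/demo", time.Now()
	tok, _ := SignRS256(realmKey, map[string]interface{}{"iss": iss, "aud": "backend-api", "iat": now.Unix(), "exp": now.Unix() + 300})
	_, err := VerifyRS256(tok, &realmKey.PublicKey, iss, "backend-api", 0, now)
	fmt.Println("fresh token:", err)
	_, err = VerifyRS256(tok, &realmKey.PublicKey, iss, "backend-api", now.Unix()+1, now) // after an admin's not-before push
	fmt.Println("after revocation push:", err)
}
```

In a real deployment the public key is fetched from the realm and cached by the adapter, and the notBefore value is what an administrator's revocation push delivers to every application; a rejected token sends the client back to Keycloak with its refresh token, not to the service, which is why none of the pods need to share state.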
