Introduction to Keycloak
This article was published as a part of the Data Science Blogathon.
In today's technological era, application security has become a much more important concept. Among the security principles, we often hear about the importance of authorization. Unauthorized access to data can potentially cost a large amount of money, and beyond money, a lot of confidential information is at stake. For this reason, every application needs a reliable system or service to manage access. The market offers many solutions, free and paid. In this article, I am trying to introduce Keycloak. I hope this article will give you a better understanding of the fundamentals of Keycloak and why it can be useful. Before getting into Keycloak, we need to understand Identity Access Management (IAM).
IAM (Identity Access Management)
How do you access resources or be active online? It is usually through a working email address, a social login, or even via an application. So you have an identity that is used to access the right resources securely. IAM (Identity Access Management) is a framework used to authenticate the user's identity and privileges: a service running in a private, secure infrastructure that manages the authentication and authorization of users requesting protected resources. It checks whether the users have access to resources and other required files. IAM systems provide tools and technologies that let administrators change a user's role, keep track of user activities, and so on.
In modern applications or projects, we mostly install an Identity and Access Management solution with a web-based interface. Previously, developers needed to build their own user management infrastructure (login page, logout, password reset, password hashing, social login) for every new application they worked on. That has changed thanks to frameworks like Keycloak and container-based technologies like Docker.
What is Keycloak?
The official website says, "Keycloak is an open-source software product to allow single sign-on with Identity and Access Management aimed at modern applications and services." It is distributed under the Apache License 2.0 and is a JBoss community project. The first release was in 2014.
1. We can easily add authentication to applications and secure services.
2. Usually our applications store authentication details in their own databases, but with Keycloak we don't need to deal with storing or authenticating users ourselves.
3. Keycloak provides features like strong authentication, federation (a system can authenticate a user without knowing his/her password by using a federated identity), user management, fine-grained authorization, etc.
4. We can use Keycloak whenever we need an identity and user management platform. It also gives us the SSO (Single Sign-On) feature: once a user has logged in to Keycloak, he doesn't have to log in again to access another application.
5. It has community support.
Now let's get familiar with Keycloak terminology and look at some important features Keycloak offers.
Admin Console
The admin console lets administrators manage all operations and configuration; they can centrally manage all aspects of the Keycloak server. Here we can enable and disable various features, configure identity brokering and user federation, create and manage applications and services, define fine-grained authorization policies, and manage users, including their permissions and sessions.
Account Management Console
By using the account management console, users can control their own accounts. Users can update their profile, change passwords, and set up two-factor authentication. Users can also manage sessions as well as view the account history. If we have enabled social login or identity brokering, users can also link their accounts with additional providers so they can authenticate to the same account with different identity providers.
User Federation
User federation means using a single identity across systems; simply put, it is like using a Facebook or Google login for most of our applications. Keycloak provides built-in support to connect to existing LDAP or Active Directory servers. We can also implement our own provider if we have users in other stores, such as a relational database or a NoSQL database.
Single-Sign-On and Single Sign-out
It is a part of identity federation. Users authenticate with Keycloak rather than with the individual applications. This means that our applications don't have to deal with login forms, authenticating users, or storing users. Once we have logged in to Keycloak, we don't have to log in again to access a different application. This also applies to logout: Keycloak supports single sign-out, which means users only have to log out from one application, and they are automatically logged out from the other authorized applications.
Identity Brokering and Social Login
Keycloak can authenticate users with existing OpenID Connect or SAML identity providers. In addition, it supports social logins such as Google, LinkedIn, Facebook, etc. We only need to select the social network we want to add; no code changes to our application are required. We need only configure the identity provider through the admin console.
Authorization Services
If role-based authorization does not satisfy our application's needs, Keycloak provides a better solution. Keycloak lets us manage permissions for all our services from the Keycloak admin console and gives us the authority to manage whatever policies we need.
Standard Protocols
Keycloak is based on standard protocols and supports OpenID Connect, OAuth 2.0, and SAML. We can integrate our application with Keycloak using any of these protocols.
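Added example (not from the original article or the Keycloak project) of what an application does with a Keycloak-issued OpenID Connect access token before granting access: it checks the signature, the realm issuer, the client (aud/azp), the expiry, and a realm role. The realm URL, client id and the HS256 shared secret are constructed values; a real Keycloak realm signs tokens with RS256 by default and publishes its keys at the realm's JWKS endpoint, so production code verifies against those keys instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; a real deployment uses its own realm and
# client id, and Keycloak signs tokens with RS256 keys from the realm's JWKS endpoint.
REALM_ISSUER = "https://sso.example.com/auth/realms/demo"  # legacy /auth/realms/<realm> form
CLIENT_ID = "my-app"
SHARED_SECRET = b"constructed-hs256-secret"                # HS256 used only to stay offline

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Mint an HS256 JWT so the example runs offline (stands in for Keycloak's token endpoint)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_token(token: str, required_role: str, now=None) -> dict:
    """Return the claims only if signature, issuer, client, expiry and realm role all check out."""
    now = time.time() if now is None else now
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != REALM_ISSUER:  # issued by our realm, not by some other realm
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if CLIENT_ID not in aud and claims.get("azp") != CLIENT_ID:  # Keycloak puts the client in azp
        raise ValueError("token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    roles = claims.get("realm_access", {}).get("roles", [])  # Keycloak realm roles live here
    if required_role not in roles:
        raise PermissionError(f"missing realm role {required_role}")
    return claims
```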
User Specific Customization
Keycloak is highly customizable. Administrators can customize Keycloak from its theme to its internal functionality. Using service provider interfaces, you can program the functionality you require and add it to the Keycloak server as modules. This is a very powerful way to extend the capabilities of Keycloak.
Availability of Number of Connectors (Adapters)
Many adapters have been developed for Keycloak to integrate it with other applications, servers, and frameworks; a few of them are Apache Tomcat, Spring Boot, and WildFly. It can also be connected with mobile applications. Visit the Keycloak documentation for the full list of available connectors.
Clustering
Clustering is used to scale out the Keycloak setup so it can handle a large number of user and application requests. Keycloak supports two major clustering methods: standalone clustered mode and domain clustered mode. In standalone clustered mode, we need to configure each server manually; in domain clustered mode, we can centrally manage and publish the configuration for our servers. There is another clustering method called cross-site replication mode, but it is only a technical preview.
Installation
We can install the server on Linux or Windows. The server download ZIP file contains the scripts and binaries to run the Keycloak server.
1. Download Keycloak from the official website.
2. Place the file in a directory of your choice.
3. Unpack the ZIP file using the appropriate utility, such as jar, tar, or unzip. On Linux, use one of the following commands:
$ unzip keycloak-version.zip
$ tar -xvzf keycloak-version.tar.gz
4. Start the Keycloak server on the system where we installed it.
1. Go to the bin directory of the server distribution.
2. Run the standalone boot script (standalone.sh on Linux, standalone.bat on Windows).
$ cd bin
$ ./standalone.sh
I hope you all now have a basic idea of Identity Access Management, why we use Keycloak, what features it offers, and how to install it and run it on our local machine. Follow my articles and be ready with Keycloak installed. In my next article, we will be learning Spring Security OAuth2 with Keycloak.
- Understanding Identity Access Management.
- Single Sign-On and Single Sign-Out mechanism.
- Identity Brokering and Social Login.
- Keycloak configuration through administration console.
The media shown in this article is not owned by Analytics Vidhya and is used at the Author’s discretion.