SSO & IAM Service – Keycloak: All You Need To Know

Keycloak is a powerful open-source identity and access management (IAM) solution that offers a wide range of features to secure applications and manage user access. Here’s everything you need to know about Keycloak:

Why Keycloak

In today’s digital age, identity management plays a pivotal role in ensuring the security and accessibility of online resources. Whether you’re a business looking to secure your applications or an organization seeking to streamline user access, choosing the right identity management solution is crucial. Among the many options available, Keycloak stands out as a formidable choice. In this article, we’ll explore why Keycloak should be your preferred choice over other identity managers.

Open Source Advantage

One of Keycloak’s most significant advantages is its open-source nature. Developed by Red Hat, Keycloak is released under the Apache License 2.0, making it freely available for anyone to use, modify, and distribute. This open-source approach fosters a vibrant community of developers and users, resulting in continuous improvement and innovation.

Comprehensive Identity and Access Management (IAM)

Keycloak provides a comprehensive set of features for identity and access management. It offers Single Sign-On (SSO), authentication, authorization, and user federation, making it a versatile solution for various use cases. Whether you need to secure web applications, APIs, or mobile apps, Keycloak has you covered. A sample authentication flow is given below:

Integration Support

Keycloak supports a wide range of authentication protocols and standards, including OAuth 2.0, OpenID Connect, SAML, and more. This flexibility lets you integrate Keycloak into your existing infrastructure and interact with a variety of identity providers and services. The following image illustrates how easily Keycloak can be integrated with other protocols and platforms:

User-Friendly Interface

Keycloak has an intuitive administration console that simplifies the setup and management of users, roles, and permissions. Even users without extensive technical expertise can efficiently use the platform, reducing the burden on IT teams.

Scalability and High Availability

As your organization grows, so do your identity management needs. Keycloak is designed for scalability and high availability, ensuring it can handle increasing user loads without compromising performance or reliability. You can deploy Keycloak in a clustered configuration to meet the demands of large-scale applications.

Easily Customizable

Keycloak’s architecture is highly extensible, allowing you to customize its functionality to suit your specific requirements. You can develop custom authentication providers, themes, and plugins, ensuring that Keycloak adapts to your organization’s unique needs.

Security Features

Security is a top priority for identity management, and Keycloak excels in this area. It offers features like brute-force protection, password policies, and multi-factor authentication (MFA) to enhance the security of your applications and data. Additionally, Keycloak regularly receives security updates and patches to address emerging threats.

Large Community

Keycloak boasts a robust community of users and developers who actively contribute to its improvement. You can find extensive documentation, forums, and community support to assist with any issues or questions. For enterprise users, Red Hat offers commercial support and services to ensure the highest level of assistance and reliability.

Cost-Efficiency

Being open-source and freely available, Keycloak significantly reduces the total cost of ownership compared to proprietary identity management solutions. This cost-efficiency is especially attractive for small and medium-sized businesses looking to implement robust identity management without breaking the bank.

Installation

Get started with Keycloak on Docker

From a terminal, enter the following command to start Keycloak:

docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:21.1.1 start-dev

This command starts Keycloak exposed on local port 8080 and creates an initial admin user with the username admin and password admin.

Once the container is running, log in to the Admin Console with that username and password and create a user.

1- Create a user

Initially, the realm has no users. Use these steps to create a user:

  1. Open the Keycloak Admin Console.
  2. Click Users in the left-hand menu.
  3. Click Create a new user.
  4. Fill in the form with the following values:
    1. Username: testuser1
    2. First name: any first name
    3. Last name: any last name
  5. Click Create.

Customize User Attributes

You can also customize the JWT issued by Keycloak by adding custom user attributes as claims. To do so, follow these steps:

1- Once the user is created, open the Attributes tab from the top navigation, set a key and value, and save.

2- Create a client: click the Clients tab in the left navigation bar.

3- Go to Client Scopes, select an existing default scope or create a new one, and make sure it is associated with the client you just created.

4- Click the scope and, from the top navigation bar, select Mappers; the attributes already mapped are listed here. Click Add mapper, which offers two options:

  1. From predefined mappers
  2. By configuration

Select By configuration.

5- Select User Attribute and provide the user attribute details.

Make sure Add to access token and Add to userinfo are enabled, then click Save.

The configuration is now complete, and it is time to obtain an access token.
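The same configuration can be scripted against Keycloak's Admin REST API instead of clicked through the console. The following Python script is an added example, not code from the article or the Keycloak project. It assumes Keycloak at http://localhost:8080 with the admin credentials from the docker command, that the target client scope (profile here) already exists, and that department is the custom attribute to expose; the mapper keys (oidc-usermodel-attribute-mapper, user.attribute, claim.name, access.token.claim, userinfo.token.claim, id.token.claim) are the configuration Keycloak stores for the User Attribute mapper, where access.token.claim and userinfo.token.claim correspond to the Add to access token and Add to userinfo toggles.

```python
"""Script the user-attribute-to-claim setup through Keycloak's Admin REST API.
Added example (not the article's or Keycloak's code).  Assumptions: Keycloak at
KC_BASE_URL, the admin credentials from the docker command, and a client scope
that already exists and is looked up by name."""
import json
import os
import urllib.parse
import urllib.request

BASE_URL = os.environ.get("KC_BASE_URL", "http://localhost:8080")
REALM = os.environ.get("KC_REALM", "master")


def admin_token(base_url, username, password):
    """Password grant against the master realm with the built-in admin-cli
    client; returns the bearer token used for the Admin REST API."""
    body = urllib.parse.urlencode({
        "client_id": "admin-cli",
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def user_representation(username, first_name, last_name, attributes):
    """UserRepresentation as the Admin API expects it: every attribute value
    is a list of strings, even when only one value is set."""
    return {
        "username": username,
        "enabled": True,
        "firstName": first_name,
        "lastName": last_name,
        "attributes": {k: [v] if isinstance(v, str) else list(v)
                       for k, v in attributes.items()},
    }


def attribute_mapper_representation(name, user_attribute, claim_name,
                                    add_to_access_token=True,
                                    add_to_userinfo=True,
                                    add_to_id_token=False):
    """ProtocolMapperRepresentation for the 'User Attribute' mapper chosen
    under 'By configuration'.  Keycloak stores the toggles in the config map
    as the strings "true"/"false", not as JSON booleans."""
    def flag(enabled):
        return "true" if enabled else "false"

    return {
        "name": name,
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-attribute-mapper",
        "config": {
            "user.attribute": user_attribute,
            "claim.name": claim_name,
            "jsonType.label": "String",
            "access.token.claim": flag(add_to_access_token),
            "userinfo.token.claim": flag(add_to_userinfo),
            "id.token.claim": flag(add_to_id_token),
        },
    }


def _post_json(url, token, payload):
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def _get_json(url, token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def apply(base_url, realm, token, scope_name, user, mapper):
    """Create the user, then attach the mapper to the named client scope."""
    _post_json(f"{base_url}/admin/realms/{realm}/users", token, user)
    scopes = _get_json(f"{base_url}/admin/realms/{realm}/client-scopes", token)
    scope_id = next(s["id"] for s in scopes if s["name"] == scope_name)
    _post_json(f"{base_url}/admin/realms/{realm}/client-scopes/{scope_id}"
               "/protocol-mappers/models", token, mapper)


if __name__ == "__main__":
    tok = admin_token(BASE_URL, os.environ.get("KC_ADMIN", "admin"),
                      os.environ.get("KC_ADMIN_PASSWORD", "admin"))
    apply(BASE_URL, REALM, tok, "profile",
          user_representation("testuser1", "Test", "User",
                              {"department": "security"}),   # constructed sample attribute
          attribute_mapper_representation("department", "department", "department"))
```

Run it with KC_BASE_URL, KC_ADMIN and KC_ADMIN_PASSWORD set. The admin token here comes from the admin-cli client with the password grant, which is acceptable on a throwaway local instance; for anything shared, use a dedicated confidential client with a service account that holds only the realm-management roles the script needs, and keep application users in their own realm rather than master.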

This is the sample curl request:

curl --location --request POST 'http://BASE_URL/realms/YOUR_REALMS_NAME/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Accept: application/json' \
--data-urlencode 'client_id=myclient' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_secret=CLIENT_KEY' \
--data-urlencode 'scope=profile' \
--data-urlencode 'username=testuser1' \
--data-urlencode 'password=PASSWORD'

A successful response looks like this:

{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSejlrTk42Y3NTcEVWYVBaeXpKeFgzTlRoYm9CZEhaTW93UkRsX1V6d0N3In0.….cOrK8ezNxbwjawpxWyvpWEBI6Dbd4hNcFVG2xTC7O5bGB2VaXrrXxBDFIrLqgDPHk5Ww7J9AggGPqDnKQM_jWM26YcK5oQ7UYtNWVyglUxx-uJy7ZaQmmFO25KS6DfUlXkIySoQMK4eeAYU84FCK9HCSdRl4KZJvJQRGQJwCFv0pxn4WBOVNE6wyi49STS34kSFJVTYyslIquMTPPd8-cWAgTxVUqX4liaJfXn44BKA6FfV_I1u_Cq9lwOe-xO8Xy8Fp4QMyIh0g7VFY6TpQAYdiIDfFJGu_pemEFT69zwa-wmkXlKmH0Kx119JUTUIYAAe2JqaTvnpatb8OdSWYMQ",
"expires_in": 60,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJkZDAxMTUzNS1iYTUzLTRhMTItYWE0ZC03YjkwOWRmMzZhMmQifQ.eyJleHAiOjE2ODM3ODk5NjYsImlhdCI6MTY4Mzc4ODE2NiwianRpIjoiMTQ0YzQyYTMtZGFkOC00NTMxLTg5ZmUtM2MxNjFiNjliMTE1IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL21hc3RlciIsInN1YiI6ImFlMTMzNTBmLTkzZDAtNGEzZi1iM2RiLWJlMGMwNGJkOWFkMCIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJteWNsaWVudCIsInNlc3Npb25fc3RhdGUiOiI5NmIxYTVjMS05ZGVkLTRkMmQtYTdkOS05ZWQ4NTFkOTgyMjYiLCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJzaWQiOiI5NmIxYTVjMS05ZGVkLTRkMmQtYTdkOS05ZWQ4NTFkOTgyMjYifQ.sHOIMtcCNfJpLcdS4mO_BX4kKCcns4VLI3N0_yC7PDQ",
"token_type": "Bearer",
"not-before-policy": 0,
"session_state": "96b1a5c1-9ded-4d2d-a7d9-9ed851d98226",
"scope": "profile email"
}

Since the token endpoint returns JWTs, the access token can be decoded with any JWT decoder.

As you can see after decoding, the access token contains the custom attribute as a claim, and you can add multiple custom attributes to a user.
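To see what the decoder shows, and what a resource server should do with the result, the following Python snippet (an added example, not part of the article) splits a Keycloak JWT into header, payload and signature and then applies the claim checks an API should make before honouring the token. It uses the refresh token from the sample response above, since that one is reproduced in full on the page; the access token's claims are not, so the same functions would simply be run on it the same way. The expected issuer and client (http://localhost:8080/realms/master and myclient) are read from that token; the claim names checked (iss, aud, azp, exp, typ) are the ones Keycloak issues.

```python
"""Inspect and validate Keycloak-issued JWTs.  Added example, not the article's
code.  SAMPLE_REFRESH_TOKEN is the refresh_token from the article's sample
response; it is HS256-signed with the realm's internal key, so only its
contents, not its signature, can be checked outside Keycloak."""
import base64
import json
import time

SAMPLE_REFRESH_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJkZDAxMTUzNS1iYTUzLTRhMTItYWE0ZC03YjkwOWRmMzZhMmQifQ.eyJleHAiOjE2ODM3ODk5NjYsImlhdCI6MTY4Mzc4ODE2NiwianRpIjoiMTQ0YzQyYTMtZGFkOC00NTMxLTg5ZmUtM2MxNjFiNjliMTE1IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL21hc3RlciIsInN1YiI6ImFlMTMzNTBmLTkzZDAtNGEzZi1iM2RiLWJlMGMwNGJkOWFkMCIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJteWNsaWVudCIsInNlc3Npb25fc3RhdGUiOiI5NmIxYTVjMS05ZGVkLTRkMmQtYTdkOS05ZWQ4NTFkOTgyMjYiLCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJzaWQiOiI5NmIxYTVjMS05ZGVkLTRkMmQtYTdkOS05ZWQ4NTFkOTgyMjYifQ.sHOIMtcCNfJpLcdS4mO_BX4kKCcns4VLI3N0_yC7PDQ"

EXPECTED_ISSUER = "http://localhost:8080/realms/master"   # realm URL from the token above
EXPECTED_CLIENT = "myclient"                               # client_id used in the curl request


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token):
    """Split a compact JWS into header, payload and raw signature WITHOUT
    checking the signature.  For inspection only: never make an authorization
    decision on claims read this way."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "payload": json.loads(_b64url_decode(payload_b64)),
        "signature": _b64url_decode(signature_b64),
    }


def check_access_token_claims(payload, expected_issuer, expected_client, now=None):
    """Claim checks a resource server applies AFTER verifying the signature.
    Returns a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    if payload.get("typ") != "Bearer":
        # Keycloak marks refresh tokens typ=Refresh.  They are valid JWTs from
        # the same realm but must never be accepted in place of an access token.
        problems.append(f"wrong token type {payload.get('typ')!r}")
    if payload.get("exp", 0) <= now:
        problems.append("expired")
    # By default Keycloak records the requesting client in azp; the client only
    # appears in aud when an Audience mapper is configured, so accept either.
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_client not in aud and payload.get("azp") != expected_client:
        problems.append("not intended for this client")
    return problems


def inspect(token):
    """Convenience view: algorithm, key id and the claims a reviewer looks at."""
    parts = decode_unverified(token)
    p = parts["payload"]
    return {
        "alg": parts["header"].get("alg"),
        "kid": parts["header"].get("kid"),
        "typ": p.get("typ"),
        "iss": p.get("iss"),
        "azp": p.get("azp"),
        "scope": p.get("scope"),
        "lifetime_s": p.get("exp", 0) - p.get("iat", 0),
    }


if __name__ == "__main__":
    print(json.dumps(inspect(SAMPLE_REFRESH_TOKEN), indent=2))
    print(check_access_token_claims(decode_unverified(SAMPLE_REFRESH_TOKEN)["payload"],
                                    EXPECTED_ISSUER, EXPECTED_CLIENT))
```

Decoding without verification is only for looking at a token. Before trusting any claim, a resource server must verify the RS256 signature against the realm's published keys at /realms/REALM/protocol/openid-connect/certs (PyJWT's PyJWKClient does this with the kid from the header) and only then apply the checks above. The typ check is the one most often skipped: the sample refresh token carries the same issuer and client as the access token, and a service that only checks the signature and issuer would accept it.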

Conclusion

Keycloak stands out in the domain of identity management through its open-source adaptability, its support for various identity protocols (OpenID Connect, OAuth 2.0, and SAML 2.0) that allows integration with a wide range of applications and services, its scalability and security, and its large community. By choosing Keycloak over alternative identity management solutions, you can guarantee your digital assets' safety, availability, and adaptability while maintaining cost efficiency.