Upgrade to Pro — share decks privately, control downloads, hide ads and more …

10 Years of Keycloak - What's Next for Cloud-Native Authentication and OIDC?

10 Years of Keycloak - What's Next for Cloud-Native Authentication and OIDC?

More than 10 years ago the Keycloak maintainers committed the first code to their repository. In the following years Keycloak built a growing community offering a flexible Open Source solution for authentication based on OpenID Connect (OIDC), SAML and with integrations into the classic enterprise. The ecosystem of OIDC and customer demands have evolved over the years, and so has Keycloak. After presenting some of the highlights of the latest Keycloak release, this talk focuses on the latest advancements in OIDC like DPoP, OIDC4IDA and FAPI 2.0, as well as Keycloak’s pursuit for scalability, high availability and a great user experience. We’ll also present the work-in-progress topics in a demo.

Alexander Schwartz

November 07, 2023

More Decks by Alexander Schwartz

Other Decks in Programming


  1. 10 Years of Keycloak - What's Next for Cloud-Native Authentication

    and OIDC? Takashi Norimatsu | Senior OSS Specialist | Hitachi Alexander Schwartz | Principal Software Engineer | Red Hat Kubecon NA Chicago | 2023-11-07
  2. • OpenID Connect Protocol Implementation for the server • Services

    and database to store information about clients and identities • From Developers for Developers Soon after that: • Multi Factor authentication • Client libraries • SAML, LDAP, … Keycloak at the Beginning
  3. How it changed • Browser Logout changed: OpenID RP-Initiated Logout

    uses the recommended the ID token as a parameter • Backchannel Logout standardized: No longer the need to use the Keycloak proprietary mechanism for clients to register • Lots of frameworks support OIDC: Keycloak deprecated its own client implementations except for the JavaScript client it uses itself in the UI • New Admin UI, soon also new Account UI
  4. Keycloak 22 • Upgrade to Quarkus 3, Hibernate 6 and

    Jakarte EE • Horizontal Pod Autoscaler support when using Keycloak’s Operator • Completed accessibility improvements for the UI • Lots of improvements to the Operator, LDAP, OpenID Connect, Brokering
  5. Keycloak Book: 2nd Edition! Based on Keycloak 22 and Quarkus:

    new and improved user experience and a new admin console with a higher focus on usability. You will see how to leverage Spring Security, instead of the Keycloak Spring adapter while using Keycloak 22. Unlock 20% off with code ‘20KEYCLOAK’ for KubeCon attendees on amazon.com and packt.com
  6. Project Pavilion Tuesday, November 7, 11:55am - 12:30pm CST(UTC-6) Challenge

    to Implementing “Scalable” Authorization with Keycloak / By Yoshiyuki Tabata, Hitachi, Ltd. Tuesday, November 7, 2:30pm - 4:00pm CST(UTC-6) Contribfest: Keycloak - Accelerate New Features, Squash Bugs and Learn to Contribute / By Alexander Schwartz & Michal Hajas, Red Hat Wednesday, November 8, 11:55am - 12:30pm CST(UTC-6) Beyond Passwords: Keycloak’s Contributions to IAM (Identity and Access Management) + Security / By Soojin Lee & Hoon Jo, Megazone Tuesday, November 7: 10:30 - 3:30 PM CST Wednesday, November 8: 10:30 - 2:00 PM CST Thursday, November 9: 10:30 - 12:30 PM CST Talks at KubeCon
  7. Keycloak 23 and beyond • Declarative User Profile support •

    DPoP & FAPI 2.0 support • Performance improvements, for example Groups in LDAP • Discontinuation of Keycloak’s map store, instead evolve the current store
  8. Keycloak-Benchmark Project • Benchmarks to calculate CPU and memory requirements

    • Guides to set up Keycloak in a Cross-DC setup with external Infinispan • Operational procedures for failover and switchover
  9. Keycloak OpenID Connect CLI Keycloak OpenID Connect CLI provides a

    CLI interface to obtain tokens from an OpenID Connect provider. • Multiple configuration contexts to easily switch between different providers, flows, accounts, etc. • Supports a range of different OAuth and OpenID Connect flows • Decode JWT tokens into a human-readable JSON representation • Integration with kubectl • Token cache • …
  10. Keycloak is an Open Source Identity and Access Management Solution

    • Authentication Standards implemented and tested • Services and APIs for managing client, users, etc. • Data from a variety of sources (database, LDAP, custom storage) • Self-registration and self-management for users • Use tokens everywhere: For applications, Kubernetes clusters, in the browser and on the command line.
  11. • Keycloak https://www.keycloak.org • Keycloak Book 2nd Edition https://www.packtpub.com/product/kc/9781804616444 •

    Keycloak Benchmark https://github.com/keycloak/keycloak-benchmark https://www.keycloak.org/keycloak-benchmark/kubernetes-guide/latest/running/ • Keycloak OpenID Connect CLI https://github.com/stianst/keycloak-oidc-cli#keycloak-openid-connect-cli Links