
10 Years of Keycloak - What's Next for Cloud-Native Authentication and OIDC?

More than 10 years ago the Keycloak maintainers committed the first code to their repository. In the years since, Keycloak has built a growing community around a flexible Open Source solution for authentication based on OpenID Connect (OIDC) and SAML, with integrations into classic enterprise infrastructure. The OIDC ecosystem and customer demands have evolved over the years, and so has Keycloak. After presenting some of the highlights of the latest Keycloak release, this talk focuses on the latest advancements in OIDC, such as DPoP, OIDC4IDA and FAPI 2.0, as well as Keycloak’s pursuit of scalability, high availability and a great user experience. We’ll also present the work-in-progress topics in a demo.

Alexander Schwartz

November 07, 2023

Transcript

  1. 10 Years of Keycloak - What's Next for
    Cloud-Native Authentication and OIDC?
    Takashi Norimatsu | Senior OSS Specialist | Hitachi
    Alexander Schwartz | Principal Software Engineer | Red Hat
    Kubecon NA Chicago | 2023-11-07

  2. Keycloak is an Open Source
    Identity and Access Management Solution
    * Initial commit 2013-07-02 at 08:38

  3. Keycloak at the Beginning
    ● OpenID Connect Protocol Implementation for the server
    ● Services and database to store information about clients and identities
    ● From Developers for Developers
    Soon after that:
    ● Multi Factor authentication
    ● Client libraries
    ● SAML, LDAP, …

  4. How it changed
    ● Browser Logout changed: OpenID Connect RP-Initiated Logout passes the
    ID token as the recommended id_token_hint parameter
    ● Backchannel Logout standardized: clients no longer need Keycloak’s
    proprietary mechanism to register for logout notifications
    ● Lots of frameworks support OIDC: Keycloak deprecated its own client
    implementations, except for the JavaScript client it uses itself in the UI
    ● New Admin UI, soon also new Account UI

  5. Keycloak 22
    ● Upgrade to Quarkus 3, Hibernate 6 and Jakarta EE
    ● Horizontal Pod Autoscaler support when using Keycloak’s Operator
    ● Completed accessibility improvements for the UI
    ● Lots of improvements to the Operator, LDAP, OpenID Connect, Brokering

  6. Keycloak Book: 2nd Edition!
    Based on Keycloak 22 and Quarkus: new and improved user experience and a
    new admin console with a higher focus on usability. You will see how to
    leverage Spring Security instead of the Keycloak Spring adapter while
    using Keycloak 22.
    Unlock 20% off with code ‘20KEYCLOAK’ for KubeCon attendees on amazon.com
    and packt.com

  7. Talks at KubeCon
    Tuesday, November 7, 11:55am - 12:30pm CST (UTC-6)
    Challenge to Implementing “Scalable” Authorization with Keycloak /
    By Yoshiyuki Tabata, Hitachi, Ltd.
    Tuesday, November 7, 2:30pm - 4:00pm CST (UTC-6)
    Contribfest: Keycloak - Accelerate New Features, Squash Bugs and Learn to
    Contribute / By Alexander Schwartz & Michal Hajas, Red Hat
    Wednesday, November 8, 11:55am - 12:30pm CST (UTC-6)
    Beyond Passwords: Keycloak’s Contributions to IAM (Identity and Access
    Management) + Security / By Soojin Lee & Hoon Jo, Megazone
    Project Pavilion
    Tuesday, November 7: 10:30 AM - 3:30 PM CST
    Wednesday, November 8: 10:30 AM - 2:00 PM CST
    Thursday, November 9: 10:30 AM - 12:30 PM CST

  8. Keycloak 23 and beyond
    ● Declarative User Profile support
    ● DPoP & FAPI 2.0 support
    ● Performance improvements, for example Groups in LDAP
    ● Discontinuation of Keycloak’s map store; the current store will be evolved instead

  9. Demo Keycloak Declarative User Profile

  10. Keycloak-Benchmark Project
    ● Benchmarks to calculate CPU and memory requirements
    ● Guides to set up Keycloak in a Cross-DC setup with external Infinispan
    ● Operational procedures for failover and switchover

  11. Keycloak OpenID Connect CLI
    Keycloak OpenID Connect CLI provides a command-line interface to obtain
    tokens from an OpenID Connect provider.
    ● Multiple configuration contexts to easily switch between different providers,
    flows, accounts, etc.
    ● Supports a range of different OAuth and OpenID Connect flows
    ● Decode JWT tokens into a human-readable JSON representation
    ● Integration with kubectl
    ● Token cache
    ● …

  12. Demo Keycloak OpenID Connect CLI

  13. Keycloak is an Open Source
    Identity and Access Management Solution
    ● Authentication Standards implemented and tested
    ● Services and APIs for managing clients, users, etc.
    ● Data from a variety of sources (database, LDAP, custom
    storage)
    ● Self-registration and self-management for users
    ● Use tokens everywhere: For applications, Kubernetes
    clusters, in the browser and on the command line.

  14. Links
    ● Keycloak
    https://www.keycloak.org
    ● Keycloak Book 2nd Edition
    https://www.packtpub.com/product/kc/9781804616444
    ● Keycloak Benchmark
    https://github.com/keycloak/keycloak-benchmark
    https://www.keycloak.org/keycloak-benchmark/kubernetes-guide/latest/running/
    ● Keycloak OpenID Connect CLI
    https://github.com/stianst/keycloak-oidc-cli#keycloak-openid-connect-cli