Upgrade to Pro — share decks privately, control downloads, hide ads and more …

10 Years of Keycloak - What's Next for Cloud-Na...

Alexander Schwartz
November 07, 2023
Programming
0
95

10 Years of Keycloak - What's Next for Cloud-Native Authentication and OIDC?

More than 10 years ago the Keycloak maintainers committed the first code to their repository. In the following years Keycloak built a growing community offering a flexible Open Source solution for authentication based on OpenID Connect (OIDC), SAML and with integrations into the classic enterprise. The ecosystem of OIDC and customer demands have evolved over the years, and so has Keycloak. After presenting some of the highlights of the latest Keycloak release, this talk focuses on the latest advancements in OIDC like DPoP, OIDC4IDA and FAPI 2.0, as well as Keycloak’s pursuit for scalability, high availability and a great user experience. We’ll also present the work-in-progress topics in a demo.

Alexander Schwartz

November 07, 2023
Tweet

More Decks by Alexander Schwartz

See All by Alexander Schwartz
Evolving real-world AsciiDoc into a specification and how it will help the ecosystem
ahus1
1
70
Online-Dokumentation, die hilft: Strukturen, Prozesse, Tools
ahus1
0
88
What’s new in Keycloak, the open source IAM?
ahus1
1
170
Running a highly available Identity and Access Management with Keycloak
ahus1
0
100
Automatisiere deine Prozesse mit GitHub Actions!
ahus1
0
330
Highly available Identity and Access Management with multi-site Keycloak deployments in the cloud
ahus1
0
7.9k
Documentation for users with AsciiDoc and Antora
ahus1
0
500
What's next in Keycloak, the Open Source IAM? (KC24)
ahus1
0
390
Add user self-management, brokerage and federation to your infrastructure with Keycloak
ahus1
0
72

Other Decks in Programming

See All in Programming
Enabling DevOps and Team Topologies Through Architecture: Architecting for Fast Flow
cer
PRO
0
310
イベント駆動で成長して委員会
happymana
1
320
CSC509 Lecture 11
javiergs
PRO
0
180
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
シェーダーで魅せるMapLibreの動的ラスタータイル
satoshi7190
1
480
ペアーズにおけるAmazon Bedrockを⽤いた障害対応⽀援 ⽣成AIツールの導⼊事例 @ 20241115配信AWSウェビナー登壇
fukubaka0825
6
1.8k
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
110
Laravel や Symfony で手っ取り早く
OpenAPI のドキュメントを作成する
azuki
1
110
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
600
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
430
よくできたテンプレート言語として TypeScript + JSX を利用する試み / Using TypeScript + JSX outside of Web Frontend #TSKaigiKansai
izumin5210
6
1.7k
Jakarta Concurrencyによる並行処理プログラミングの始め方 (JJUG CCC 2024 Fall)
tnagao7
1
290

Featured

See All Featured
Designing the Hi-DPI Web
ddemaree
280
34k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
The Cost Of JavaScript in 2023
addyosmani
45
6.7k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
A Tale of Four Properties
chriscoyier
156
23k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
RailsConf 2023
tenderlove
29
900
BBQ
matthewcrist
85
9.3k
4 Signs Your Business is Dying
shpigford
180
21k
Happy Clients
brianwarren
98
6.7k

Transcript

  1. 10 Years of Keycloak - What's Next for Cloud-Native Authentication

    and OIDC? Takashi Norimatsu | Senior OSS Specialist | Hitachi Alexander Schwartz | Principal Software Engineer | Red Hat Kubecon NA Chicago | 2023-11-07

  2. Keycloak is an Open Source Identity and Access Management Solution

    * Initial commit 2013-07-02 at 08:38

  3. • OpenID Connect Protocol Implementation for the server • Services

    and database to store information about clients and identities • From Developers for Developers Soon after that: • Multi Factor authentication • Client libraries • SAML, LDAP, … Keycloak at the Beginning

  4. How it grew

  5. How it changed • Browser Logout changed: OpenID RP-Initiated Logout

    uses the recommended the ID token as a parameter • Backchannel Logout standardized: No longer the need to use the Keycloak proprietary mechanism for clients to register • Lots of frameworks support OIDC: Keycloak deprecated its own client implementations except for the JavaScript client it uses itself in the UI • New Admin UI, soon also new Account UI

  6. Keycloak 22 • Upgrade to Quarkus 3, Hibernate 6 and

    Jakarte EE • Horizontal Pod Autoscaler support when using Keycloak’s Operator • Completed accessibility improvements for the UI • Lots of improvements to the Operator, LDAP, OpenID Connect, Brokering

  7. Keycloak Book: 2nd Edition! Based on Keycloak 22 and Quarkus:

    new and improved user experience and a new admin console with a higher focus on usability. You will see how to leverage Spring Security, instead of the Keycloak Spring adapter while using Keycloak 22. Unlock 20% off with code ‘20KEYCLOAK’ for KubeCon attendees on amazon.com and packt.com

  8. Project Pavilion Tuesday, November 7, 11:55am - 12:30pm CST(UTC-6) Challenge

    to Implementing “Scalable” Authorization with Keycloak / By Yoshiyuki Tabata, Hitachi, Ltd. Tuesday, November 7, 2:30pm - 4:00pm CST(UTC-6) Contribfest: Keycloak - Accelerate New Features, Squash Bugs and Learn to Contribute / By Alexander Schwartz & Michal Hajas, Red Hat Wednesday, November 8, 11:55am - 12:30pm CST(UTC-6) Beyond Passwords: Keycloak’s Contributions to IAM (Identity and Access Management) + Security / By Soojin Lee & Hoon Jo, Megazone Tuesday, November 7: 10:30 - 3:30 PM CST Wednesday, November 8: 10:30 - 2:00 PM CST Thursday, November 9: 10:30 - 12:30 PM CST Talks at KubeCon

  9. Keycloak 23 and beyond • Declarative User Profile support •

    DPoP & FAPI 2.0 support • Performance improvements, for example Groups in LDAP • Discontinuation of Keycloak’s map store, instead evolve the current store

  10. Demo Keycloak Declarative User Profile

  11. Keycloak-Benchmark Project • Benchmarks to calculate CPU and memory requirements

    • Guides to set up Keycloak in a Cross-DC setup with external Infinispan • Operational procedures for failover and switchover

  12. Keycloak OpenID Connect CLI Keycloak OpenID Connect CLI provides a

    CLI interface to obtain tokens from an OpenID Connect provider. • Multiple configuration contexts to easily switch between different providers, flows, accounts, etc. • Supports a range of different OAuth and OpenID Connect flows • Decode JWT tokens into a human-readable JSON representation • Integration with kubectl • Token cache • …

  13. Demo Keycloak OpenID Connect CLI

  14. Keycloak is an Open Source Identity and Access Management Solution

    • Authentication Standards implemented and tested • Services and APIs for managing client, users, etc. • Data from a variety of sources (database, LDAP, custom storage) • Self-registration and self-management for users • Use tokens everywhere: For applications, Kubernetes clusters, in the browser and on the command line.

  15. • Keycloak https://www.keycloak.org • Keycloak Book 2nd Edition https://www.packtpub.com/product/kc/9781804616444 •

    Keycloak Benchmark https://github.com/keycloak/keycloak-benchmark https://www.keycloak.org/keycloak-benchmark/kubernetes-guide/latest/running/ • Keycloak OpenID Connect CLI https://github.com/stianst/keycloak-oidc-cli#keycloak-openid-connect-cli Links