
10 Years of Keycloak - What's Next for Cloud-Native Authentication and OIDC?


More than 10 years ago the Keycloak maintainers committed the first code to their repository. In the following years Keycloak built a growing community, offering a flexible Open Source solution for authentication based on OpenID Connect (OIDC) and SAML, with integrations into the classic enterprise. The OIDC ecosystem and customer demands have evolved over the years, and so has Keycloak. After presenting some of the highlights of the latest Keycloak release, this talk focuses on the latest advancements in OIDC such as DPoP, OIDC4IDA and FAPI 2.0, as well as Keycloak’s pursuit of scalability, high availability and a great user experience. We’ll also present the work-in-progress topics in a demo.

Alexander Schwartz

November 07, 2023



Transcript

  1. 10 Years of Keycloak - What's Next for Cloud-Native Authentication and OIDC?
     Takashi Norimatsu | Senior OSS Specialist | Hitachi
     Alexander Schwartz | Principal Software Engineer | Red Hat
     KubeCon NA Chicago | 2023-11-07
  2. Keycloak at the Beginning
     • OpenID Connect Protocol Implementation for the server
     • Services and database to store information about clients and identities
     • From Developers for Developers
     Soon after that:
     • Multi Factor authentication
     • Client libraries
     • SAML, LDAP, …
  3. How it changed
     • Browser Logout changed: OpenID RP-Initiated Logout uses the ID token as the recommended parameter
     • Backchannel Logout standardized: no longer any need for clients to register via the Keycloak proprietary mechanism
     • Lots of frameworks support OIDC: Keycloak deprecated its own client implementations, except for the JavaScript client it uses itself in the UI
     • New Admin UI, soon also new Account UI
  4. Keycloak 22
     • Upgrade to Quarkus 3, Hibernate 6 and Jakarta EE
     • Horizontal Pod Autoscaler support when using Keycloak’s Operator
     • Completed accessibility improvements for the UI
     • Lots of improvements to the Operator, LDAP, OpenID Connect, Brokering
  5. Keycloak Book: 2nd Edition!
     Based on Keycloak 22 and Quarkus: new and improved user experience and a new admin console with a higher focus on usability. You will see how to leverage Spring Security, instead of the Keycloak Spring adapter, while using Keycloak 22.
     Unlock 20% off with code ‘20KEYCLOAK’ for KubeCon attendees on amazon.com and packt.com
  6. Talks at KubeCon
     • Tuesday, November 7, 11:55am - 12:30pm CST (UTC-6): Challenge to Implementing “Scalable” Authorization with Keycloak / By Yoshiyuki Tabata, Hitachi, Ltd.
     • Tuesday, November 7, 2:30pm - 4:00pm CST (UTC-6): Contribfest: Keycloak - Accelerate New Features, Squash Bugs and Learn to Contribute / By Alexander Schwartz & Michal Hajas, Red Hat
     • Wednesday, November 8, 11:55am - 12:30pm CST (UTC-6): Beyond Passwords: Keycloak’s Contributions to IAM (Identity and Access Management) + Security / By Soojin Lee & Hoon Jo, Megazone
     Project Pavilion
     • Tuesday, November 7: 10:30 - 3:30 PM CST
     • Wednesday, November 8: 10:30 - 2:00 PM CST
     • Thursday, November 9: 10:30 - 12:30 PM CST
  7. Keycloak 23 and beyond
     • Declarative User Profile support
     • DPoP & FAPI 2.0 support
     • Performance improvements, for example Groups in LDAP
     • Discontinuation of Keycloak’s map store; instead, evolve the current store
  8. Keycloak-Benchmark Project
     • Benchmarks to calculate CPU and memory requirements
     • Guides to set up Keycloak in a Cross-DC setup with external Infinispan
     • Operational procedures for failover and switchover
  9. Keycloak OpenID Connect CLI
     Keycloak OpenID Connect CLI provides a CLI interface to obtain tokens from an OpenID Connect provider.
     • Multiple configuration contexts to easily switch between different providers, flows, accounts, etc.
     • Supports a range of different OAuth and OpenID Connect flows
     • Decode JWT tokens into a human-readable JSON representation
     • Integration with kubectl
     • Token cache
     • …
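As an added example, not code from the deck or from the keycloak-oidc-cli project, this is the kind of decoding the CLI's "decode JWT" feature performs: split a compact JWT, base64url-decode header and payload, render the timestamp claims as UTC dates, and report whether the token is past its `exp` (the check a token cache needs before reusing a cached token). The signature is deliberately not verified, since the goal is inspection; the sample token, its issuer URL and its claims are constructed for this example.

```python
import base64
import json
from datetime import datetime, timezone
from typing import Optional

TIME_CLAIMS = ("exp", "iat", "nbf", "auth_time")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str, now: Optional[int] = None) -> dict:
    """Decode a compact JWS (header.payload.signature) into readable JSON.
    The signature is NOT verified: this only inspects the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    readable = dict(payload)
    # Add an ISO-8601 UTC rendering next to each numeric time claim
    for claim in TIME_CLAIMS:
        if isinstance(payload.get(claim), int):
            stamp = datetime.fromtimestamp(payload[claim], tz=timezone.utc)
            readable[claim + "_utc"] = stamp.isoformat()
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    expired = isinstance(payload.get("exp"), int) and payload["exp"] <= now
    return {"header": header, "payload": readable,
            "expired": expired, "signature_verified": False}


# Constructed sample token shaped like a Keycloak access token; the
# signature segment is a dummy value, not a real RS256 signature.
_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
_PAYLOAD = {"iss": "https://keycloak.example.com/realms/demo", "sub": "user-123",
            "azp": "kubectl", "iat": 1699358400, "exp": 1699358700}
SAMPLE_TOKEN = ".".join([_b64url_encode(json.dumps(_HEADER).encode()),
                         _b64url_encode(json.dumps(_PAYLOAD).encode()),
                         _b64url_encode(b"not-a-real-signature")])

if __name__ == "__main__":
    print(json.dumps(decode_jwt(SAMPLE_TOKEN), indent=2))
```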
  10. Keycloak is an Open Source Identity and Access Management Solution
     • Authentication Standards implemented and tested
     • Services and APIs for managing clients, users, etc.
     • Data from a variety of sources (database, LDAP, custom storage)
     • Self-registration and self-management for users
     • Use tokens everywhere: for applications, Kubernetes clusters, in the browser and on the command line.
  11. Links
     • Keycloak https://www.keycloak.org
     • Keycloak Book 2nd Edition https://www.packtpub.com/product/kc/9781804616444
     • Keycloak Benchmark https://github.com/keycloak/keycloak-benchmark https://www.keycloak.org/keycloak-benchmark/kubernetes-guide/latest/running/
     • Keycloak OpenID Connect CLI https://github.com/stianst/keycloak-oidc-cli#keycloak-openid-connect-cli