Slide 1

Slide 1 text

What’s next in Keycloak, the Open Source IAM? Alexander Schwartz | Principal Software Engineer | Red Hat Keycloak DevDay 2024 | 2024-02-22

Slide 2

Slide 2 text

What is Identity and Access Management (IAM), and do I need one?

Slide 3

Slide 3 text

Authenticate and authorize users for services (diagram: Login Request, < Token > issued, API verifies the token; Cloud Services)

Slide 4

Slide 4 text

A Keycloak Journey
Day 1: Single-Sign-On is cool!
Day 2: Become flexible in your setup
Day 3: Eliminate daily churn

Slide 5

Slide 5 text

Day 1: Single-Sign-On is cool!
● Users need to remember only one password
● Authenticate only once per day
● Add a second factor for authentication for security
● Theme the frontend to match your needs
Makes sense already for a single application!

Slide 6

Slide 6 text

Make first contact with Keycloak

Slide 7

Slide 7 text

Day 2: Become flexible in your setup
● Integrate LDAP and Kerberos
● Brokerage to existing SAML services
● Brokerage to existing OIDC services
● Integrate existing custom stores
● SCIM integration
Reuse the existing user infrastructure!

Slide 8

Slide 8 text

Brokerage to existing services (diagram: Identity Brokering via OpenID Connect, SAML v2, Kerberos)

Slide 9

Slide 9 text

Skip the form with Kerberos/SPNEGO! This page intentionally left blank.

Slide 10

Slide 10 text

… and use other providers …

Slide 11

Slide 11 text

Use social logins to authenticate (diagram: Social identity providers)

Slide 12

Slide 12 text

Use existing user directories via federation (diagram: User Federation to a User Store such as OpenLDAP or Active Directory)

Slide 13

Slide 13 text

Day 3: Eliminate daily churn
● User required actions
● User password recovery (even when using LDAP)
● Self-registration for users
● User data self-management
Resolve the need for calls and tickets!

Slide 14

Slide 14 text

The login screen can do a lot more!

Slide 15

Slide 15 text

Keycloak is an Open Source Identity and Access Management Solution
● Authenticate and authorize users and services
● Configure interactively or fully automated
● Bridge to existing security infrastructures
● Extend and customize as needed
● Run and scale in cloud and non-cloud environments

Slide 16

Slide 16 text

Keycloak Book: 2nd Edition! Based on Keycloak 22 and Quarkus: new and improved user experience and a new admin console with a higher focus on usability. You will see how to leverage Spring Security instead of the Keycloak Spring adapter while using Keycloak 22. Meet me for the book, stickers and postcards!

Slide 17

Slide 17 text

A Keycloak Journey
Day 1: Single-Sign-On is cool!
Day 2: Become flexible in your setup
Day 3: Eliminate daily churn

Slide 18

Slide 18 text

Highlights Keycloak 24 *
● Passkey support evolving
● Load Shedding and Non-Blocking Probes
● Multi-site support with blueprints
● Sizing Guide
● Quarkus 3.8
● User Profile
● Simplified truststore handling
● Extending the Admin UI via SPI
* subject to change

Slide 20

Slide 20 text

Loadshedding: well-behaved even when the system receives more requests than it can handle.

Slide 21

Slide 21 text

Loadshedding: well-behaved even when the system receives more requests than it can handle.
Action: Incoming requests
Behavior before: Requests queue up, delayed response, client times out.
Behavior after: Limit the queue, fail fast for excessive requests*
* needs to be configured via http-max-queued-requests

Slide 22

Slide 22 text

Loadshedding: well-behaved even when the system receives more requests than it can handle.
Action: Incoming requests
Behavior before: Requests queue up, delayed response, client times out.
Behavior after: Limit the queue, fail fast for excessive requests*
Action: Liveness probe
Behavior before: Timeout, Pod restarted by Kubernetes
Behavior after: Non-Blocking, Pod survives
* needs to be configured via http-max-queued-requests
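As an added illustration (a model written for this page, not Keycloak code): a bounded queue, as configured with http-max-queued-requests, rejects the excess of a burst with 503 right away, while an unbounded queue serves requests whose clients have already given up. Service time, client timeout and burst size are constructed values.

```python
from collections import Counter

# Constructed model parameters, not measured Keycloak numbers.
SERVICE_TIME_MS = 10      # time one worker needs per request
CLIENT_TIMEOUT_MS = 100   # client gives up waiting after this long


def simulate_burst(arrivals, max_queued=None):
    """Push a burst of `arrivals` simultaneous requests through one worker.

    max_queued=None models the unbounded queue (behaviour before):
    every request is accepted and waits its turn.
    max_queued=N models http-max-queued-requests=N (behaviour after):
    requests beyond the limit are rejected immediately with 503.

    Returns a dict with the count of each outcome plus 'wasted_ms', the
    server time spent on requests whose client had already timed out.
    """
    queued = 0
    rejected = 0
    for _ in range(arrivals):
        if max_queued is not None and queued >= max_queued:
            rejected += 1          # fail fast: shed this request
        else:
            queued += 1            # accept it into the queue
    outcomes = Counter({"503": rejected})
    wasted_ms = 0
    # The request at queue position p completes after (p + 1) service times.
    for position in range(queued):
        latency = (position + 1) * SERVICE_TIME_MS
        if latency <= CLIENT_TIMEOUT_MS:
            outcomes["ok"] += 1
        else:
            outcomes["timeout"] += 1
            wasted_ms += SERVICE_TIME_MS  # work done for a client that left
    result = dict(outcomes)
    result["wasted_ms"] = wasted_ms
    return result


if __name__ == "__main__":
    # Constructed burst: 50 requests hit the server at once.
    print("before:", simulate_burst(50))
    print("after: ", simulate_burst(50, max_queued=10))
```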

Slide 23

Slide 23 text

Multi-Site support
● Synchronous database and Infinispan to avoid data loss
● Low-latency network between sites to avoid long response times
● Active-passive to avoid potential deadlocks in Infinispan

Slide 24

Slide 24 text

Multi-Site support
Improvements not only for multi-site setups:
● Sizing Guide (memory, CPU, threads)
● Simplified configuration for a typical external Infinispan setup
● Automated load and failure tests
● Protection against cache stampedes
● AWS Aurora PostgreSQL Multi AZ support (in progress)
● Infinispan and JGroups hardening

Slide 25

Slide 25 text

Declarative User Profile configuration PLUS: User attributes longer than 255 characters!

Slide 26

Slide 26 text

User Profile for admins, registration, and users

Slide 27

Slide 27 text

Highlights Keycloak 24 *
● Passkey support evolving
● Load Shedding and Non-Blocking Probes
● Multi-site support with blueprints
● Sizing Guide
● Quarkus 3.8
● User Profile
● Simplified truststore handling
● Extending the Admin UI via SPI
* subject to change

Slide 28

Slide 28 text

(my) future wishes

Slide 29

Slide 29 text

Translation tool for UIs First PoC available. Looking for volunteers to take the lead. Please get in touch with me.

Slide 30

Slide 30 text

Better operational experience for Keycloak
● Secure by default
● Metrics for service level objectives
● Seamless upgrades
● Cache consistency
Looking forward to your feedback and ideas around this today!

Slide 31

Slide 31 text

Links
● Keycloak https://www.keycloak.org/
● Keycloak Nightly Release https://github.com/keycloak/keycloak/releases/tag/nightly
● Keycloak Book 2nd Edition https://www.packtpub.com/product/kc/9781804616444
● Keycloak High Availability https://www.keycloak.org/high-availability/introduction
● Keycloak Benchmark https://www.keycloak.org/keycloak-benchmark/
● Extend Admin UI via SPI https://github.com/keycloak/keycloak-quickstarts/tree/main/extension/extend-admin-console-spi
● Keycloak Hour of Code https://www.meetup.com/keycloak-hour-of-code/

Slide 32

Slide 32 text

Contact
Alexander Schwartz | Principal Software Engineer
[email protected]
https://www.ahus1.de
@ahus1de
@[email protected]