
What’s new in Keycloak, the open source IAM?


Authentication and authorization are keys to automation and new business capabilities. All of this requires APIs and services that an Identity and Access Management (IAM) solution can provide.

After presenting some highlights of the latest Keycloak version, this talk will focus on changes to OpenID Connect and Keycloak's capabilities around scalability, high availability and customizability via declarative user profiles. Additionally, features that are currently under development and planned for one of the next Keycloak versions will be presented.

Alexander Schwartz

September 23, 2024

Transcript

  1. Authenticate, authorize and manage users for services

    [Diagram: a request carrying a token reaches the API and cloud services]
    • Manage users, credentials, permissions, ...
    • Handle user registration, password reset, …
    • Integrate to existing security infrastructure
  2. Keycloak is an Open Source Identity and Access Management Solution

    • Initial commit 2013-07-02
    • Cloud Native Computing Foundation Incubating project since April 2023
    • Apache License, Version 2.0
    • 22k GitHub stars
  3. Keycloak at the Beginning

    • OpenID Connect Protocol Implementation for the server
    • Services and database to store information about clients and identities
    • From Developers for Developers
    Soon after that:
    • Multi Factor authentication
    • Client libraries
    • SAML, LDAP, …
  4. A Keycloak Journey

    • Day 0: Getting started as a developer
    • Day 1: Single-Sign-On is cool!
    • Day 2: Become flexible in your setup
    • Day 3: Eliminate daily churn
  5. Day 0: Getting started as a developer

    • Run a single container (inside or outside Kubernetes) or extract an archive
    • Works with Testcontainers
    • Configure using CLI, API, Web UI or export/import a realm using JSON for identical environments
    Makes sense already for a single application!
  6. Running Keycloak as a developer

        docker run --name keycloak -p 8080:8080 \
          -e KEYCLOAK_ADMIN=admin \
          -e KEYCLOAK_ADMIN_PASSWORD=change_me \
          quay.io/keycloak/keycloak:latest \
          start-dev

        docker run --name keycloak_w_import -p 8080:8080 \
          -e KEYCLOAK_ADMIN=admin \
          -e KEYCLOAK_ADMIN_PASSWORD=change_me \
          -v /path/to/realm/data:/opt/keycloak/data/import \
          quay.io/keycloak/keycloak:latest \
          start-dev --import-realm
  7. Starting Keycloak, Quarkus Edition

    start-dev (Development)
    • Medium performance
    • Not secure / no TLS
    start (Simple Deployment)
    • TLS certificates required
    • Slow start
    • Good run-time performance
    build (Prepare Deployment)
    • Build configuration known (database, features, …)
    start --optimized (Performant Deployment)
    • TLS certificates required
    • Fast start
    • Good run-time performance
  8. Day 1: Single-Sign-On is cool!

    • Users need to remember only one password
    • Authenticate only once per day
    • Add a second factor for authentication for security
    • Theme the frontend to match your needs
    Makes sense already for a single application!
  9. Day 2: Become flexible in your setup

    • Integrate LDAP and Kerberos
    • Brokerage to existing SAML services
    • Brokerage to existing OIDC services
    • Integrate existing custom stores
    • SCIM integration
    Reuse the existing user infrastructure!
  10. Customize to your needs

    From the Server developer guide:
    • Customize the theme
    • Configure login flows
    • Add new required actions
    • Create event listeners
    • Supply mappers for federations
    • Connect any custom user storage
  11. Day 3: Eliminate daily churn

    • User required actions
    • User password recovery (even when using LDAP)
    • Self-registration for users
    • User data self-management
    Resolve the need for calls and tickets!
  12. Powerful required actions in the login flow

    • Configure One Time Passwords
    • WebAuthn Register
    • Terms and Conditions
    • Update Password
    • Update Profile
    • Verify Email
    • …
    … or build your own!
  13. A Keycloak Journey

    • Day 0: Getting started as a developer
    • Day 1: Single-Sign-On is cool!
    • Day 2: Become flexible in your setup
    • Day 3: Eliminate daily churn
  14. Keycloak is an Open Source Identity and Access Management Solution

    • Authenticate and authorize users and services
    • Configure interactively or fully automated
    • Bridge to existing security infrastructures
    • Extend and customize as needed
    • Run and scale in cloud and non-cloud environments
  15. Keycloak Book: 2nd Edition!

    Based on Keycloak 22 and Quarkus: new and improved user experience and a new admin console with a higher focus on usability. You will see how to leverage Spring Security instead of the Keycloak Spring adapter while using Keycloak 22.
  16. Highlights Keycloak 24

    • Passkey support evolving
    • Load Shedding and Non-Blocking Probes
    • Multi-site support with blueprints
    • Sizing Guide
    • Quarkus 3.8
    • User Profile
    • Simplified truststore handling
    • Extending the Admin UI via SPI (experimental)
  17. Loadshedding

    Well-behaving even when the system receives more requests than it can handle.
    Action: Incoming requests
    • Behavior before: Requests queue up, delayed response, client times out.
    • Behavior after: Limit the queue, fail fast for excessive requests*
    * needs to be configured via http-max-queued-requests
  18. Loadshedding

    Well-behaving even when the system receives more requests than it can handle.
    Action: Incoming requests
    • Behavior before: Requests queue up, delayed response, client times out.
    • Behavior after: Limit the queue, fail fast for excessive requests*
    Action: Liveness probe
    • Behavior before: Timeout, Pod restarted by Kubernetes
    • Behavior after: Non-Blocking, Pod survives
    * needs to be configured via http-max-queued-requests
  19. Multi-Site support

    • Synchronous database and Infinispan to avoid data loss
    • Low-latency network between sites to avoid long response times
    • Active-passive to avoid potential deadlocks in Infinispan
  20. Multi-Site support

    Improvements not only for multi-site setups:
    • Sizing Guide (memory, CPU, threads)
    • Simplified configuration for a typical external Infinispan setup
    • Automated load and failure tests
    • Protection against cache stampedes
    • AWS Aurora PostgreSQL Multi AZ support
    • Infinispan and JGroups hardening
  21. Highlights Keycloak 25

    • Argon2 password hashing
    • Simplified hostname configuration
    • Persistent user sessions (preview)
    • Passkeys improvements (preview)
    • Separate management port for health and metrics
    • Organizations (preview)
    • OpenJDK 21
  22. Highlights Keycloak 26*

    • Infinispan marshalling changed to ProtoStream
    • Quarkus 3.15.x
    • Persistent User Sessions (by default)
    • Keycloak multi-site setup in Active/Active mode
    • Keycloak Admin user recovery
    • OpenTelemetry tracing support (preview)
    • Removal of legacy cookies
    • Organizations (supported and by default)
    * Subject to change
  23. Admin user recovery

    • Use CLI arguments or environment variables to create a temporary admin user or service account.
    • Use it to create the initial admin user, or to regain access to the existing admin user.
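As an added example (not from the talk or the Keycloak project), the following POSIX shell preflight ties together three of the slides above: the start modes from slide 7 (build, then start --optimized, never start-dev for a deployment because it runs without TLS), the bounded request queue via http-max-queued-requests from slides 17 and 18, and the temporary bootstrap admin from slide 23. The functions only assemble and sanity-check the command lines so they can be reviewed before anything is run; nothing here contacts a Keycloak instance. Apart from http-max-queued-requests, which the slides name, the option names (--db, --hostname, --https-certificate-file, --https-certificate-key-file, --health-enabled, --metrics-enabled, --http-management-port) and the KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD variables are assumed from the Keycloak server configuration as I know it and should be checked against the documentation of the version in use; hostname and file paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the talk. Builds the production start-up command
# lines described on the "Starting Keycloak", "Loadshedding" and
# "Admin user recovery" slides and refuses to emit them when a setting the
# slides treat as mandatory is missing. Option names other than
# --http-max-queued-requests are assumptions; verify them for your version.

# Step 1: "build" bakes the build-time options (database, health and metrics
# endpoints) into the image so that "start --optimized" can skip the rebuild.
kc_build_cmd() {
  db="$1"
  printf 'kc.sh build --db=%s --health-enabled=true --metrics-enabled=true\n' "$db"
}

# Step 2: "start --optimized" for a deployment. Requires a hostname, a TLS
# certificate and key (start-dev is the only mode the slides show without TLS)
# and a positive queue bound so that excess requests fail fast instead of
# piling up until the client times out. Health/metrics go to the separate
# management port introduced in Keycloak 25 (assumed default 9000).
kc_start_cmd() {
  hostname="$1"; cert="$2"; key="$3"; max_queued="$4"; mgmt_port="${5:-9000}"
  if [ -z "$hostname" ]; then
    echo "refusing: --hostname must be set outside start-dev" >&2; return 1
  fi
  if [ -z "$cert" ] || [ -z "$key" ]; then
    echo "refusing: TLS certificate and key are required for 'start'" >&2; return 1
  fi
  case "$max_queued" in
    ''|0|*[!0-9]*)
      echo "refusing: --http-max-queued-requests must be a positive integer" >&2; return 1 ;;
  esac
  printf 'kc.sh start --optimized --hostname=%s --https-certificate-file=%s --https-certificate-key-file=%s --http-max-queued-requests=%s --http-management-port=%s\n' \
    "$hostname" "$cert" "$key" "$max_queued" "$mgmt_port"
}

# Step 3: environment for the temporary bootstrap admin. The password is taken
# from the caller's environment and is never interpolated into the command line
# (so it stays out of shell history and process listings); the variable names
# are assumed from Keycloak 26 and should be checked against the docs.
kc_bootstrap_env() {
  user="$1"
  if [ -z "$BOOTSTRAP_ADMIN_PASSWORD" ]; then
    echo "refusing: BOOTSTRAP_ADMIN_PASSWORD is not set in the environment" >&2; return 1
  fi
  printf 'KC_BOOTSTRAP_ADMIN_USERNAME=%s KC_BOOTSTRAP_ADMIN_PASSWORD="$BOOTSTRAP_ADMIN_PASSWORD"\n' "$user"
}

# Dry run with constructed placeholder values: ./preflight.sh --demo
if [ "${1:-}" = "--demo" ]; then
  kc_build_cmd postgres
  kc_start_cmd id.example.com /etc/kc/tls.crt /etc/kc/tls.key 200
  (BOOTSTRAP_ADMIN_PASSWORD=change_me; kc_bootstrap_env temp-admin)
fi
```

The bootstrap admin this produces is meant to be temporary, as the slide says: use it to create or regain a permanent admin account and then remove it, rather than leaving a password-only recovery account in place.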
  24. Community News

    • Adaptive Authentication Proof-of-Concept
    • BundID extension
    • Keycloak OAuth Special Interest Group
    • Keycloak SRE Special Interest Group
  25. Adaptive Authentication Proof-of-Concept

    • Decide on second factors or deny access based on context information
    • Extend it using your custom decision engines and rules
    • Allow for risk-based authentication
    • Manage different sources and policies using the Keycloak Admin UI
    Presented at KeyConf 2024. Video and slides available on https://keyconf.dev/, source code available at https://github.com/mabartos/keycloak-adaptive-authn
  26. BundID Extension

    Two community extensions exist to integrate with BundID:
    • https://github.com/opdt/keycloak-extension-bundid
    • https://gitlab.opencode.de/opendva/bundid-plugin-for-keycloak
  27. Conferences & Events

    • KubeCon North America, Salt Lake City (US), 2024-11-12…15, https://events.linuxfoundation.org/
    • KeyConf24, Vienna (AT) & Online, 2024-09-19, https://keyconf.dev/
    • Keycloak DevDay, Darmstadt (DE), 2025-03-06, https://keycloak-day.dev/
    • Meetup Keycloak Hour of Code, Online, every 1-2 months, https://www.meetup.com/keycloak-hour-of-code/
  28. Community Links

    • CNCF Slack: #keycloak, #keycloak-dev, https://slack.cncf.io/
    • Keycloak: https://keycloak.org/
    • Keycloak Community (Discourse Forum, GitHub Discussion, Mailing Lists): https://www.keycloak.org/community
    • Keycloak OAuth SIG: #keycloak-oauth-sig, https://github.com/keycloak/kc-sig-fapi
    • Keycloak SRE SIG: #keycloak-sre-sig, https://github.com/keycloak/keycloak-sre-sig/
  29. Links

    • Keycloak: https://www.keycloak.org/
    • Keycloak Nightly Release: https://github.com/keycloak/keycloak/releases/tag/nightly
    • Keycloak Book 2nd Edition: https://www.packtpub.com/product/kc/9781804616444
    • Keycloak High Availability: https://www.keycloak.org/high-availability/introduction
    • Keycloak Benchmark: https://www.keycloak.org/keycloak-benchmark/
    • Extend Admin UI via SPI: https://github.com/keycloak/keycloak-quickstarts/tree/main/extension/extend-admin-console-spi
    • Keycloak Hour of Code: https://www.meetup.com/keycloak-hour-of-code/
    Slides: