Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What's next in Keycloak, the Open Source IAM? (...

What's next in Keycloak, the Open Source IAM? (KC24)

Adding authentication and authorization to your application landscape is the key to automate yourprocesses and enable new business capabilities. All of this requires APIs and services for administration and automation which only an Identity and Access Management solution can provide.
More than 10 years ago the Keycloak maintainers committed the first code to their repository. In the following years Keycloak built a growing community by offering a flexible Open Source IAM. You can use it both out of the box or extend it to fit your organization’s needs.
After presenting some of the highlights of the latest Keycloak release, this talk focuses on the advancements in OpenID Connect, as well as Keycloak’s pursuit for scalability, high availability and customizability via declarative user profiles.

Alexander Schwartz

February 22, 2024
Tweet

More Decks by Alexander Schwartz

Other Decks in Technology

Transcript

  1. What’s next in Keycloak, the Open Source IAM? Alexander Schwartz

    | Principal Software Engineer | Red Hat Keycloak DevDay 2024 | 2024-02-22
  2. A Keycloak Journey Day 1: Single-Sign-On is cool! Day 2:

    Become flexible in your setup Day 3: Eliminate daily churn
  3. Day 1: Single-Sign-On is cool! • Users need to remember

    only one password • Authenticate only once per day • Add second factor for authentication for security • Theme the frontend to match your needs Makes sense already for a single application!
  4. Day 2: Become flexible in your setup • Integrate LDAP

    and Kerberos • Brokerage to existing SAML services • Brokerage to existing OIDC services • Integrate existing custom stores • SCIM integration Reuse the existing user infrastructure!
  5. Day 3: Eliminate daily churn • User required actions •

    User password recovery (even when using LDAP) • Self-registration for users • User data self-management Resolve the need for calls and tickets!
  6. Keycloak is an Open Source Identity and Access Management Solution

    • Authenticate and authorize users and services • Configure interactively or fully automated • Bridge to existing security infrastructures • Extend and customize as needed • Run and scale in cloud and non-cloud environments
  7. Keycloak Book: 2nd Edition! Based on Keycloak 22 and Quarkus:

    new and improved user experience and a new admin console with a higher focus on usability. You will see how to leverage Spring Security, instead of the Keycloak Spring adapter while using Keycloak 22. Meet me for the book, stickers and postcards!
  8. A Keycloak Journey Day 1: Single-Sign-On is cool! Day 2:

    Become flexible in your setup Day 3: Eliminate daily churn
  9. Highlights Keycloak 24 * • Passkey support evolving • Load

    Shedding and Non-Blocking Probes • Multi-site support with blueprints • Sizing Guide • Quarkus 3.8 • User Profile • Simplified truststore handling • Extending the Admin UI via SPI * subject to change
  10. Highlights Keycloak 24 * • Passkey support evolving • Load

    Shedding and Non-Blocking Probes • Multi-site support with blueprints • Sizing Guide • Quarkus 3.8 • User Profile • Simplified truststore handling • Extending the Admin UI via SPI * subject to change
  11. Loadshedding Well-behaving even when the system receives more requests than

    it can handle. Action Behavior before Behavior after Incoming requests Requests queue up, delayed response, client times out. Limit the queue, fail fast for excessive requests* * needs to be configured via http-max-queued-requests
  12. Loadshedding Well-behaving even when the system receives more requests than

    it can handle. Action Behavior before Behavior after Incoming requests Requests queue up, delayed response, client times out. Limit the queue, fail fast for excessive requests* Liveness probe Timeout, Pod restarted by Kubernetes Non-Blocking, Pod survives * needs to be configured via http-max-queued-requests
  13. • Synchronous database and and Infinispan to avoid data loss

    • Low-latency network between sites to avoid long response times • Active-passive to avoid potential deadlocks in Infinispan Multi-Site support
  14. Improvements not only for multi-site setups: • Sizing Guide (memory,

    CPU, threads) • Simplified configuration for a typical external Infinispan setup • Automated load and failure tests • Protection against cache stampedes • AWS Aurora PostgreSQL Multi AZ support (in progress) • Infinispan and JGroups hardening Multi-Site support
  15. Highlights Keycloak 24 * • Passkey support evolving • Load

    Shedding and Non-Blocking Probes • Multi-site support with blueprints • Sizing Guide • Quarkus 3.8 • User Profile • Simplified truststore handling • Extending the Admin UI via SPI * subject to change
  16. Translation tool for UIs First PoC available. Looking for volunteers

    to take the lead. Please get in touch with me.
  17. Better operational experience for Keycloak • Secure by default •

    Metrics for service level objectives • Seamless upgrades • Cache consistency Looking forward to your feedback and ideas around this today!
  18. • Keycloak https://www.keycloak.org/ • Keycloak Nightly Release https://github.com/keycloak/keycloak/releases/tag/nightly • Keycloak

    Book 2nd Edition https://www.packtpub.com/product/kc/9781804616444 • Keycloak High Availability https://www.keycloak.org/high-availability/introduction • Keycloak Benchmark https://www.keycloak.org/keycloak-benchmark/ • Extend Admin UI via SPI https://github.com/keycloak/keycloak-quickstarts/tree/main/extension/extend-admin-console-spi • Keycloak Hour of Code https://www.meetup.com/keycloak-hour-of-code/ Links