Keycloak Part-1: What is Keycloak?
This is a part of a series of blogs that talk about Keycloak as a tool. Have a look at the complete series below:-
In this blog, we have a basic discussion of Keycloak covering:-
- What is Keycloak?
- Why Keycloak?
- Features offered by Keycloak
- Tech stack of Keycloak
- When not to go for Keycloak
- Some alternatives of Keycloak
- Which Organization is backing this tool?
- Some popular organizations which are using Keycloak
- The most important question: Is it paid or free? Can we use it in production?
What is Keycloak?
Official documentation says
Keycloak is an open-source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.
In simple terms ... it is software that manages user storage and authentication for you. Your applications delegate login to Keycloak instead of storing and checking credentials themselves, and Keycloak also offers a lot of user-management features out of the box.
Security is a sensitive topic, and as software developers we usually prefer to build features and think less about securing them. Keycloak gives us a system that provides almost all of these functions out of the box, so you can focus on other aspects of the software. Further, it is backed by Red Hat and is already used by many organizations for exactly this task. We will come back to this later in this blog.
Features offered by Keycloak
- Single Sign-On
- One login place for all the services you offer: the user authenticates once with Keycloak, and each application (an OpenID Connect or SAML "client" in Keycloak terms) gets its own tokens from that single session.
- For example, take Google. Once you sign in to your Google account, you don't need to log in again to use YouTube, Gmail, Drive, etc. Multiple apps share the same identity provider. With Single Sign-On, multiple apps can share one user base, and once a user has signed in, they can work with all of them.
- Social Login (identity brokering)
- Keycloak provides "Login with Facebook", "Login with Google" and login through any other OpenID Connect or SAML identity provider out of the box. It is configured in the admin console; no coding is required.
- Supports OpenID Connect and SAML 2.0
- OpenID Connect (OIDC) is an open standard identity layer on top of OAuth 2.0. The identity provider authenticates the user and returns signed JSON Web Tokens (an ID token and an access token) that the application verifies.
- SAML 2.0 is a standard in which the Identity Provider (IdP) passes signed XML assertions about an authenticated user (identity and attributes) to Service Providers (SPs).
- Fine-grained authorization
- You can define realm roles, client-specific roles and groups for users, and Keycloak's Authorization Services go further with resources, scopes and policies for centrally managed permissions.
- Easy installation and deployment steps
- For installation, it ships as a standalone distribution that can be run directly on any system. The only requirement is a Java installation.
- For deployment, there is also an official Docker image you can run directly. Keep in mind that the default setup (embedded H2 database, plain HTTP) is meant for development; production needs an external database and TLS.
- Good UI for managing users with ease
- It has a clean admin console that covers basic user management: creating users, resetting passwords, assigning roles and groups, and viewing or revoking sessions.
- Good API support
- You can use the Admin REST API provided by Keycloak to integrate it with your systems. Almost everything you can do in the UI has a corresponding Admin API endpoint.
- Add more extensions, as per your need
- For example, if you want an event listener for everything happening in Keycloak (logins, login failures, admin changes) and want to act on those events, you can write an extension implementing a custom event listener.
- This is just one example; extensions (Keycloak calls them SPIs and providers) let you add features that you need and that Keycloak does not have yet.
- You can have a look at some Keycloak extensions here.
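To make the "Admin API" point concrete, here is an added example (not code from the original blog or from the Keycloak project) that creates a user through the Admin REST API using a confidential client's service account. The server URL, realm name, client id and user details are assumed values; the endpoint paths (`/realms/{realm}/protocol/openid-connect/token` and `/admin/realms/{realm}/users`) are Keycloak's own, with the `/auth` context path of the WildFly-based distribution.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Creates a user via the Keycloak Admin REST API with an OAuth 2.0
 * client_credentials grant. Server, realm, client and user values are
 * assumed for illustration.
 */
public class KeycloakAdminApiExample {
    // Assumed: WildFly-based Keycloak, so the context path is "/auth".
    static final String BASE_URL = "https://keycloak.example.com/auth";
    static final String REALM = "demo";
    static final String CLIENT_ID = "user-provisioner";
    // Never hard-code the secret; read it from the environment or a secret store.
    static final String CLIENT_SECRET = System.getenv("KEYCLOAK_CLIENT_SECRET");

    static final HttpClient HTTP = HttpClient.newHttpClient();

    /** Obtains an access token for the confidential client's service account. */
    static String serviceAccountToken() throws Exception {
        String form = "grant_type=client_credentials"
                + "&client_id=" + URLEncoder.encode(CLIENT_ID, StandardCharsets.UTF_8)
                + "&client_secret=" + URLEncoder.encode(CLIENT_SECRET, StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder(
                        URI.create(BASE_URL + "/realms/" + REALM + "/protocol/openid-connect/token"))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> response = HTTP.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IllegalStateException("token request failed: HTTP " + response.statusCode());
        }
        // Minimal extraction to avoid a JSON dependency; use a real JSON parser in production code.
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(response.body());
        if (!m.find()) {
            throw new IllegalStateException("no access_token in token response");
        }
        return m.group(1);
    }

    /** POST /admin/realms/{realm}/users; returns the new user's id taken from the Location header. */
    static String createUser(String token, String username, String email) throws Exception {
        // Values here are plain ASCII; escape them (or build the JSON with a library) for arbitrary input.
        String body = "{"
                + "\"username\":\"" + username + "\","
                + "\"email\":\"" + email + "\","
                + "\"enabled\":true,"
                + "\"requiredActions\":[\"UPDATE_PASSWORD\"]"  // user must set a password at first login
                + "}";
        HttpRequest request = HttpRequest.newBuilder(
                        URI.create(BASE_URL + "/admin/realms/" + REALM + "/users"))
                .header("Authorization", "Bearer " + token)
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        HttpResponse<String> response = HTTP.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() == 409) {
            throw new IllegalStateException("user already exists: " + username);
        }
        if (response.statusCode() != 201) {
            throw new IllegalStateException("create user failed: HTTP "
                    + response.statusCode() + " " + response.body());
        }
        String location = response.headers().firstValue("Location").orElseThrow();
        return location.substring(location.lastIndexOf('/') + 1);
    }

    public static void main(String[] args) throws Exception {
        String token = serviceAccountToken();
        String userId = createUser(token, "alice", "alice@example.com");
        System.out.println("created user id " + userId);
    }
}
```

For this to work, the client must be confidential with "Service Accounts Enabled", and its service-account user needs only the `manage-users` role from the realm's built-in `realm-management` client. Granting it `realm-admin` would also work but hands an automation credential far more power than it needs; keep it to the narrowest role the task requires.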
Tech Stack of Keycloak
Keycloak is built in Java, and it runs on WildFly (the renamed JBoss Application Server). WildFly is a complete Java EE server, and Keycloak makes use of the full Java EE stack it provides. You'll find some blogs about running Keycloak on Tomcat, but they are quite old, from when Keycloak was just born, and Keycloak has evolved a lot since then. (Note that Keycloak 17 and later ship on Quarkus instead of WildFly, so the server-specific points in this blog apply to the WildFly-based releases.)
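Since Keycloak is a Java application, the custom event listener mentioned under "extensions" in the feature list is written in Java against Keycloak's event SPI. The following is an added example (not code from the original blog or from the Keycloak project) of a listener that counts failed logins per source IP and logs a warning once a threshold is reached; the package name, provider id and threshold are assumed values, while the interfaces (`EventListenerProvider`, `EventListenerProviderFactory`, `Event`, `AdminEvent`, `EventType`) are Keycloak's own.

```java
package com.example.keycloak.events;  // assumed package name

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Event listener extension: counts LOGIN_ERROR events per source IP and
 * warns once the count reaches a threshold. Counts live in memory on this
 * node only; a real deployment would push them to a SIEM or shared store.
 */
public class FailedLoginListenerFactory implements EventListenerProviderFactory {
    private static final Logger LOG = Logger.getLogger(FailedLoginListenerFactory.class);
    private static final int THRESHOLD = 5;  // assumed value

    // The factory is a singleton, so this map is shared by all provider instances.
    private final Map<String, AtomicInteger> failuresByIp = new ConcurrentHashMap<>();

    @Override
    public EventListenerProvider create(KeycloakSession session) {
        return new EventListenerProvider() {
            @Override
            public void onEvent(Event event) {
                if (event.getType() == EventType.LOGIN_ERROR) {
                    String ip = event.getIpAddress();
                    int n = failuresByIp.computeIfAbsent(ip, k -> new AtomicInteger()).incrementAndGet();
                    if (n >= THRESHOLD) {
                        LOG.warnf("%d failed logins from %s in realm %s (last error: %s)",
                                n, ip, event.getRealmId(), event.getError());
                    }
                } else if (event.getType() == EventType.LOGIN) {
                    // A successful login from this IP clears its failure streak.
                    failuresByIp.remove(event.getIpAddress());
                }
            }

            @Override
            public void onEvent(AdminEvent adminEvent, boolean includeRepresentation) {
                // Admin console / Admin API changes arrive here; useful for an audit trail.
                LOG.infof("admin %s on %s by user %s",
                        adminEvent.getOperationType(),
                        adminEvent.getResourcePath(),
                        adminEvent.getAuthDetails().getUserId());
            }

            @Override
            public void close() {
                // Nothing to release per request.
            }
        };
    }

    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }

    /** The id shown in the admin console under Events > Config > Event Listeners. */
    @Override public String getId() { return "failed-login-counter"; }
}
```

To register it, package the class in a JAR with a file `META-INF/services/org.keycloak.events.EventListenerProviderFactory` containing the fully qualified class name, deploy the JAR to the server, and then enable `failed-login-counter` in the realm's event listener settings. Note that `getIpAddress()` reflects what Keycloak sees, so behind a load balancer the proxy must be configured to pass the client address or every failure will appear to come from the proxy.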
When not to go for Keycloak
- Keycloak runs only on WildFly, a complete Java EE server, whereas Tomcat is a servlet container and web server that does not implement the full Java EE stack and is therefore a lighter-weight server. Going with a full Java EE stack server may have its own downsides in the longer run (memory footprint, startup time, operational complexity).
- If you want a lot more control over what is happening inside and need far more customization than the extension points provide.
- When Keycloak is simply overkill compared to the features you require.
Some alternatives of Keycloak
If you want to understand a service, it's good to look at its competitors. Some products that provide a similar service are:-
- Okta and Auth0
- Okta and Auth0 are quite similar hosted services that provide almost the same product. They come with the advantage that you don't have to manage anything for users on your side: you store the user ids and all verification is done by them.
- But they are paid services with a freemium business model (i.e. free up to a certain number of users, after which they charge per user). Further, with an external service the user credentials are stored on their end and not on yours, which you might not want for certain use cases. And if they go down for any reason, no one can log in to your app.
- Compared to this, Keycloak runs on your own infrastructure (for example as a Docker container) and all its data stays in a database you control.
- Gluu is also an open-source IAM like Keycloak. Unlike the Keycloak community project, which does not itself sell support (Red Hat offers that separately as Red Hat Single Sign-On, see below), Gluu provides paid support in the form of various services. Further, Gluu has published some blogs comparing it with Keycloak here.
- Keycloak as a project is quite big and has a lot of documentation and community support. If you look at its GitHub releases, they are actively working on the project right now.
I myself cannot compare it deeply with Gluu, since I haven't explored Gluu yet.
Which Organization is backing this tool?
Keycloak is backed by Red Hat. And just for info, Red Hat became a subsidiary of IBM in 2019.
Some popular organizations which are using Keycloak
The official Keycloak repository lists the organizations that are officially using Keycloak. Some of the popular names in the list are:-
- Hewlett-Packard Enterprise
- Red Hat itself, which ships the same code base as a supported, paid product under the name Red Hat Single Sign-On
The most important question: Is it paid or free? Can we use it in production?
Keycloak is open-source software, so its codebase is freely available to use and modify. But wait... not every open-source project is free to use commercially; it depends on the license it uses. You can have a look at the license of Keycloak here on GitHub: it is the Apache License 2.0, which permits commercial use. And as the list of adopters above shows, Keycloak is already being used in production.
That's all for this blog. I hope you now have a good idea of Keycloak as a tool. We'll discuss the tool in more depth in the following blogs.
Thank you for reading! Do share your feedback and suggestions in the comments below.