Featured image for security.

Continuing our mission to better support enterprise developers in securing modern applications, APIs, and services with minimum effort, Red Hat has released version 22.0 of the Red Hat build of Keycloak.

The Red Hat build of Keycloak is a cloud-native Identity and Access Management (IAM) solution based on the Keycloak distribution powered by Quarkus. The Red Hat build of Keycloak replaces any plans for a future single sign-on (8.0 or higher) features release. Red Hat build of Keycloak is faster, more flexible, and optimized for running in the hybrid-cloud environment, while preserving the power and functionality of single sign-on.

The release version 22.0 of Red Hat build of Keycloak has a number of great features and performance improvements, including tools to improve developer productivity. Let’s take a look at the key highlights of this release. For a complete list of new features, check out the official Red Hat build of Keycloak 22.0 release notes.

Cloud-friendly and faster

By leveraging the continuous improvements in the Quarkus framework for better performance and efficiency, Keycloak has significantly reduced its server startup time and memory footprint. Compared to the legacy Wildfly-based distribution, a Keycloak now running on top of Quarkus has a smaller distribution size with less dependencies, a faster start-up time (less cpu), and lower server memory footprint (heap and metaspace).

The total size of the new distribution is almost half the size of the legacy Wildfly-based distribution. A performance benchmark for a very simple comparison between Keycloak running on Quarkus and Wildfly showed a significant gain on both startup time and memory footprint, nearly 50%.

With these improvements, a Red Hat build of Keycloak provides users with a cloud-friendly IAM solution that is optimized for running in the hybrid cloud. It enables users for a cloud efficiency IAM deployment with cost savings and faster time to market.

Better usability

The new Keycloak distribution has a strong focus on usability. Users should expect a better experience when configuring and starting the server as well as when performing other common operations. There is a new CLI tool (kc.sh) providing a simpler configuration procedure using interactive command-line help instead of editing opaque and complex XML files like in the single sign-on (a legacy Wildfly-based Keycloak distribution).

Users can choose from multiple configuration sources, such as a file, CLI, environment variables, or an encrypted KeyStore. Red Hat build of Keycloak can load the server’s configuration from five different sources with an order of application.

In the context of Quarkus, Keycloak is essentially a Quarkus extension under the hood, so it can provide developers with more flexibility and modularity in the Quarkus ecosystem. Using Keycloak with Quarkus should be enjoyable for developers to build and add better custom providers extensions into the Red Hat build of Keycloak.

Improved security

Considering how critical an IAM solution is and the impact of misconfiguration on the overall security of the deployment, Red Hat build of Keycloak comes with the minimal configuration possible with a secure-by-default policy in mind. The idea is to provide the bare minimum configuration options to run the server while imposing some key constraints on how the configuration should be set before running in production. There is clear separation between development, testing, and production runtimes.

Users can now start the Keycloak server in development mode or production mode. Each mode offers different defaults for the intended environment, but with more opinionated settings for the production mode. For instance, the production mode expects a hostname and a HTTPS/TLS setup to be available when starting the server. Without those further configurations, the kc.sh CLI tool will not start Keycloak and shows an error instead.

FIPS 140-2 support

Red Hat build of Keycloak 22.0 provides support for deploying and running Keycloak into a FIPS 140-2 enabled environment. The Federal Information Processing Standard Publication (FIPS) is a U.S. government computer security standard used to approve cryptographic modules. Red Hat build of Keycloak 22.0 supports running in FIPS 140-2 compliant mode. In this case, the Keycloak server will use only FIPS approved cryptographic algorithms for its functionality.

New admin console

Red Hat build of Keycloak 22.0 comes with a new admin console that provides an extensive and friendly interface for administrators and developers to configure and manage Keycloak. The new admin console is based on Patternfly and enables consistency and usability across the whole admin console pages for a better user experience and accessibility enhancements.

A new Java-based operator

The release 22.0 of Red Hat build of Keycloak includes a new operator for deploying and running Keycloak in Red Hat OpenShift environments. The new operator is now a Java-based operator, rewritten from scratch using the Java Operator SDK as compared to the legacy Go-based single sign-on operator.

The new operator brings more flexibility and better architecture that shares business objects with the Keycloak main codebase. This increases the code-reuse and dramatically reduces the chances of introducing bugs in the translation process from Kubernetes resources. Also, the container image provides greater security for the operator by making the image based on UBI9 rather than UBI8 and using a UBI micro image, which helps reduce the attack surface. The new operator embraces the new cloud native capabilities of the Keycloak Quarkus distribution from the ground up, improving the overall user experience.

Getting support

Support for Red Hat build of Keycloak is available to Red Hat customers through a subscription. Contact your local Red Hat representative or Red Hat Sales for details on how to enjoy world-class support offered by Red Hat and its worldwide partner network. Customers can expect support for Red Hat Build of Keycloak and other runtimes according to the Red Hat Product Update and Support Lifecycle.

Get started with Red Hat build of Keycloak

Red Hat build of Keycloak 22.0 comes with many other features and improvements highlighted in the release notes. Ready to get started with Red Hat build of Keycloak? Here are more useful links to get you started:

Last updated: November 20, 2023