KeyCloak is the upstream project for the newly released Red Hat Single Sign On (SSO) product. The project and product goes well beyond a traditional SAML Identity Provider, supporting federation protocols such as OAuth 2.0 and OpenID Connect. While it is built upon JBoss EAP 7, both KeyCloak and RH-SSO are designed to be standalone systems for providing website authentication and authorization services. In fact, Red Hat believes in RH-SSO so much, that we just switched the authentication system for the high traffic Red Hat properties to use this new product (more on this tomorrow).
Steven Pousty from Red Hat takes us through how to secure multiple microservices with a central KeyCloak instance. Slides of the presentation can be found here.
The idea behind microservices is that you break down services into the smallest component that makes sense, basically one functional area per service. No sneaky back doors, everything goes through APIs and messaging services. No specific technology is required for microservices.
Authentication used to happen at the application service in a monolithic application. However, with microservices, authenticated is handled by a dedicated microservice. The auth service should be distributed and highly available. KeyCloak is one option for this authentication microservice.
User authentication is handed off to the KeyCloak microservice and client-side web apps and mobile apps consume tokens or sessions (OpenID Connect, OAuth 2.0, etc). KeyCloak also supports two factor authentication, for those applications needing a higher level of security.
KeyCloak comes out of the box with HA clustering (based on Infinispan) as well as client adapters. The client adapters make it easy for your application to tie into KeyCloak. There are some pretty great quickstarts for this. In addition, it has a plugin interface (SPIs) for further customizing your authentication system. Furthermore, KeyCloak also supports social authentication with a full range of identity providers (Facebook, Google, etc).
For the back-end user stores, you can consume existing stores, such as IdM, LDAP or Active Directory. You can also define your own user provider and do whatever makes sense for your organization.
Steven's demo application is at https://bit.ly/j1ddgen, if you wish to play around a bit. Granted, Steven might shut down the Registration process after this session. At the very least, you can view the awesome theme.
KeyCloak and Red Hat SSO really do make it easy to roll out an authentication and authorization for your services or website. If you have not checked it out, do yourself a favor and spend some time with it.
About the Author
Brian J. Atkisson is a Senior Principal Systems Engineer and the technical lead on the Red Hat IT Identity and Access Management team. He has 18 years of experience as a Systems Administrator and Systems Engineer, focusing on identity management, virtualization, systems integration, and automation solutions. He is a Red Hat Certified Architect and Engineer, in addition to his academic background in Biochemistry, Microbiology and Philosophy.Last updated: March 15, 2023