Recently I have wanted to unify the user accounts of several applications and build a centralized user management system that manages those applications' user bases in one place. My research led me to Red Hat's open source Keycloak, a powerful unified authentication and authorization management platform. I chose Keycloak for several reasons.

Ease of use

Keycloak provides a one-stop single sign-on solution for web applications and RESTful services. Its goal is to make application security easy to manage and to make it easy for developers to secure their applications and services. Keycloak also ships a visual management console for login, registration, and user management, which you can use to configure security policies and user management to suit your needs.

Powerful

Keycloak implements common authentication and authorization protocols and common security technologies:

  • Single sign-on (SSO) for browser applications.
  • OpenID Connect (OIDC) authentication and authorization.
  • OAuth 2.0.
  • SAML 2.0.
  • Multi-tenant support (one realm per tenant).
  • Identity brokering – use an external OpenID Connect or SAML identity provider for authentication.
  • Social login (third-party login via providers such as GitHub or Google).
  • User federation – synchronizes users from LDAP and Active Directory servers.
  • Kerberos bridge – automatically authenticates users who are already logged in to a Kerberos server.
  • Admin console for centralized management of users, roles, role mappings, clients, and configuration.
  • Account console that lets users manage their own accounts.
  • Custom themes.
  • Two-factor authentication.
  • Complete login flows – optional user self-registration, password recovery, email verification, required password updates, etc.
  • Session management – administrators and the users themselves can view and manage user sessions.
  • Token mappers – map user attributes, roles, and so on into tokens and assertions.
  • Not-before revocation policies per realm, client, and user.
  • CORS support – the client adapters have built-in support for CORS.
  • Extensible through custom SPI implementations.
  • Client adapters for JavaScript applications, WildFly, JBoss EAP, Fuse, Tomcat, Jetty, Spring, and others.
  • Support for any platform or language that has an OpenID Connect Relying Party library or a SAML 2.0 Service Provider library.

In addition, there is a dedicated Spring Boot Starter, which makes it very easy to integrate Keycloak into Spring Boot.

Proven open source

Red Hat products are generally of high quality, and Red Hat's reputation speaks for Keycloak's reliability. It is released under the Apache 2.0 license; after eight years of continuous open source development the code quality is high and well suited to customized development. Red Hat SSO, Red Hat's commercial, paid authentication and authorization product, is built on Keycloak and provides a single sign-on solution for enterprises, which indirectly confirms Keycloak's reliability.

Spring Security adapter

The framework has adapters for Spring Security and Spring Boot, and is well suited for migrating and extending systems that already use those two. This is also one of the important reasons I chose it.

Disadvantages

Although the advantages are many, the disadvantages are also obvious. Powerful means a more complex architecture, more concepts, and a higher learning cost.

Another reason for the high learning cost is that there is little Chinese-language material, so you have to work through the official documentation yourself. For the authentication modes a business needs, some interfaces (SPIs) may have to be implemented, which also tests the developer's coding ability.

Finally

Fat brother has been paying attention to this thing for a long time but had not started, first because it is genuinely challenging, and second because there was no real development scenario. Now the opportunity has come, so today I give a simple introduction to this framework so that students who do not know it can get a brief overview. If you study and practice Keycloak thoroughly, you should be able to address some of the challenges and pitfalls of building a security architecture for a large or medium-sized application. In addition, this solution is suited to building a unified authentication and authorization portal; it is relatively heavy and not suited to some small applications, but it should work very well with microservices. It is a good choice at a time when the new Spring Authorization Server is not ready for production. Follow-up posts will study and learn this thing with you; interested friends can follow: code farmer little fat brother.

Follow the official account Felordcn for more information

Personal blog: https://felord.cn