Keycloak

Keycloak is an open source Identity and Access Management (IAM) solution developed by Red Hat. Like other IAM systems it supports SAML 2.0, OpenID Connect and OAuth 2.0, and it provides solid user management for any application that delegates login to it. It also ships adapters for several languages and frameworks that let you customise its behaviour if you want to.

Supporting the federation protocols is nice, but what makes Keycloak stand out is the user management. Many login features reduce to flipping a switch or ticking a checkbox. Suppose you want "forgot password" on the default login page: turn on the "Forgot password" switch in the realm's Login settings and a forgot-password link appears on the login page, backed by an email-based reset flow (the realm needs a working SMTP configuration for the reset mail to go out). This is just one of the many things Keycloak does. Over this series of posts I will go deeper into the concepts. For now, let's run it for the first time and explore.

I like using Docker for experiments; it makes life easier, so I am going to use the Keycloak Docker image here. Below is the docker-compose file you need to start Keycloak. It defines two services: the Keycloak image itself and a MySQL database that Keycloak uses as its store. This is where all the users and clients are persisted. The credentials in the file are lab-only values for a local experiment, not something to reuse on a reachable host.

version: "3"

volumes:
  mysql_data:
    driver: local

services:
  mysql:
    # For a reproducible lab, pin a specific tag instead of "latest".
    image: mysql:latest
    volumes:
      - mysql_data:/var/lib/mysql
    environment:
      # Lab-only credentials: they sit in plaintext in this file and in the
      # container environment, so never reuse them outside this experiment.
      MYSQL_ROOT_PASSWORD: root
      MYSQL_DATABASE: keycloak
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: password
  keycloak:
    # Legacy WildFly-based image; its console and APIs live under /auth.
    image: jboss/keycloak
    environment:
      DB_VENDOR: MYSQL
      DB_ADDR: mysql          # the service name above, resolved on the compose network
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_PASSWORD: password   # must match MYSQL_PASSWORD
      # Initial master-realm admin; change this password before exposing the port.
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: Pa55w0rd
      #JDBC_PARAMS: "connectTimeout=30000"
    ports:
      - 8080:8080             # plain HTTP, acceptable on localhost only
    depends_on:
      - mysql                 # starts after mysql, but does not wait for it to be ready

Once the containers are up, navigate to http://localhost:8080 and you should see the Keycloak welcome screen.


If you want to go straight to the console, click "Administration Console" and log in with the username and password set in the compose file above: username admin, password Pa55w0rd.


Before diving into how Keycloak works, you have to understand realms. A realm is a logical partition that is managed separately; think of it as a tenant. Say you create a realm for an app called foo: the users and clients you create there are reachable only through that realm, and you can add as many realms as you like. Every realm has its own admins. By default there is a Master realm whose users can manage every other realm, so treat master-realm accounts as highly privileged and reserve them for administering realms rather than day-to-day use. After logging in, go to the top left corner, click the downward arrow next to the realm name and choose "Add realm". Give it any name you like.

After you hit Create, you will see the new realm. For example, I created an "onepiece" realm. Any user, client or configuration I make in this realm stays in this realm and is accessible only by master realm users or by users of the "onepiece" realm. If you explore the realm configuration you will find many settings, such as the display name, themes and so on.
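The same two steps, bringing the stack above to a usable state and then creating a realm, can be driven from the shell instead of the console. The script below is an added example and not code from the original post or from the Keycloak project. It assumes the legacy jboss/keycloak image used in the compose file (so the token endpoint and admin REST API sit under the /auth prefix), the built-in public "admin-cli" client of the master realm, and the admin credentials from the compose file, read from the environment rather than hardcoded a second time. The realm name "onepiece" and the variable names are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): provision a realm through the
# Keycloak admin REST API using a master-realm admin token.
# Assumes the legacy jboss/keycloak image (APIs under /auth) and the built-in
# public client "admin-cli". Run with:  sh keycloak-realm.sh run
set -u

KC_URL="${KC_URL:-http://localhost:8080}"
KC_ADMIN="${KEYCLOAK_USER:-admin}"
KC_ADMIN_PW="${KEYCLOAK_PASSWORD:-Pa55w0rd}"

# Minimal JSON body accepted by POST /auth/admin/realms.
realm_json() {
  printf '{"realm":"%s","enabled":true}' "$1"
}

# Pull access_token out of a token response without depending on jq.
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Block until the welcome page answers; MySQL initialisation can take a while
# and depends_on in the compose file does not wait for readiness.
wait_for_keycloak() {
  i=0
  until curl -fsS -o /dev/null "$KC_URL/auth/"; do
    i=$((i + 1))
    [ "$i" -ge 60 ] && { echo "keycloak not up after 60 tries" >&2; return 1; }
    sleep 2
  done
}

# Resource-owner password grant against the master realm with admin-cli.
# This is the same privilege as logging into the admin console as that user.
get_admin_token() {
  resp=$(curl -fsS -X POST "$KC_URL/auth/realms/master/protocol/openid-connect/token" \
    -d client_id=admin-cli -d grant_type=password \
    --data-urlencode "username=$KC_ADMIN" --data-urlencode "password=$KC_ADMIN_PW")
  extract_token "$resp"
}

# Create the realm. 201 means created; 409 means it already exists, which is
# fine for a re-run. Anything else is an error worth seeing.
create_realm() {
  token="$1"; name="$2"
  code=$(curl -sS -o /dev/null -w '%{http_code}' -X POST "$KC_URL/auth/admin/realms" \
    -H "Authorization: Bearer $token" -H 'Content-Type: application/json' \
    -d "$(realm_json "$name")")
  case "$code" in
    201|409) return 0 ;;
    *) echo "create realm $name failed: HTTP $code" >&2; return 1 ;;
  esac
}

# Read the realm back through the admin API to confirm it is there.
realm_exists() {
  token="$1"; name="$2"
  curl -fsS -o /dev/null -H "Authorization: Bearer $token" "$KC_URL/auth/admin/realms/$name"
}

provision_realm() {
  wait_for_keycloak
  token=$(get_admin_token)
  [ -n "$token" ] || { echo "could not obtain admin token" >&2; exit 1; }
  create_realm "$token" onepiece
  realm_exists "$token" onepiece && echo "realm onepiece is present"
}

# Only talk to the server when explicitly asked, so the helpers can be sourced.
if [ "${1:-}" = "run" ]; then
  provision_realm
fi
```

The token obtained here carries the master-realm admin's full rights, so it should never be written to disk or shell history; in the next post the same call is made with a narrower, purpose-built role instead of the initial admin account.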

I will stop here for now. In upcoming posts I will go through Keycloak protocol by protocol, and in the next post I will describe how to access the Keycloak admin API using its built-in roles, which covers many of the details.

-Sandeep