Identity: who am I
Access: what can I do
For people, machines, apps...
Standard for authentication and authorization (OpenID Connect, built on top of OAuth 2.0)
Based around signed tokens (JWT)
Adopted by major actors (public & private)
Access token / Refresh token
Access token: presented to the resource server (API) to access protected resources
Refresh token: lets the client obtain a new access token from the IdP without asking the user to log in again
What are claims?
Who you are
What you can do (groups, roles, ...)
No need to register the user in your app first: the IdP vouches for them!
How is that "more" secure?
Password goes to a single app: the identity provider (IdP)
Only claims leave the IdP
End application never sees your password
Tokens have a short expiry, so a leaked access token is only useful briefly
Keycloak centralizes auditing and advanced authentication mechanisms (MFA, brute-force detection)
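The points above (claims instead of passwords, short-lived signed tokens, the end application never holding the password) come together on the resource-server side, which has to check a token before trusting any claim in it. The following is an added example and is not code from the slides or from the Keycloak project. It plays both sides in one process: signToken stands in for Keycloak minting an RS256 access token, and verifyToken is what a protected API does with it. The issuer URL, the client id "my-app", the user "alice" and the roles are constructed assumptions; a real resource server would not hold the private key at all, but fetch the realm's public keys from Keycloak's JWKS endpoint (.../realms/<realm>/protocol/openid-connect/certs) and pick the one named by the token's kid header.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
	"time"
)

// Audience accepts Keycloak's aud claim as either a bare string or an array.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = Audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

// AccessClaims is the subset of a Keycloak access token a resource server needs;
// Keycloak puts realm roles under realm_access.roles.
type AccessClaims struct {
	Iss               string   `json:"iss"`
	Aud               Audience `json:"aud"`
	Exp               int64    `json:"exp"`
	PreferredUsername string   `json:"preferred_username"`
	RealmAccess       struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

// keycloakLikeClaims is a constructed demo payload shaped like a Keycloak access
// token; the issuer URL, client id and user "alice" are assumptions.
func keycloakLikeClaims(issuer, clientID string, exp time.Time) map[string]any {
	return map[string]any{
		"iss": issuer, "aud": []string{clientID, "account"}, "azp": clientID,
		"exp": exp.Unix(), "preferred_username": "alice",
		"realm_access": map[string]any{"roles": []string{"offline_access", "editor"}},
	}
}

// signToken plays the IdP and mints an RS256 JWT; only Keycloak holds priv.
func signToken(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(claims) // a map of strings and ints cannot fail
	input := header + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyToken plays the resource server: it trusts only the realm public key
// and checks alg, signature, issuer, audience and expiry before using claims.
func verifyToken(tok string, pub *rsa.PublicKey, issuer, audience string, now time.Time) (*AccessClaims, error) {
	parts := strings.Split(tok, ".") // Split always yields at least one element
	headerJSON, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var header struct{ Alg string `json:"alg"` }
	// Pin the algorithm: never let the token choose it (alg=none, HS256 key confusion).
	if len(parts) != 3 || json.Unmarshal(headerJSON, &header) != nil || header.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or unexpected alg %q", header.Alg)
	}
	// The signature covers the raw header and payload segments exactly as received.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	payloadJSON, _ := base64.RawURLEncoding.DecodeString(parts[1]) // verified above
	var c AccessClaims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case !slices.Contains(c.Aud, audience):
		return nil, fmt.Errorf("token not issued for this client")
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	issuer := "https://sso.example.com/auth/realms/demo" // assumed realm URL
	tok, _ := signToken(priv, keycloakLikeClaims(issuer, "my-app", time.Now().Add(5*time.Minute)))
	fmt.Println(verifyToken(tok, &priv.PublicKey, issuer, "my-app", time.Now()))
}
```

The order of the checks is the point: the algorithm is pinned before the signature is looked at, the signature is checked before any claim is parsed, and only then are issuer, audience and expiry compared. Keycloak only adds your client to aud when an audience mapper is configured for it (otherwise aud is just "account"), which is why the audience check is explicit here rather than assumed.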
A Red Hat Open Source project
Identity and Access management
OpenID Connect support (but also SAML 2.0)
What is Keycloak really
A Java app
Runs on the WildFly application server
(comes as a single package - batteries
Realm: set of users, roles, clients, and groups
Client: an application that uses Keycloak to authenticate its users
IdP: Identity Provider
Not all applications support OpenID Connect
Gatekeeper is an OIDC-compatible reverse proxy that handles the login in front of them (the Keycloak Gatekeeper project has since been deprecated)
Login with external sources (GitHub, Google,
Get claims back from them
Connect Keycloak with LDAP, FreeIPA, Kerberos...
Creative Commons Zero https://www.flickr.com/photos/freestocks/25668265836