{"id":51455,"date":"2025-08-11T09:03:49","date_gmt":"2025-08-11T09:03:49","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=51455"},"modified":"2025-08-11T09:03:49","modified_gmt":"2025-08-11T09:03:49","slug":"keyclock-a-identity-sso-tools","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/keyclock-a-identity-sso-tools\/","title":{"rendered":"Keyclock: A Identity & SSO tools"},"content":{"rendered":"\n

Keycloak: Identity & SSO Tool (IAM in one box)<\/h1>\n\n\n\n

What it is<\/h2>\n\n\n\n

Keycloak is an open-source Identity and Access Management (IAM) platform that provides Single Sign-On (SSO)<\/strong>, user federation<\/strong>, identity brokering<\/strong>, and fine-grained authorization<\/strong> for web, mobile, and APIs. It implements open standards: OpenID Connect (OIDC)<\/strong>, OAuth 2.0<\/strong>, and SAML 2.0<\/strong>.<\/p>\n\n\n\n

Core concepts (quick map)<\/h2>\n\n\n\n
    \n
  • Realm<\/strong>: Isolation boundary (tenants). Users, clients, and roles live inside a realm.<\/li>\n\n\n\n
  • Client<\/strong>: An app (web, SPA, mobile, API) that uses Keycloak for login or token issuing.<\/li>\n\n\n\n
  • Users \/ Groups<\/strong>: Identities and their organization.<\/li>\n\n\n\n
  • Roles<\/strong>: Permissions attached to users\/groups (realm roles) or to specific clients (client roles).<\/li>\n\n\n\n
  • Mappers<\/strong>: Add custom claims (e.g., roles, email) into tokens.<\/li>\n\n\n\n
  • Identity Providers (IdP)<\/strong>: External SSO sources (e.g., Google, Azure AD); Keycloak can broker<\/strong> them.<\/li>\n\n\n\n
  • Federation<\/strong>: Sync users from LDAP\/AD.<\/li>\n<\/ul>\n\n\n\n

    What problems it solves<\/h2>\n\n\n\n
      \n
    • Centralized login across many apps (SSO)<\/li>\n\n\n\n
    • Standards-based auth for SPAs, mobile apps, and microservices<\/li>\n\n\n\n
    • RBAC via realm\/client roles in JWTs<\/li>\n\n\n\n
    • Social\/enterprise login without custom code<\/li>\n\n\n\n
    • Admin UI + Admin REST API for automation<\/li>\n<\/ul>\n\n\n\n

      Common architectures<\/h2>\n\n\n\n
        \n
      1. Web app<\/strong> \u2192 OIDC Authorization Code + PKCE (server session)<\/li>\n\n\n\n
      2. SPA + API<\/strong> \u2192 SPA gets tokens from Keycloak; API validates JWT (bearer-only)<\/li>\n\n\n\n
      3. Gateway\/Proxy<\/strong> \u2192 oauth2-proxy\/ingress handles OIDC, passes user headers to apps<\/li>\n\n\n\n
      4. B2E<\/strong> with LDAP\/AD \u2192 user federation + SSO to internal apps<\/li>\n\n\n\n
      5. B2C<\/strong> \u2192 social logins, self-service registration, custom themes<\/li>\n<\/ol>\n\n\n\n

        Why teams choose Keycloak<\/h2>\n\n\n\n
          \n
        • Open-source, no per-user fees<\/li>\n\n\n\n
        • Full control: self-hosted (VMs, containers, Kubernetes Operator)<\/li>\n\n\n\n
        • Extensible (themes, custom providers, hooks)<\/li>\n\n\n\n
        • Strong standards support and ecosystem<\/li>\n<\/ul>\n\n\n\n

          Quick start (local)<\/h2>\n\n\n
          docker run -p 8080<\/span>:8080<\/span> \\\n  -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n  quay.io\/keycloak\/keycloak:latest start-dev\n# Admin console: http:\/\/localhost:8080<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
            \n
          1. Create a realm<\/strong><\/li>\n\n\n\n
          2. Add a client<\/strong> (e.g., your app)<\/li>\n\n\n\n
          3. Configure redirect URIs<\/strong> and web origins<\/strong><\/li>\n\n\n\n
          4. Create users\/roles<\/strong> and add mappers<\/strong> for roles \u2192 tokens<\/li>\n<\/ol>\n\n\n\n
            Integration patterns (at a glance)<\/h2>\n\n\n\n
              \n
            • Laravel (SSR)<\/strong>: OIDC Authorization Code + PKCE via Socialite + Keycloak provider; map Keycloak user \u2192 local user; optional SSO logout via end_session endpoint.<\/li>\n\n\n\n
            • Laravel API<\/strong>: Bearer-only; validate JWT signature via realm JWKS; read roles from realm_access<\/code> \/ resource_access<\/code>.<\/li>\n\n\n\n
            • Node\/React\/Vue<\/strong>: Use official Keycloak JS adapter or generic OIDC libraries.<\/li>\n\n\n\n
            • Kubernetes<\/strong>: Run Keycloak via Operator; front apps with oauth2-proxy or Envoy\/OIDC filter.<\/li>\n<\/ul>\n\n\n\n
              Security & ops checklist<\/h2>\n\n\n\n
                \n
              • Enforce PKCE<\/strong> and HTTPS<\/strong> everywhere<\/li>\n\n\n\n
              • Rotate admin creds; restrict admin console access<\/li>\n\n\n\n
              • Set token lifetimes and reuse detection; enable Front-Channel Logout<\/strong> if needed<\/li>\n\n\n\n
              • Back up realm exports; use Infrastructure-as-Code for realms\/clients<\/li>\n\n\n\n
              • Monitor with health endpoints; scale with stateless pods + external DB<\/li>\n<\/ul>\n\n\n\n
                Theming & UX<\/h2>\n\n\n\n
                  \n
                • Customize login\/registration\/forgot-password pages with themes<\/li>\n\n\n\n
                • Localize strings; inject branding and CSS without forking core<\/li>\n<\/ul>\n\n\n\n
                  When to consider alternatives<\/h2>\n\n\n\n
                    \n
                  • You need a fully managed SaaS (Auth0, Okta, Azure AD B2C)<\/li>\n\n\n\n
                  • Strict enterprise compliance + support SLAs without self-hosting<\/li>\n<\/ul>\n\n\n\n
                    \n\n\n\n
                    <\/p>\n\n\n\n
                    \n