rishabhpoddar
commented
3 years ago See the answers for SuperTokens here
Describe the dev setup experience (how many steps and what are they + time overall)
-
Setting up the keycloak server through the getting started guide is quick.
-
The next parts of the guide go into granular detail of server installation which is very overwhelming. It mentions multiple ways to startup the server, mentioning multiple “operating modes” to run it, clustering, database and network setup and downloading additional tools for more configuration…
-
It was easier to google for a third party tutorial showing how to set it up for my particular tech stack which was node and react.
-
I could then log into the keycloak dashboard and started configuring my app
-
Total time taken for configuration was about 10 mins. This includes setting up the realm, with signin/sign up, email verification.
-
There are alot of customizations available and it was alot to take in and go through...
-
Setting up an email for email verification and password reset requires you to set up smtp mail. No in-built or out-of-the-box solution.
-
Setting up Social Providers seems simple, for setting up google, had to put the clientid and client secret, some configuration so it could work on my local setup but no other issues with social login.
-
Setup keycloak in the react app according to the tutorial. Seems easy with minimum configs as the most configuration is done in the dashboard.
Can you easily add a custom social provider?
Flow for setting up Google and Facebook:
- Generate the client secret and client id from you google app
- Add google as a provider from the Identity provider tab on the dashboard
- add the generated client secret and client id
The dashboard has extensive customization options(setting a custom login flow, setting scopes etc..)
- By default keycloak supports most social providers. Additional custom Identity providers can be added from the dashboard if they fall under the SAML or Open ID connect protocols. There seem to be incompatibility issues with login with apple though, sign in with apple uses some params of the OIDC spec which is not commonly used and keycloak's built in OIDC implementation does not support it yet. Keycloak also has Service Provider Interfaces, this allows users to add custom code to support custom identity providers. Ease of implementation: 4/5
How do go about sending emails yourself if you want to?
Keyclaok is not able to send emails by default but requires you to use a smtp mail server.
Flow for setup using zoho mail:
- got the smtp URL from zoho
- add the correct port
- added my zoho mail credentials Ease of implementation 5/5
How to implement sign out functionality?
- The keycloak object on your frontend has a logout function Ease of implementation: 5/5
Can sessions be used with httpOnly cookies?
- You can, I was following this discussion and you need to check the enable SSL option for secure cookie to be set
How can we go about customising the UI? From colours to full customisation
How to go about customising the email design and or the sender's domain?
- Keycloak allows for full customization of the UI but this customization is not user-friendly. There is no method of customizing the ui from keycloaks dashboard, you can only set what theme you would like to apply. If you want to customize a theme you need to create a custom theme as according to the documentation you should not make any changes to the default themes. To create a custom theme you need to navigate to the keycloak/theme directory and create your custom theme file there. Most tutorials recommend copying the contents of one the base themes into your custom theme directory and then start making changes. Each theme has an individual directory responsible for a certain category, for example, there is a login directory that contains all the properties for the login, otp, registration, forgot password UI, an email directory containing all the content (messages/subject) which would be sent for emails. I started checking out the customization for the login screen, there is a css file I can change which allows me to change all the properties of the elements shown on the login screen.
- The senders domain can be customized from the keycloak dashboard Ease of implementation: 1/5
How would adding custom sign up fields work?
- Adding custom fields to the registration form also has to be done through a custom theme. The base theme which all other themes extend contains a configuration for what fields are shown on the registration form. We can add additional fields to this configuration. The theme configuration for the account management page in the keycloak dashboard has to be updated so it can now display the new fields. Detailed info about the additional configuration can be found here Ease of implementation: 1/5
How would adding custom sign up validators work?
- Keycloak has a set of authentication flows defined. Ex. Registration is an authentication flow which consists of a series of actions(Registration User Creation, Password Validation etc...). To create custom signup validators, i would have to create a new Authentication flow which would be a copy of the original Registration flow(Can be easily done through the dashboard) and add a custom action to the new flow. To create the custom action requires you to write Java code that implments some keycloak interfaces where you define you custom validation. You need to then build this into a JAR file and add it to a specific directory in your keycloak installation. Ease of implementation: 1/5
Changing password validation(or some similar feature) for sign up does this get propagated to other places(Signin, password reset)
Changing the password validation in one flow will not affect another flow. If one wants these changes to propagate to other custom flows we would need to create the custom action(password validation in this case) and use it in place of the default action in all Authentication flows
If someone wants to tweak the sign up / sign in APIs, how can they do that?
How do we do things like handle sign up success?
- It's possible to do so but this would involve similar steps to adding custom validation. In keycloak Registration flow is comprised of a series of actions as mentioned above. You can create a copy of actions in the base registration flow, modify the User Creation action and apply the action to the Registration flow. Similarly an additional action can be created to take place after user registration. Ease of implementation: 1/5
How to implement revoking a user's session functionality?
- The user's session can be revoked by calling the keycloak logout menthod on the frontend. This will clear the auth cookies on the browser and invalidate the refresh token. On the backend a all user sessions can be revoked using the user id, a single user session can be revoked using a session id can be revoked or all users can be logged out. Ease of implementation: 5/5
What if you want to embed the sign up / in page into your website UI (As opposed to opening a new tab..). Is that possible?
- Haven't found information about people embedding keycloak into their webpage. What some people have suggested is using their own project login ui and calling keycloak's authorization/authentication apis as mentioned in this comment. This method has difficulties in implementing the OTP and social login features though.
If one needs to do something like paginating across all users in the app in their API, how can they do that?
- Keycloaks backend admin client for node allows you to query information about users. Information can be retrieved with multiple filters including realm, email, first(id of the user), max (number of users to return), etc.. The issue is the lack of documentation regarding the library. There is in-depth information/ descriptions about the API spec so it's annoying to figure out the what are the inputs to the attribues. 3/5
Keycloak allows for pagination and has an api that you can use to query for paginated user data. It takes to query parameters, first and max. first is the element id and max is the number of elements to return. More info can be found here
Social account consolidation?
For social account consolidation, how does changing the email work.
How does changing the email for social providers work?
Testing social account consolidation:
- Setup social login with Google and Facebook
- logged in with google and then Facebook with the same email address
- when logging in with Facebook a pop-up appears saying that an account with this email already exists
- it gives you options to revise account details and merge accounts.
- when reviewing account details you can change the username, email id, first name, and last name.
- If you set a new username and email id it will now create a new account associated with that identity provider
- If you decide to merge accounts, now when logging in via either the Google or Facebook account we now get the same account
Will their solution work with serverless env like in nextjs or netlify?
Keycloak has no native support for react and ssr, there is a third party library which uses the javascript client adapter and allows for ssr. Used the third party library, There is almost no documentation, had to set it up using the example provided in the github repo.
How would one go about exposing their keycloak instance to the internet and securing that? Some person had said they required to use some oauth proxy or something which made it complex.. not sure.
You can expose keycloak to the internet and secure it using a reverse proxy. Ive seen people using Apache and NGINX to reverse proxy to keycloak. The tutorial I checked for using NGINX with keycloak had no mention of using an oauth proxy.
Setting up for the two use cases of multi tenancy?
Keycloak supports the first case of multi-tenancy one login with multiple subdomains. Each tenant will be assigned its own realm and during authentication you can decide how to redirect the user. An example of a keycloak multi tenant app can be found here. I havent seen implementations of the second case of having one login per subdomain. There are some issues with this above method as if your single keycloak instance has more than 100 realms then it starts having instability issues(taking more time to respond to requests) and having more than 400 realms can cause keycloak to become unresponsive and crash.
sharing session across sub domains
Test sharing across subdomains:
- set a.example.com and b.example.com to point to localhost in /etc/hosts
- Logged into a.example.com
- changed URL to b.example.com
- There is a redirect to the keycloak auth server but the user is automatically logged in.
What are the supported databases?
- Oracle Database
- Microsoft SQL Server Database
- MySQL Database
- PostgreSQL Database
Documentation review
- The Keycloak quickstart is quick and easy to follow but that just involves setting up and configuring the keycloak server, for actually configuring keycloak in your app you will have to follow the main documentation. The main documentation really overwhelming to go through with a lot of configuration options mentioned, also the documentation for client adapters is minimal, for example, the nodejs admin client adapter has no documentation on the official documentation page and the readme for the library on github gives minimum information
Email verification with Social providers, how does it work
- When email verification is enabled in the dashboard, when a user signs in/registers with a social provider they get redirected to a page that prompts the user to check their mail and clink on the link.
- I set up google as a social provider and tested the flow, on signing in it sent an email to my gmail account with a verification link.
Revoke session between your frontend and backend, how does it work
logout function on the front-end will invalidate the refresh session token for authentication with the back end. On the backend the admin library can be used to revoke sessions
User has multiple sessions, only want to revoke a couple of them, how does that work
- on the backend the admin library can revoke sessions using a session id, you can retrieve all the session information belonging to a user and revoke the required session
How does load balancing work in keycloak with multiple instances
- Keycloak has a built-in load balancer that acts as a reverse proxy between the keycloak instances. It uses the master-slave concept with you setting up one keycloak instance as the master which contains the main configuration and slave instances that inherit the configuration from the master instance. You need to first create a user which has a realm management role, then run the start-up script with the user credentials and the master flag, for the slave instances run the startup script with the user credentials and the slave flag.
if you want to add a password strength meter to registration, how does it work
I haven't seen any implementation of changing GUI in the login screen, the only things I've seen people do is write hooks that would display a custom message when input was given to a form field.
How does Keycloak Database sharding work?
They do not mention database sharding in their docs. I found one person online asking about database sharding in keycloak but there were no answers.
User pagination use API, what is the output, if user is using social login, what is the output, what is the user object returned.
social login user
{"id":"b49669d0-b88e-40c7-a546-241edf83b0ff","createdTimestamp":1615291348730,"username":"johnDoe@gmail.com","enabled":true,"totp":false,"emailVerified":true,"firstName":"john","lastName":"Doe","email":"johndoe@gmail.com","disableableCredentialTypes":[],"requiredActions":[],"notBefore":0,"access":{"manageGroupMembership":true,"view":true,"mapRoles":true,"impersonate":true,"manage":true}}
email password user
{"id":"7b772aff-b118-417f-a8f5-448f2689f2a1","createdTimestamp":1615208135285,"username":"johnDoe","enabled":true,"totp":false,"emailVerified":true,"firstName":"John","lastName":"Doe","email":"johnDoe@gmail.com","disableableCredentialTypes":[],"requiredActions":[],"notBefore":0,"access":{"manageGroupMembership":true,"view":true,"mapRoles":true,"impersonate":true,"manage":true}}
If a session expires is there a pop-up? does the user have to handle it?
There is no session expires pop up when the frontend access token expires the frontend has to refresh the session.
RBAC, check properly, how to get the role of the user within the API for custom logic for both frontend and backend.
- Create roles and assign them to users(easily done through the dashboard)
Frontend
- On your front end after authentication happens store(up to the user to decide where to store it) the access token retrieved from the keycloak object.
- create an axios interceptor to add the access token to the Authorization header for requests to the backend.
Backend
- Initialize keycloak on the backend(one of the recommended methods for setup was not working at all, had to manually setup the config)
- you can protect your routes by adding keycloak.protect("role") as a middleware to the route
What are the differences between keycloak realm roles and client roles?
Keycloaks roles can be created as a realm role which is the global namespace and client roles that are specific to the application.
implementation with ssr
Using the @react-keycloak/ssr to setup a nextjs app with keycloak. I Flow Click on the login button, redirects you the keycloak login page enter account credentials On redirection the ssr library will set the access token cookies in the browser Refresh tokens seem to automatically refreshed kcToken decoded payload:
{ "exp": 1617188790, "iat": 1617188490, "auth_time": 1617187986, "jti": "fedd20ef-ce34-43bc-bea2-e3ab005e149a", "iss": "http://localhost:8080/auth/realms/Keycloak-Demo", "aud": "account", "sub": "f78d9978-8f96-40f3-9e48-57e481ca64ae", "typ": "Bearer", "azp": "nextjs-frontend", "nonce": "ffadcd8a-27bd-4ba2-8d62-14eea49981de", "session_state": "eabd12a8-7529-4a66-b908-4eaddae71658", "acr": "0", "allowed-origins": [ "*" ], "realm_access": { "roles": [ "offline_access", "admin", "uma_authorization", "user" ] }, "resource_access": { "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] } }, "scope": "openid profile email", "email_verified": false, "name": "johndoe", "preferred_username": "johndoe@gmail.com", "given_name": "john", "family_name": "Doe", "email": "johnDoe@gmail.com" }
kcIdToken decoded payload:
{ "exp": 1617188790, "iat": 1617188490, "auth_time": 1617187986, "jti": "42e254cc-f7ea-4572-87d3-20b11f42c2c7", "iss": "http://localhost:8080/auth/realms/Keycloak-Demo", "aud": "nextjs-frontend", "sub": "f78d9978-8f96-40f3-9e48-57e481ca64ae", "typ": "ID", "azp": "nextjs-frontend", "nonce": "ffadcd8a-27bd-4ba2-8d62-14eea49981de", "session_state": "eabd12a8-7529-4a66-b908-4eaddae71658", "at_hash": "uxVNHLsPyX-8Zem6_s7OAg", "acr": "0", "email_verified": false, "name": "johnDoe", "preferred_username": "johnDoe@gmail.com", "given_name": "john", "family_name": "Doe", "email": "johnDoe@gmail.com" }
How to set roles for a user on the backend and how to set multiple roles for a user.
- The keycloak admin node library gives you access to functions that allow you to perform the same actions as if you were using the dashboard. This includes creating roles and assigning them to users. A role can be set/updated for a user using the users.update command from the keycloakAdmin object that allows you to update the users profile including adding additional roles, updating the profile(first name/last name), etc...
Is there a mechanism for protecting routes (similar to the supertokens auth wrapper). How easy is it to protect multiple pages and what does the code look like?
- Keycloaks javascript adapter is genric and is to be used with any javascript framework(react, angular, pure javascript...) so there is no native support or react built in, like no react components. I followed along a tutorial that used the javascript adapter to make components to secure routes, automatically refresh sessions, and redirect to the auth page on session expiry. The tutorial isnt very hard to follow, the only issue is that there is no other of this method and no documentation mentions how to do it this way. 2/5
Keycloak mobile implementation, IOS and Android
- Keycloak doesn't have native client adapters for IOS and Android. In their documentation, they mention support for android and ios through app auth, an sdk for communicating with OpenID Connect and OAuth 2.0 providers. The issue is that there is almost no proper documentation for how to implement keycloak with app auth.
email verification not switched on, the user signs up and in and doesn't have to verify, later on, verification is turned on later, on signing in now is the user prompted to verify the email?
Yes, the user is prompter to verify the email. One possible issue is that now if email verification is turned off then the user is still prompted to verify his email every time he tries to log in. This is because as soon email verification was turned on, "verify email" was assigned to the user as a "required action" (ex. Update Profile, Terms and Conditions, Configure OTP, etc...), When email verification was turned off "verify email" "required action" was not removed from the user.
Email is not verified but password reset is done, does that verify email?
When email verification is turned off resetting your password does not verify the email. When email verification is turned on and you click on the password reset link, it redirects you to the email verification screen. On clicking the email verification link you continue with the password reset flow and are able to reset your password.
Community (mainly for nextjs)
Keyclokas main focus seems to be centered around java enterprise applications. Most of the documentation is focused on configuring keycloak and support for java ee apps. The official document support for other language adapters is limited and for certain tech stacks, you have to rely on community integration, like the ssr keycloak library. The problem that I encountered is that there is not a large enough community using keycloak as an auth solution for their nextjs app so finding support for some of the questions I had was almost impossible due to limited questions from being asked on forums, a nonengaging Reddit community and there no discord communities which specifically discuss keycloak ssr.
How well do they support various platforms and SDKs?
Good support( Complete Documentation, examples, active community) Java: JBoss EAP, WildFly, Fuse, Tomcat, Jetty 9, Servlet Filter, Spring Boot, Spring Security JavaScript (client-side): JavaScript Node.js (server-side): node adapter
No keycloak sdks(used as a generic OIDC provider) C#: OWIN (community) Python: oidc (generic) Android: AppAuth (generic) iOS: AppAuth (generic) Apache HTTP Server: mod_auth_openidc
The documentation for the node management API's was very lacking.
What are features that they provide that we don't?
Dashboard for managing your app
Keycloaks dashboard is extensive, allowing customization for most of the aspects of the app Users can be created, roles and user groups can be created and assigned, Social Providers can be added
Role-based access control.
Required actions: ability to assign actions like Update Profile, Terms and Conditions, Configure OTP, etc to users whenever they log in.
More supported Social Providers.
2-factor auth
User Federation
Support for LDAP and Active Directory
How does keycloak allow users to use pre-populated databases with userinfo.(callbacks for api's, transactions?)
- Keycloak provides a userStorage SPI which allows you to connect to a custom database with user data.
- T hese contain functions for querying users, verifying credentials etc.
- After writing and building the module it needs to be added to your keycloak install.
- In the keycloak dashboard you will have to add the new auth flow
How to disallow sign up and only have sign in?
The Dashboard provides an option to disable sign ups.
Does it provide Email OTP as a feature?
There is no Email OTP feature, OTP in keycloak uses password generators like google authenticator and is used for 2fa with something like a mobile device
Can a user be re-authenticated when visiting a protected route?
This doesn't seem to be a feature keycloak offers in its sdk and it seems to be up to the user to implement. Their docs mention the setting a param in the initial auth request to always show the login page even if the user is authenticated, but they also say that this currently doesnt work,
What is Keycloak Gatekeeper?
They seemed to have removed all docs about Gatekeeper. Originally as mentioned in this forum post the docs described Keycloak Gatekeeper to be the go lang adapter but it is actually an authentication proxy to be used when your app/lib doesn’t support grant code flow, but it is able to read user identity from request headers. This was a community project which seems to be deprecated
Changing Email for social provider, how it works
Keycloak doesn't provide a flow for changing emails. They do provide an endpoint for updating emails in their management API. The users in this forum post mention issues implementing an email update flow
Can you make the provider's frontend talk to your API instead of theirs? And then your APIs talk to their API.
Keycloak allows you to completely customize the login widget and auth flows so it should be possible to make this change, I haven't seen anyone in the community ask for this feature though or implement it.
jscyo
Questions