Open rishabhpoddar opened 3 years ago
Setting up the keycloak server through the getting started guide is quick.
The next parts of the guide go into granular detail of server installation, which is very overwhelming. It mentions multiple ways to start up the server, mentioning multiple “operating modes” to run it, clustering, database and network setup and downloading additional tools for more configuration…
It was easier to google for a third party tutorial showing how to set it up for my particular tech stack which was node and react.
I could then log into the keycloak dashboard and start configuring my app.
Total time taken for configuration was about 10 mins. This includes setting up the realm, with sign in/sign up and email verification.
There are a lot of customizations available and it was a lot to take in and go through...
Setting up an email for email verification and password reset requires you to set up smtp mail. No in-built or out-of-the-box solution.
Setting up Social Providers seems simple; for setting up Google, I had to put in the client ID and client secret, plus some configuration so it could work on my local setup, but had no other issues with social login.
Set up keycloak in the react app according to the tutorial. Seems easy with minimum configs, as most configuration is done in the dashboard.
Flow for setting up Google and Facebook:
The dashboard has extensive customization options (setting a custom login flow, setting scopes etc..)
Keycloak is not able to send emails by default but requires you to use an SMTP mail server.
Flow for setup using zoho mail:
Changing the password validation in one flow will not affect another flow. If one wants these changes to propagate to other custom flows, we would need to create the custom action (password validation in this case) and use it in place of the default action in all Authentication flows.
Keycloak allows for pagination and has an API that you can use to query for paginated user data. It takes two query parameters, first and max. first is the element id and max is the number of elements to return. More info can be found here
Testing social account consolidation:
Keycloak has no native support for react and ssr; there is a third party library which uses the javascript client adapter and allows for ssr. I used the third party library. There is almost no documentation, so I had to set it up using the example provided in the github repo.
You can expose keycloak to the internet and secure it using a reverse proxy. I've seen people using Apache and NGINX to reverse proxy to keycloak. The tutorial I checked for using NGINX with keycloak had no mention of using an oauth proxy.
Keycloak supports the first case of multi-tenancy, one login with multiple subdomains. Each tenant will be assigned its own realm and during authentication you can decide how to redirect the user. An example of a keycloak multi tenant app can be found here. I haven't seen implementations of the second case of having one login per subdomain. There are some issues with this above method: if your single keycloak instance has more than 100 realms then it starts having instability issues (taking more time to respond to requests) and having more than 400 realms can cause keycloak to become unresponsive and crash.
Test sharing across subdomains:
The logout function on the front-end will invalidate the refresh session token for authentication with the back end. On the backend the admin library can be used to revoke sessions.
I haven't seen any implementation of changing GUI in the login screen, the only things I've seen people do is write hooks that would display a custom message when input was given to a form field.
They do not mention database sharding in their docs. I found one person online asking about database sharding in keycloak but there were no answers.
social login user
{"id":"b49669d0-b88e-40c7-a546-241edf83b0ff","createdTimestamp":1615291348730,"username":"johnDoe@gmail.com","enabled":true,"totp":false,"emailVerified":true,"firstName":"john","lastName":"Doe","email":"johndoe@gmail.com","disableableCredentialTypes":[],"requiredActions":[],"notBefore":0,"access":{"manageGroupMembership":true,"view":true,"mapRoles":true,"impersonate":true,"manage":true}}
email password user
{"id":"7b772aff-b118-417f-a8f5-448f2689f2a1","createdTimestamp":1615208135285,"username":"johnDoe","enabled":true,"totp":false,"emailVerified":true,"firstName":"John","lastName":"Doe","email":"johnDoe@gmail.com","disableableCredentialTypes":[],"requiredActions":[],"notBefore":0,"access":{"manageGroupMembership":true,"view":true,"mapRoles":true,"impersonate":true,"manage":true}}
There is no session expired pop up; when the frontend access token expires the frontend has to refresh the session.
Frontend
Backend
Keycloak's roles can be created as a realm role, which is the global namespace, or as client roles, which are specific to the application.
Using @react-keycloak/ssr to set up a nextjs app with keycloak. Flow: click on the login button, which redirects you to the keycloak login page; enter account credentials. On redirection the ssr library will set the access token cookies in the browser. Refresh tokens seem to be automatically refreshed.
kcToken decoded payload:
{ "exp": 1617188790, "iat": 1617188490, "auth_time": 1617187986, "jti": "fedd20ef-ce34-43bc-bea2-e3ab005e149a", "iss": "http://localhost:8080/auth/realms/Keycloak-Demo", "aud": "account", "sub": "f78d9978-8f96-40f3-9e48-57e481ca64ae", "typ": "Bearer", "azp": "nextjs-frontend", "nonce": "ffadcd8a-27bd-4ba2-8d62-14eea49981de", "session_state": "eabd12a8-7529-4a66-b908-4eaddae71658", "acr": "0", "allowed-origins": [ "*" ], "realm_access": { "roles": [ "offline_access", "admin", "uma_authorization", "user" ] }, "resource_access": { "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] } }, "scope": "openid profile email", "email_verified": false, "name": "johndoe", "preferred_username": "johndoe@gmail.com", "given_name": "john", "family_name": "Doe", "email": "johnDoe@gmail.com" }
kcIdToken decoded payload:
{ "exp": 1617188790, "iat": 1617188490, "auth_time": 1617187986, "jti": "42e254cc-f7ea-4572-87d3-20b11f42c2c7", "iss": "http://localhost:8080/auth/realms/Keycloak-Demo", "aud": "nextjs-frontend", "sub": "f78d9978-8f96-40f3-9e48-57e481ca64ae", "typ": "ID", "azp": "nextjs-frontend", "nonce": "ffadcd8a-27bd-4ba2-8d62-14eea49981de", "session_state": "eabd12a8-7529-4a66-b908-4eaddae71658", "at_hash": "uxVNHLsPyX-8Zem6_s7OAg", "acr": "0", "email_verified": false, "name": "johnDoe", "preferred_username": "johnDoe@gmail.com", "given_name": "john", "family_name": "Doe", "email": "johnDoe@gmail.com" }
Yes, the user is prompted to verify the email. One possible issue is that now if email verification is turned off then the user is still prompted to verify his email every time he tries to log in. This is because as soon as email verification was turned on, "verify email" was assigned to the user as a "required action" (ex. Update Profile, Terms and Conditions, Configure OTP, etc...). When email verification was turned off, the "verify email" "required action" was not removed from the user.
When email verification is turned off resetting your password does not verify the email. When email verification is turned on and you click on the password reset link, it redirects you to the email verification screen. On clicking the email verification link you continue with the password reset flow and are able to reset your password.
Keycloak's main focus seems to be centered around java enterprise applications. Most of the documentation is focused on configuring keycloak and support for java ee apps. The official documentation support for other language adapters is limited and for certain tech stacks you have to rely on community integrations, like the ssr keycloak library. The problem that I encountered is that there is not a large enough community using keycloak as an auth solution for their nextjs app, so finding support for some of the questions I had was almost impossible due to limited questions being asked on forums, a non-engaging Reddit community and no discord communities which specifically discuss keycloak ssr.
Good support (complete documentation, examples, active community):
Java: JBoss EAP, WildFly, Fuse, Tomcat, Jetty 9, Servlet Filter, Spring Boot, Spring Security
JavaScript (client-side): JavaScript
Node.js (server-side): node adapter
No keycloak sdks (used as a generic OIDC provider):
C#: OWIN (community)
Python: oidc (generic)
Android: AppAuth (generic)
iOS: AppAuth (generic)
Apache HTTP Server: mod_auth_openidc
The documentation for the node management APIs was very lacking.
Dashboard for managing your app
Keycloak's dashboard is extensive, allowing customization for most of the aspects of the app. Users can be created, roles and user groups can be created and assigned, Social Providers can be added.
Role-based access control.
Required actions: ability to assign actions like Update Profile, Terms and Conditions, Configure OTP, etc to users whenever they log in.
More supported Social Providers.
2-factor auth
User Federation
Support for LDAP and Active Directory
The Dashboard provides an option to disable sign ups.
There is no Email OTP feature; OTP in keycloak uses one-time password generators like google authenticator and is used for 2fa with something like a mobile device.
This doesn't seem to be a feature keycloak offers in its sdk and it seems to be up to the user to implement. Their docs mention setting a param in the initial auth request to always show the login page even if the user is authenticated, but they also say that this currently doesn't work.
They seem to have removed all docs about Gatekeeper. Originally, as mentioned in this forum post, the docs described Keycloak Gatekeeper as the Go adapter, but it is actually an authentication proxy to be used when your app/lib doesn't support grant code flow but is able to read user identity from request headers. This was a community project which seems to be deprecated.
Keycloak doesn't provide a flow for changing emails. They do provide an endpoint for updating emails in their management API. The users in this forum post mention issues implementing an email update flow.
Keycloak allows you to completely customize the login widget and auth flows, so it should be possible to make this change. I haven't seen anyone in the community ask for this feature though, or implement it.
Questions
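The kcToken / kcIdToken payloads quoted in the post differ in `typ` and `aud`, and roles sit in `realm_access` (realm roles) versus `resource_access[<client>]` (client roles). As an added example that is not code from the issue, from @react-keycloak/ssr or from Keycloak, the following shows the claim checks a Next.js API route would run on the access token cookie before using its roles; the issuer and client id are taken from the sample tokens above, the tokens themselves are constructed here, and only the decoded payload is checked (a deployment must additionally verify the RS256 signature against the realm's JWKS).

```javascript
// Added example (not from the issue, @react-keycloak/ssr or Keycloak).
const REALM_ISSUER = 'http://localhost:8080/auth/realms/Keycloak-Demo'; // iss from the issue's sample tokens
const CLIENT_ID = 'nextjs-frontend';                                      // azp from the issue's sample tokens

// Decode the payload segment of a compact JWS without verifying it.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Accept only a Keycloak *access* token issued to this client, and return the
// realm and client roles a backend would base authorization decisions on.
function checkAccessToken(jwt, now = Math.floor(Date.now() / 1000)) {
  const p = decodePayload(jwt);
  if (p.iss !== REALM_ISSUER) return { ok: false, reason: 'wrong issuer' };
  // kcIdToken has typ "ID" and aud = client id: it proves login, it is not an API credential.
  if (p.typ !== 'Bearer') return { ok: false, reason: 'not an access token' };
  if (p.azp !== CLIENT_ID) return { ok: false, reason: 'issued to another client' };
  if (typeof p.exp !== 'number' || p.exp <= now) return { ok: false, reason: 'expired' };
  // Realm roles are the global namespace; client roles are keyed by client id.
  // The sample token only carries client roles for the built-in "account" client.
  const realmRoles = (p.realm_access && p.realm_access.roles) || [];
  const ra = p.resource_access && p.resource_access[CLIENT_ID];
  const clientRoles = (ra && ra.roles) || [];
  return { ok: true, sub: p.sub, realmRoles, clientRoles };
}

// Constructed, unsigned sample tokens mirroring the payloads quoted in the issue
// (the signature segment is a dummy, since this example does not verify it).
function makeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.c2ln`;
}
const SUB = 'f78d9978-8f96-40f3-9e48-57e481ca64ae';
const SAMPLE_ACCESS = makeToken({
  exp: 1617188790, iat: 1617188490, iss: REALM_ISSUER, aud: 'account', sub: SUB, typ: 'Bearer', azp: CLIENT_ID,
  realm_access: { roles: ['offline_access', 'admin', 'uma_authorization', 'user'] },
  resource_access: { account: { roles: ['manage-account', 'manage-account-links', 'view-profile'] } },
});
const SAMPLE_ID = makeToken({
  exp: 1617188790, iat: 1617188490, iss: REALM_ISSUER, aud: CLIENT_ID, sub: SUB, typ: 'ID', azp: CLIENT_ID,
});
```

Note that the access token's `aud` is `account` unless an audience mapper is added to the client, which is why the check above keys on `azp` rather than `aud`.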