A 25-day review and future efforts for NRI OpenStandia's Keycloak

Twenty-five days have passed in no time. Everyone, did you enjoy the article on Keycloak by OpenStandia? Today, I would like to briefly review the 25-day article, give a brief introduction to the actual project, and write what NRI OpenStandia is trying to do in the future.

How long have you been paying attention to Keycloak?

When I checked the email I had when writing today's article, I received this email from my boss in August 2015.

Subject: JBoss Keycloak Date: Thu, 27 Aug 2015 13:47:12 +0900 This is an introduction video of JBoss Keycloak that I was talking about before lunch. Maybe it's better than XXXXXX? (Although my knowledge has not advanced from XXXXXXXXXXX.) https://www.youtube.com/watch?v=5MQoJZKXM_s

It was about two and a half years ago. At that time, I was overwhelmed by a customer's ID management project, and unfortunately I don't remember if I saw the above video, but when I think about it now, my boss was truly a visionary owner. (By no means, I'm not selling amusement). In addition, at NRI, in fact, there is a unit that has been verifying since the era of PicketLink, which is an advance of Keycloak, and some PicketLink libraries are currently operating on a certain application server in the company.

By the way, the two projects Keycloak and PicketLink have been merged into the current Keycloak project. The situation around that is described on the following page. http://blog.keycloak.org/2015/03/picketlink-and-keycloak-projects-are.html

In writing the Advent Calendar

As mentioned above, I've been verifying Keycloak in detail for a few years, but it was a mode that was just in detail. Meanwhile, the situation of our company has changed a little recently, and it has become a mode to firmly disseminate information to the outside (I think that we, the OpenStandia team unit, will also actively disseminate information outside the company, please look forward to it. .). Meanwhile, I decided to write an Advent Calendar this time based on the idea of an OpenStandia member. In the actual writing, early people started writing preparations from around November and completed writing early, and late people started writing until just before the release date, and so on. Please forgive the feeling of variation, as some people wrote it with a rather hard feeling and some people wrote it loosely.

Looking back on the 25-day article

Let's take a quick look back at the 25-day article.

date A brief look back
12/1 I@Since daian183 was the first, I briefly introduced Keycloak.
12/2 @tamura__I described how to set up Keycloak from 246.
12/3,4 here,@tamura__246、@katakura__We linked using OIDC and SAML, which are often used as standard protocols from pro. The target application is also one that seems to be used often such as Spring Boot and WordPress, so if you need to connect, please refer to the article by all means.
12/5,6 @yagiaoskywalker、@mamomamo has provided an example of how you can easily protect your application using Keycloak's client adapter. I think one of the features of Keycloak is that a wide variety of client adapters are available.
12/7,8 Here, assuming a situation where it is necessary to build a reverse proxy configuration instead of a client adapter,@Written by yagiao skywalker. I think there are many other requirements that the application side wants to be as loosely coupled as possible and easily connected to the SSO platform.
12/9,10 @We asked masuo3 to explain the overall functions of the management console. I've seen some SSO product management consoles, but I got the impression that they are very sophisticated, probably because they are latecomers.
12/11 Change the route a little here@wadahiro explained the technology behind the Keycloak translation project. I think it will be very helpful for those who are thinking about OSS translation projects. Currently, it is the top number of likes on this Advent Calendar.
12/12 Here is how to set the one-time password function in Keycloak@naokiiiii explained. It is very easy and flexible to handle one-time passwords.
12/13,14,15 Here, LDAP authentication pattern, integrated Windows authentication pattern, and SNS authentication cooperation pattern that is often seen in recent apps are used as patterns that are not standard data stores.@izey0306、@yagiaoskywalker、@tamura__Described in 246. I think it is a function that is often used in enterprises and recent Internet sites.
12/16 How to build a redundant configuration that will definitely be required in production operation@yoonis explained. Please refer to it especially when building a redundant configuration with AWS EC2.
12/17,18 @OIDC from rawr/Described the single sign-on pattern by OAuth. The cute picture is characteristic, but the contents are readable.
12/19 What happens when you use Keycloak for API authorization, which has become a hot topic in many places these days?@Written by rawr. It is a combination configuration with Kong of API Gateway of OSS.
12/20 Hitachi@Mr. tnorimat appeared and wrote an article about the points and know-how that he noticed when making Keycloak compatible with PKCE. The content is very deep, but please read it.
12/21 An article about running Keycloak on the recently introduced AWS Fargate@Written by wadahiro. I often see articles running Keycloak on Docker, but I think it's the first (probably?) Article running on AWS Fargate.
12/22,23,24 Keycloak's customization point series followed. Customize points organized:@yoonis, risk-based authentication support:@naokiiiii, passwordless support:@rkato. Being able to customize is one of the strengths of OSS.
12/25 It will be this article.@Written by daian183.

We hope that you will find useful information for each article and use it.

Cases that actually use Keycloak

Here, we will briefly introduce what kind of projects we actually receive from our customers.

Project example 1

Simply put, it is a project to change the authentication infrastructure configuration (OpenAM → Keycloak switching) due to infrastructure renewal. The reasons for adopting Keycloak were (1) there were no requirements for advanced authentication / authorization, (2) it was easy to configure without LDAP, and (3) it was easy to realize Immutable Infrastructure. As I introduced in the article on the first day, @wadahiro announced it at an external seminar, so please take a look. (Unfortunately, the video has been cut off in a little over 10 minutes due to the equipment.)

https://secureoss-sig.connpass.com/event/69314/presentation/ WS000047.JPG

Project case 2

I think that there are many customers, especially corporate users, who want to realize integrated Windows authentication by utilizing Kerberos authentication of Active Directory. This project also had such a requirement. At the same time, cloud computing and office 365 utilization are progressing, and the forest configuration is likely to change. Since Keycloak can be customized, we are trying to meet the customer's request by customizing the part that does not meet the requirements and adding functions.

What scenes can Keycloak be used in the future?

I think that various SSO products currently exist in the company for the purpose of converting the authentication of multiple applications in the company to SSO. SSO is premised on access from within the company, and I think this is a world that will continue to exist despite infrastructure renewals. On the other hand, in recent years, with the tailwind of work style reforms, the trend of creating an environment where people can work anytime, anywhere, from any device is becoming stronger, and access from outside the company is also strongly required.

図3.png

Microsoft is developing a total solution that combines on-premise AD and cloud Azure AD, and I think that it is definitely the leading vendor in this field. Besides Microsoft, there are many vendors that offer total IDaaS services. While I think it's best to utilize the parts that can utilize such services, I think that there are always situations where customer requirements vary and customization is required (for example, individual authentication requirements). Or seamless integration with existing in-house SSO). I'm wondering if Keycloak, which is open source and can be customized freely, can be used in such a place. As I introduced on the first day, unfortunately OpenAM is closed and you can no longer see the source code. I think Keycloak is a valuable presence that provides a place for open, community-based activities, so I would like to make everyone excited.

We will continue to provide information on Qiita on a regular basis.

I think that the transmission of Keycloak itself is still insufficient, and I would like to continue to disseminate information on the above-mentioned usage scenes in the future. We will close the 2017 Advent Calendar here, but we look forward to your continued support!

About NRI Open Standia

OpenStandia is a general term for enterprise support and services for open source software provided by Nomura Research Institute (NRI). We offer various support and service menus to solve the problems of using open source software and let you feel the benefits of open source software that you bring to your company.

** OpenStandia official website here **

Recommended Posts

A 25-day review and future efforts for NRI OpenStandia's Keycloak
A review note for the class java.util.Scanner
A review note for the class java.util.Optional
A review note for the class java.util.Objects
A simple and convenient method for HashMap
A review note for the package java.time.temporal