Today's Deep-Dive: Keycloak
Ep. 145

Episode description

This episode focuses on the necessity of logging in to various online services and introduces Keycloak, a tool that simplifies user authentication and management for developers. Keycloak is an open-source solution that streamlines the process of handling logins, permissions, and security, allowing developers to concentrate on their app’s unique features. A significant feature of Keycloak is single sign-on (SSO), which enables users to log in once and access multiple applications without repeatedly entering passwords, enhancing security. Keycloak also facilitates social logins by acting as a central hub, allowing developers to integrate various social media accounts easily.

Additionally, Keycloak supports identity brokering, letting users from partner organizations access resources without creating new accounts. It has a user federation feature that syncs with existing user directories, saving time and reducing errors. Administrators manage everything through an admin console, while users have self-service options via an account management console. Keycloak employs industry-standard protocols like OpenID Connect and SAML 2.0 for compatibility and security. Lastly, it provides detailed authorization policies, enabling granular control over user permissions, making it a vital tool for enhancing security and efficiency in online services.

0:00

Okay, so you ever notice how pretty much every app

0:02

on your phone wants you to log in?

0:05

Like websites too, right?

0:06

Yeah, for sure.

0:07

Seems like it's just become this basic part

0:09

of using any online service.

0:12

Yeah, they need to know who you are

0:13

and what you're actually allowed to do

0:15

on their platform, right?

0:17

Right, and so today we're going deep

0:19

on how all that works behind the scenes.

0:21

Sounds good.

0:22

We're gonna be looking at a really cool tool

0:23

called Keycloak.

0:25

Okay, cool.

0:25

It basically makes this whole process

0:27

way easier for developers and by extension,

0:31

much safer for everyone.

0:32

Yeah, absolutely.

0:34

Security and like user management,

0:36

those are really complex topics.

0:38

Oh, totally.

0:39

Especially if you're building

0:40

an application from scratch.

0:41

Right.

0:42

Keycloak really helps this.

0:43

It's an open source solution that takes care

0:45

of like all the core tasks of handling logins

0:48

and permissions.

0:49

Oh, that's awesome.

0:51

And I wanna take a second to thank Safe Server

0:52

for supporting this deep dive.

0:54

They're all about supporting this kind

0:55

of important software and really empowering you

0:58

with digital sovereignty.

0:59

For sure.

1:00

You can find out more about them at www.safeserver.de.

1:05

Definitely check them out.

1:06

So yeah, with Keycloak, developers,

1:07

they can actually focus on the unique features

1:09

that make their app special.

1:11

Right, because they don't have to worry

1:12

about reinventing the wheel when it comes to security.

1:16

Yeah.

1:17

Which is a good thing.

1:18

Exactly, it's a huge win for everyone involved.

1:20

Okay, so let's say I'm using a bunch

1:22

of different online accounts.

1:23

My email, a project management tool,

1:26

a community forum, and I'm sure I'm missing a couple.

1:30

Yeah, probably a few.

1:31

Usually each of those needs its own username and password.

1:34

Aye, yeah, that can get a bit overwhelming

1:36

keeping track of all of them.

1:38

It's a nightmare.

1:39

So Keycloak offers something called single sign-on,

1:43

or SSO, what's that all about?

1:45

So SSO with Keycloak is kind of like having this master key.

1:49

Yeah.

1:50

You just log in once to Keycloak,

1:51

and then you can access all these other

1:52

connected applications without having to type

1:55

in your password every single time.

1:56

So I unlock the main Keycloak door,

1:59

and all the other apps just kind of know it's me.

2:01

Yeah, you got it.

2:02

It happens in the background.

2:03

You don't even see it.

2:04

Oh yeah, that's so convenient.

2:05

Right, and it's more secure too.

2:07

You're actually reducing the chances

2:08

of your password getting compromised

2:09

because you're not typing it in everywhere.

2:11

That's true.

2:12

Out of sight, out of mind, I guess.

2:15

So what about when I see those sign in with Google

2:19

or connect with Facebook buttons?

2:21

Oh yeah, those are everywhere now.

2:23

Keycloak helps with that too, right?

2:24

It does.

2:25

It makes adding those social login options

2:28

way easier for developers.

2:30

How so?

2:31

So instead of each app having to build

2:33

separate connections to Google, Facebook, Twitter,

2:36

you know, all of them.

2:37

Right.

2:38

Keycloak just acts as this central hub.

2:41

Okay, that makes sense.

2:42

So through Keycloak's admin console,

2:44

you just configure which social logins

2:45

you want to enable, and that's it.

2:47

So the developers don't have to write a bunch of code

2:49

to deal with each individual social network.

2:51

Exactly, it's way simpler.

2:53

Keycloak handles all the complexities for them.

2:55

So it's like Keycloak speaks all these different

2:57

social media languages for the app.

3:00

Yeah, that's a really good way to put it.

3:02

That seems like a huge time saver.

3:03

It is, and it's not limited to just social logins either.

3:08

Keycloak can also connect to existing identity systems

3:11

that companies might already be using.

3:13

You mean like internal company accounts

3:15

and things like that?

3:16

Exactly, like if they're using something

3:17

like OpenID Connect or SAML 2.0,

3:21

it acts like a translator for different digital identities

3:24

so everyone can understand each other.

3:26

Gotcha, and what's that called?

3:27

That's called identity brokering.

3:29

Imagine a company partners with another organization.

3:33

Their employees, they need to access specific resources

3:37

in your app, right?

3:38

Makes sense.

3:39

Well, with Keycloak, you don't have to create

3:41

separate accounts for all those new users.

3:43

Keycloak can just broker their existing identities

3:46

so it's all seamless.

3:48

Very cool, so let's say a company has its own system

3:52

for storing employee information

3:54

like a directory of user accounts.

3:56

Do they have to manually recreate all of that in Keycloak?

3:59

No, no, not at all.

4:00

Keycloak is smarter than that.

4:01

It has a feature called user federation.

4:04

Okay, what's that do?

4:04

This lets it connect to and sync with

4:07

those existing user directories.

4:09

So like the company's Active Directory

4:11

or something like that.

4:12

Exactly, so when someone new joins the company

4:15

and an account is created, Keycloak

4:16

just automatically recognizes them.

4:19

Okay, so no need to set up a separate Keycloak account

4:22

for each person.

4:23

Exactly, saves a lot of time and effort.

4:25

And helps avoid errors too, I bet.

4:26

Oh yeah, for sure.

4:27

It keeps everything consistent,

4:29

which is always a good thing in the world of IT.

4:31

Absolutely.

4:32

So we've talked about users logging in

4:34

and connecting to different systems.

4:36

Right.

4:36

But how does someone like an IT administrator

4:39

actually manage all of this in Keycloak?

4:43

So that's where the admin console comes in.

4:45

Think of it as mission control for Keycloak.

4:48

Okay.

4:49

From this web interface,

4:49

administrators can do pretty much everything.

4:52

Oh wow, like what?

4:53

They can enable or disable features,

4:56

set up the identity brokering and user federation

4:58

we just talked about,

4:59

and manage all the applications and services

5:02

that are secured by Keycloak.

5:03

Wow, okay, so it's pretty comprehensive.

5:05

Oh it is.

5:06

They can also define authorization policies,

5:09

which we'll talk about in a bit.

5:10

And of course they can manage users themselves,

5:12

including their permissions and active sessions.

5:15

Oh wow, so it really is a central point

5:17

for controlling everything.

5:18

Exactly, it gives administrators a clear overview

5:21

and control over the entire identity

5:24

and access management system.

5:26

Okay, so what about regular users?

5:29

Can they do anything themselves related to Keycloak,

5:32

like changing their password or adding extra security?

5:35

Oh, absolutely.

5:36

Keycloak has a feature called the account management console.

5:40

What's that like?

5:40

It's a self-service portal for users

5:42

where they can manage their own profile, change passwords,

5:46

set up things like two-factor authentication.

5:48

Oh, that's handy.

5:49

Right, they can also see a history of their logins

5:51

and even link their social media accounts if that's enabled.

5:54

Okay, so users have a good amount of control

5:56

over their own security and information.

5:58

Exactly, and it takes some of the pressure

6:00

off IT administrators too for all those common tasks.

6:04

Which I'm sure they appreciate.

6:05

Yeah.

6:06

Now you mentioned earlier that Keycloak relies

6:07

on standard protocols like OpenID Connect

6:10

and SAML 2.0.

6:12

Why is that so important?

6:13

So using these industry standard protocols

6:16

is really crucial for Keycloak for a couple of reasons.

6:20

First, it makes sure that Keycloak can work

6:22

with a really wide range of applications and services.

6:25

Okay, how so?

6:26

Well, because these protocols are so widely used,

6:29

it's like they create a common language

6:31

for all these different systems to understand.

6:33

I see.

6:34

So applications built with different technologies

6:36

can still talk to Keycloak and use it for authentication

6:39

and authorization,

6:40

because they all speak the same language, so to speak.

6:43

Oh, so there are no compatibility issues

6:45

because they're all following the same rules.

6:47

Right, and the second reason is security.

6:50

These protocols have been tested and analyzed

6:52

by experts all over the world,

6:54

so they're generally considered really secure.

6:56

So it's not like Keycloak is just doing its own thing

6:59

in a way that could have security flaws.

7:01

Exactly, by using these proven protocols,

7:03

Keycloak benefits from all the collective knowledge

7:05

and security expertise that's gone into developing them.

7:08

Gotcha.

7:09

It's like standing on the shoulders of giants in a way.

7:11

You could say that.

7:12

So you mentioned authorization policies earlier.

7:15

Yes.

7:16

I know that it's important to know who someone is,

7:19

but I guess you also need to control

7:21

what they can actually do once they're logged in, right?

7:23

Absolutely.

7:24

Authentication is just the first step.

7:26

Authentication takes it to the next level.

7:28

Okay, so it's like checking your ID at the door,

7:30

but then also making sure you have permission

7:32

to go into specific rooms.

7:34

Exactly, it's about controlling access

7:36

to specific resources or actions within an application.

7:39

Makes sense.

7:41

So with Keycloak's authorization services,

7:43

you can get really granular with the permissions you define.

7:46

Okay.

7:46

Like you might not just have an editor role

7:48

that gives access to everything.

7:50

Right.

7:50

You could say this specific user

7:52

can only edit these particular documents, but not others.

7:55

And that would be handled through

7:56

these authorization policies.

7:58

Yeah, exactly.

7:59

It's really powerful for applications

8:01

that have sensitive data or complex requirements

8:04

like in finance or healthcare.

8:06

Yeah, where security and privacy are paramount.

8:09

So for someone who is new

8:10

to all this managing access and permissions online,

8:13

what's the key takeaway with Keycloak?

8:17

The main idea with Keycloak is that

8:18

it takes all the complicated stuff

8:20

related to identity and access management

8:22

and makes it much simpler for modern applications.

8:25

And that's good for developers and users alike.

8:27

For sure.

8:28

Keycloak handles all the hard parts

8:29

like storing user information, authentication,

8:32

like proving someone is who they say they are

8:35

and authorization, controlling what they can actually do.

8:38

Okay.

8:38

It's got all these great features

8:39

like single sign-on, integration with existing systems,

8:43

social logins, and a central console

8:45

for managing everything.

8:46

And it's all built with security in mind

8:48

from the ground up.

8:49

Absolutely.

8:50

It lets developers focus on building great apps

8:52

without having to become security experts themselves.

8:55

That makes a lot of sense.

8:56

So it sounds like Keycloak is a really important tool

8:58

for improving both security and efficiency

9:00

for anyone working with online services.

9:02

Definitely.

9:03

And for end users, it often means a smoother, more secure

9:07

experience online.

9:08

You don't have to juggle a million different passwords.

9:10

Which is always a good thing.

9:11

It really is.

9:12

It's easy to overlook, but these behind-the-scenes systems

9:16

like Keycloak, they're what makes the internet work

9:19

the way it does today.

9:20

Oh, for sure.

9:21

They're the unsung heroes of the digital world.

9:24

And a big thanks again to Safe Server

9:26

for supporting this deep dive into Keycloak.

9:30

And for all their work in promoting digital sovereignty.

9:32

Definitely check them out.

9:33

You can learn more about what they do

9:35

and how they support important open source projects

9:37

like Keycloak by visiting www.safeserver.de.

9:43

Good stuff.

9:43

As we spend more and more of our lives online,

9:46

having secure and easy to use ways

9:48

to manage our digital identities is only

9:51

going to become more important.

9:52

I completely agree.

9:53

And open source tools like Keycloak

9:55

are playing a big role in making that happen.

9:56

Couldn't have said it better myself.

9:58

Well, thanks for joining us.

9:59

Until next time.

9:59

Until next time.