1 00:00:00,000 --> 00:00:02,760 Okay, so you ever notice how pretty much every app 2 00:00:02,760 --> 00:00:05,400 on your phone wants you to log in? 3 00:00:05,400 --> 00:00:06,720 Like websites too, right? 4 00:00:06,720 --> 00:00:07,840 Yeah, for sure. 5 00:00:07,840 --> 00:00:09,640 Seems like it's just become this basic part 6 00:00:09,640 --> 00:00:12,280 of using any online service. 7 00:00:12,280 --> 00:00:13,920 Yeah, they need to know who you are 8 00:00:13,920 --> 00:00:15,600 and what you're actually allowed to do 9 00:00:15,600 --> 00:00:17,280 on their platform, right? 10 00:00:17,280 --> 00:00:19,280 Right, and so today we're going deep 11 00:00:19,280 --> 00:00:21,520 on how all that works behind the scenes. 12 00:00:21,520 --> 00:00:22,360 Sounds good. 13 00:00:22,360 --> 00:00:23,800 We're gonna be looking at a really cool tool 14 00:00:23,800 --> 00:00:25,040 called Keycloak. 15 00:00:25,040 --> 00:00:25,880 Okay, cool. 16 00:00:25,880 --> 00:00:27,960 It basically makes this whole process 17 00:00:27,960 --> 00:00:31,240 way easier for developers and by extension, 18 00:00:31,240 --> 00:00:32,600 much safer for everyone. 19 00:00:32,600 --> 00:00:34,400 Yeah, absolutely. 20 00:00:34,400 --> 00:00:36,480 Security and like user management, 21 00:00:36,480 --> 00:00:38,600 those are really complex topics. 22 00:00:38,600 --> 00:00:39,440 Oh, totally. 23 00:00:39,440 --> 00:00:40,260 Especially if you're building 24 00:00:40,260 --> 00:00:41,360 an application from scratch. 25 00:00:41,360 --> 00:00:42,200 Right. 26 00:00:42,200 --> 00:00:43,420 Keycloak really helps this. 27 00:00:43,420 --> 00:00:45,220 It's an open source solution that takes care 28 00:00:45,220 --> 00:00:48,540 of like all the core tasks of handling logins 29 00:00:48,540 --> 00:00:49,500 and permissions. 30 00:00:49,500 --> 00:00:51,080 Oh, that's awesome. 
31 00:00:51,080 --> 00:00:52,740 And I wanna take a second to thank Safe Server 32 00:00:52,740 --> 00:00:54,440 for supporting this deep dive. 33 00:00:54,440 --> 00:00:55,780 They're all about supporting this kind 34 00:00:55,780 --> 00:00:58,520 of important software and really empowering you 35 00:00:58,520 --> 00:00:59,820 with digital sovereignty. 36 00:00:59,820 --> 00:01:00,660 For sure. 37 00:01:00,660 --> 00:01:05,120 You can find out more about them at www.safeserver.de. 38 00:01:05,120 --> 00:01:06,080 Definitely check them out. 39 00:01:06,080 --> 00:01:07,440 So yeah, with Keycloak developers, 40 00:01:07,440 --> 00:01:09,680 they can actually focus on the unique features 41 00:01:09,680 --> 00:01:11,000 that make their app special. 42 00:01:11,000 --> 00:01:12,440 Right, because they don't have to worry 43 00:01:12,440 --> 00:01:16,560 about reinventing the wheel when it comes to security. 44 00:01:16,560 --> 00:01:17,400 Yeah. 45 00:01:17,400 --> 00:01:18,240 Which is a good thing. 46 00:01:18,240 --> 00:01:20,400 Exactly, it's a huge win for everyone involved. 47 00:01:20,400 --> 00:01:22,560 Okay, so let's say I'm using a bunch 48 00:01:22,560 --> 00:01:23,840 of different online accounts. 49 00:01:23,840 --> 00:01:26,800 My email, a project management tool, 50 00:01:26,800 --> 00:01:30,160 a community forum, and I'm sure I'm missing a couple. 51 00:01:30,160 --> 00:01:31,680 Yeah, probably a few. 52 00:01:31,680 --> 00:01:34,340 Usually each of those needs its own username and password. 53 00:01:34,340 --> 00:01:36,940 Aye, yeah, that can get a bit overwhelming 54 00:01:36,940 --> 00:01:38,240 keeping track of all of them. 55 00:01:38,240 --> 00:01:39,200 It's a nightmare. 56 00:01:39,200 --> 00:01:43,060 So Keycloak offers something called single sign-on, 57 00:01:43,060 --> 00:01:45,640 or SSO, what's that all about? 58 00:01:45,640 --> 00:01:49,320 So SSO with Keycloak is kind of like having this master key. 
59 00:01:49,320 --> 00:01:50,160 Yeah. 60 00:01:50,160 --> 00:01:51,280 You just log in once to Keycloak, 61 00:01:51,280 --> 00:01:52,680 and then you can access all these other 62 00:01:52,680 --> 00:01:55,040 connected applications without having to type 63 00:01:55,040 --> 00:01:56,980 in your password every single time. 64 00:01:56,980 --> 00:01:59,240 So I unlock the main Keycloak door, 65 00:01:59,240 --> 00:02:01,320 and all the other apps just kind of know it's me. 66 00:02:01,320 --> 00:02:02,160 Yeah, you got it. 67 00:02:02,160 --> 00:02:03,280 It happens in the background. 68 00:02:03,280 --> 00:02:04,120 You don't even see it. 69 00:02:04,120 --> 00:02:05,600 Oh yeah, that's so convenient. 70 00:02:05,600 --> 00:02:07,000 Right, and it's more secure too. 71 00:02:07,000 --> 00:02:08,440 You're actually reducing the chances 72 00:02:08,440 --> 00:02:09,920 of your password getting compromised 73 00:02:09,920 --> 00:02:11,880 because you're not typing it in everywhere. 74 00:02:11,880 --> 00:02:12,720 That's true. 75 00:02:12,720 --> 00:02:15,880 Out of sight, out of mind, I guess. 76 00:02:15,880 --> 00:02:19,160 So what about when I see those sign in with Google 77 00:02:19,160 --> 00:02:21,080 or connect the Facebook buttons? 78 00:02:21,080 --> 00:02:23,100 Oh yeah, those are everywhere now. 79 00:02:23,100 --> 00:02:24,680 Keycloak helps with that too, right? 80 00:02:24,680 --> 00:02:25,520 It does. 81 00:02:25,520 --> 00:02:28,560 It makes adding those social login options 82 00:02:28,560 --> 00:02:30,400 way easier for developers. 83 00:02:30,400 --> 00:02:31,240 How so? 84 00:02:31,240 --> 00:02:33,140 So instead of each app having to build 85 00:02:33,140 --> 00:02:36,920 separate connections to Google, Facebook, Twitter, 86 00:02:36,920 --> 00:02:37,960 you know, all of them. 87 00:02:37,960 --> 00:02:38,800 Right. 88 00:02:38,800 --> 00:02:41,300 Keycloak just acts as this central hub. 89 00:02:41,300 --> 00:02:42,240 Okay, that makes sense. 
90 00:02:42,240 --> 00:02:44,060 So through Keycloak's admin console, 91 00:02:44,060 --> 00:02:45,760 you just configure which social logins 92 00:02:45,760 --> 00:02:47,440 you want to enable, and that's it. 93 00:02:47,440 --> 00:02:49,640 So the developers don't have to write a bunch of code 94 00:02:49,640 --> 00:02:51,800 to deal with each individual social network. 95 00:02:51,800 --> 00:02:53,280 Exactly, it's way simpler. 96 00:02:53,280 --> 00:02:55,640 Keycloak handles all the complexities for them. 97 00:02:55,640 --> 00:02:57,920 So it's like Keycloak speaks all these different 98 00:02:57,920 --> 00:03:00,520 social media languages for the app. 99 00:03:00,520 --> 00:03:02,120 Yeah, that's a really good way to put it. 100 00:03:02,120 --> 00:03:03,920 That seems like a huge time saver. 101 00:03:03,920 --> 00:03:08,160 It is, and it's not limited to just social logins either. 102 00:03:08,160 --> 00:03:11,840 Keycloak can also connect to existing identity systems 103 00:03:11,840 --> 00:03:13,940 that companies might already be using. 104 00:03:13,940 --> 00:03:15,480 You mean like internal company accounts 105 00:03:15,480 --> 00:03:16,300 and things like that? 106 00:03:16,300 --> 00:03:17,840 Exactly, like if they're using something 107 00:03:17,840 --> 00:03:21,080 like OpenID Connect or SAML 2.0, 108 00:03:21,080 --> 00:03:24,360 it acts like a translator for different digital identities 109 00:03:24,360 --> 00:03:26,400 so everyone can understand each other. 110 00:03:26,400 --> 00:03:27,720 Gotcha, and what's that called? 111 00:03:27,720 --> 00:03:29,800 That's called identity brokering. 112 00:03:29,800 --> 00:03:33,440 Imagine a company partners with another organization. 113 00:03:33,440 --> 00:03:37,280 Their employees, they need to access specific resources 114 00:03:37,280 --> 00:03:38,440 in your app brain. 115 00:03:38,440 --> 00:03:39,280 Makes sense. 
116 00:03:39,280 --> 00:03:41,040 Well, with Keycloak, you don't have to create 117 00:03:41,040 --> 00:03:43,820 separate accounts for all those new users. 118 00:03:43,820 --> 00:03:46,680 Keycloak can just broker their existing identities 119 00:03:46,680 --> 00:03:48,320 so it's all seamless. 120 00:03:48,320 --> 00:03:52,120 Very cool, so let's say a company has its own system 121 00:03:52,120 --> 00:03:54,080 for storing employee information 122 00:03:54,080 --> 00:03:56,360 like a directory of user accounts. 123 00:03:56,360 --> 00:03:59,320 Do they have to manually recreate all of that in Keycloak? 124 00:03:59,320 --> 00:04:00,200 No, no, not at all. 125 00:04:00,200 --> 00:04:01,920 Keycloak is smarter than that. 126 00:04:01,920 --> 00:04:04,040 It has a feature called user federation. 127 00:04:04,040 --> 00:04:04,880 Okay, what's that do? 128 00:04:04,880 --> 00:04:07,340 This lets it connect to and sync with 129 00:04:07,340 --> 00:04:09,280 those existing user directories. 130 00:04:09,280 --> 00:04:11,160 So like the company's active directory 131 00:04:11,160 --> 00:04:12,000 or something like that. 132 00:04:12,000 --> 00:04:15,040 Exactly, so when someone new joins the company 133 00:04:15,040 --> 00:04:16,840 and an account is created, Keycloak 134 00:04:16,840 --> 00:04:19,280 just automatically recognizes them. 135 00:04:19,280 --> 00:04:22,040 Okay, so no need to set up a separate Keycloak account 136 00:04:22,040 --> 00:04:23,080 for each person. 137 00:04:23,080 --> 00:04:25,400 Exactly, saves a lot of time and effort. 138 00:04:25,400 --> 00:04:26,840 And helps avoid errors too, I bet. 139 00:04:26,840 --> 00:04:27,820 Oh yeah, for sure. 140 00:04:27,820 --> 00:04:29,000 It keeps everything consistent, 141 00:04:29,000 --> 00:04:31,720 which is always a good thing in the world of IT. 142 00:04:31,720 --> 00:04:32,560 Absolutely. 
143 00:04:32,560 --> 00:04:34,680 So we've talked about users logging in 144 00:04:34,680 --> 00:04:36,120 and connecting to different systems. 145 00:04:36,120 --> 00:04:36,960 Right. 146 00:04:36,960 --> 00:04:39,800 But how does someone like an IT administrator 147 00:04:39,800 --> 00:04:43,320 actually manage all of this in Keycloak? 148 00:04:43,320 --> 00:04:45,940 So that's where the admin console comes in. 149 00:04:45,940 --> 00:04:48,280 Think of it as mission control for Keycloak. 150 00:04:48,280 --> 00:04:49,120 Okay. 151 00:04:49,120 --> 00:04:49,960 From this web interface, 152 00:04:49,960 --> 00:04:52,160 administrators can do pretty much everything. 153 00:04:52,160 --> 00:04:53,360 Oh wow, like what? 154 00:04:53,360 --> 00:04:56,000 They can enable or disable features, 155 00:04:56,000 --> 00:04:58,440 set up the identity brokering and user federation 156 00:04:58,440 --> 00:04:59,760 we just talked about, 157 00:04:59,760 --> 00:05:02,000 and manage all the applications and services 158 00:05:02,000 --> 00:05:03,540 that are secured by Keycloak. 159 00:05:03,540 --> 00:05:05,680 Wow, okay, so it's pretty comprehensive. 160 00:05:05,680 --> 00:05:06,760 Oh it is. 161 00:05:06,760 --> 00:05:09,200 They can also define authorization policies, 162 00:05:09,200 --> 00:05:10,360 which we'll talk about in a bit. 163 00:05:10,360 --> 00:05:12,720 And of course they can manage users themselves, 164 00:05:12,720 --> 00:05:15,200 including their permissions and active sessions. 165 00:05:15,200 --> 00:05:17,240 Oh wow, so it really is a central point 166 00:05:17,240 --> 00:05:18,440 for controlling everything. 167 00:05:18,440 --> 00:05:21,560 Exactly, it gives administrators a clear overview 168 00:05:21,560 --> 00:05:24,000 and control over the entire identity 169 00:05:24,000 --> 00:05:26,360 and access management system. 170 00:05:26,360 --> 00:05:29,720 Okay, so what about regular users? 
171 00:05:29,720 --> 00:05:32,520 Can they do anything themselves related to Keycloak, 172 00:05:32,520 --> 00:05:35,840 like changing their password or adding extra security? 173 00:05:35,840 --> 00:05:36,960 Oh, absolutely. 174 00:05:36,960 --> 00:05:40,160 Keycloak has a feature called the account management console. 175 00:05:40,160 --> 00:05:40,980 What's that like? 176 00:05:40,980 --> 00:05:42,880 It's a self-service portal for users 177 00:05:42,880 --> 00:05:46,060 where they can manage their own profile, change passwords, 178 00:05:46,060 --> 00:05:48,200 set up things like two-factor authentication. 179 00:05:48,200 --> 00:05:49,040 Oh, that's handy. 180 00:05:49,040 --> 00:05:51,680 Right, they can also see a history of their logins 181 00:05:51,680 --> 00:05:54,800 and even link their social media accounts if that's enabled. 182 00:05:54,800 --> 00:05:56,840 Okay, so users have a good amount of control 183 00:05:56,840 --> 00:05:58,880 over their own security and information. 184 00:05:58,880 --> 00:06:00,760 Exactly, and it takes some of the pressure 185 00:06:00,760 --> 00:06:04,000 off IT administrators too for all those common tasks. 186 00:06:04,000 --> 00:06:05,280 Which I'm sure they appreciate. 187 00:06:05,280 --> 00:06:06,120 Yeah. 188 00:06:06,120 --> 00:06:07,640 Now you mentioned earlier that Keycloak relies 189 00:06:07,640 --> 00:06:10,320 on standard protocols like OpenID Connect 190 00:06:10,320 --> 00:06:12,320 and SAML. 191 00:06:12,320 --> 00:06:13,880 Why is that so important? 192 00:06:13,880 --> 00:06:16,720 So using these industry standard protocols 193 00:06:16,720 --> 00:06:20,120 is really crucial for Keycloak for a couple of reasons. 194 00:06:20,120 --> 00:06:22,160 First, it makes sure that Keycloak can work 195 00:06:22,160 --> 00:06:25,440 with a really wide range of applications and services. 196 00:06:25,440 --> 00:06:26,360 Okay, how so? 
197 00:06:26,360 --> 00:06:29,020 Well, because these protocols are so widely used, 198 00:06:29,020 --> 00:06:31,080 it's like they create a common language 199 00:06:31,080 --> 00:06:33,320 for all these different systems to understand. 200 00:06:33,320 --> 00:06:34,160 I see. 201 00:06:34,160 --> 00:06:36,400 So applications built with different technologies 202 00:06:36,400 --> 00:06:39,880 can still talk to Keycloak and use it for authentication 203 00:06:39,880 --> 00:06:40,720 and authorization, 204 00:06:40,720 --> 00:06:43,760 because they all speak the same language, so to speak. 205 00:06:43,760 --> 00:06:45,840 Oh, so there are no compatibility issues 206 00:06:45,840 --> 00:06:47,560 because they're all following the same rules. 207 00:06:47,560 --> 00:06:50,520 Right, and the second reason is security. 208 00:06:50,520 --> 00:06:52,900 These protocols have been tested and analyzed 209 00:06:52,900 --> 00:06:54,680 by experts all over the world, 210 00:06:54,680 --> 00:06:56,960 so they're generally considered really secure. 211 00:06:56,960 --> 00:06:59,400 So it's not like Keycloak is just doing its own thing 212 00:06:59,400 --> 00:07:01,240 in a way that could have security flaws. 213 00:07:01,240 --> 00:07:03,500 Exactly, by using these proven protocols, 214 00:07:03,500 --> 00:07:05,800 Keycloak benefits from all the collective knowledge 215 00:07:05,800 --> 00:07:08,520 and security expertise that's gone into developing them. 216 00:07:08,520 --> 00:07:09,360 Gotcha. 217 00:07:09,360 --> 00:07:11,600 It's like standing on the shoulders of giants in a way. 218 00:07:11,600 --> 00:07:12,680 You could say that. 219 00:07:12,680 --> 00:07:15,160 So you mentioned authorization policies earlier. 220 00:07:15,160 --> 00:07:16,000 Yes. 
221 00:07:16,000 --> 00:07:19,360 I know that it's important to know who someone is, 222 00:07:19,360 --> 00:07:21,160 but I guess you also need to control 223 00:07:21,160 --> 00:07:23,600 what they can actually do once they're logged in, right? 224 00:07:23,600 --> 00:07:24,480 Absolutely. 225 00:07:24,480 --> 00:07:26,680 Authentication is just the first step. 226 00:07:26,680 --> 00:07:28,480 Authentication takes it to the next level. 227 00:07:28,480 --> 00:07:30,240 Okay, so it's like checking your ID at the door, 228 00:07:30,240 --> 00:07:32,440 but then also making sure you have permission 229 00:07:32,440 --> 00:07:34,120 to go into specific rooms. 230 00:07:34,120 --> 00:07:36,200 Exactly, it's about controlling access 231 00:07:36,200 --> 00:07:39,920 to specific resources or actions within an application. 232 00:07:39,920 --> 00:07:41,160 Makes sense. 233 00:07:41,160 --> 00:07:43,280 So with Keycloak's authorization services, 234 00:07:43,280 --> 00:07:46,120 you can get really granular with the permissions you define. 235 00:07:46,120 --> 00:07:46,960 Okay. 236 00:07:46,960 --> 00:07:48,560 Like you might not just have an editor role 237 00:07:48,560 --> 00:07:50,160 that gives access to everything. 238 00:07:50,160 --> 00:07:50,980 Right. 239 00:07:50,980 --> 00:07:52,680 You could say this specific user 240 00:07:52,680 --> 00:07:55,960 can only edit these particular documents, but not others. 241 00:07:55,960 --> 00:07:56,960 And that would be handled through 242 00:07:56,960 --> 00:07:58,240 these authorization policies. 243 00:07:58,240 --> 00:07:59,520 Yeah, exactly. 244 00:07:59,520 --> 00:08:01,640 It's really powerful for applications 245 00:08:01,640 --> 00:08:04,600 that have sensitive data or complex requirements 246 00:08:04,600 --> 00:08:06,340 like in finance or healthcare. 247 00:08:06,340 --> 00:08:09,280 Yeah, where security and privacy are paramount. 
248 00:08:09,280 --> 00:08:10,600 So for someone who is new 249 00:08:10,600 --> 00:08:13,840 to all this managing access and permissions online, 250 00:08:13,840 --> 00:08:17,080 what's the key takeaway with Keycloak? 251 00:08:17,080 --> 00:08:18,520 The main idea with Keycloak is that 252 00:08:18,520 --> 00:08:20,240 it takes all the complicated stuff 253 00:08:20,240 --> 00:08:22,640 related to identity and access management 254 00:08:22,640 --> 00:08:25,520 and makes it much simpler for modern applications. 255 00:08:25,520 --> 00:08:27,520 And that's good for developers and users alike. 256 00:08:27,520 --> 00:08:28,360 For sure. 257 00:08:28,360 --> 00:08:29,780 Keycloak handles all the hard parts 258 00:08:29,780 --> 00:08:32,280 like storing user information, authentication, 259 00:08:32,280 --> 00:08:35,120 like proving someone is who they say they are 260 00:08:35,120 --> 00:08:38,000 and authorization controlling what they can actually do. 261 00:08:38,000 --> 00:08:38,840 Okay. 262 00:08:38,840 --> 00:08:39,920 It's got all these great features 263 00:08:39,920 --> 00:08:43,020 like single sign-on integration with existing systems, 264 00:08:43,020 --> 00:08:45,700 social logins, and a central console 265 00:08:45,700 --> 00:08:46,920 for managing everything. 266 00:08:46,920 --> 00:08:48,840 And it's all built with security in mind 267 00:08:48,840 --> 00:08:49,680 from the ground up. 268 00:08:49,680 --> 00:08:50,520 Absolutely. 269 00:08:50,520 --> 00:08:52,680 It lets developers focus on building great apps 270 00:08:52,680 --> 00:08:55,400 without having to become security experts themselves. 271 00:08:55,400 --> 00:08:56,560 That makes a lot of sense. 272 00:08:56,560 --> 00:08:58,640 So it sounds like Keycloak is a really important tool 273 00:08:58,640 --> 00:09:00,840 for improving both security and efficiency 274 00:09:00,840 --> 00:09:02,960 for anyone working with online services. 275 00:09:02,960 --> 00:09:03,760 Definitely. 
276 00:09:03,760 --> 00:09:07,520 And for end users, it often means a smoother, more secure 277 00:09:07,520 --> 00:09:08,480 experience online. 278 00:09:08,480 --> 00:09:10,640 You don't have to juggle a million different passwords. 279 00:09:10,640 --> 00:09:11,840 Which is always a good thing. 280 00:09:11,840 --> 00:09:12,720 It really is. 281 00:09:12,720 --> 00:09:16,260 It's easy to overlook, but these behind-the-scenes systems 282 00:09:16,260 --> 00:09:19,080 like Keycloak, they're what makes the internet work 283 00:09:19,080 --> 00:09:20,000 the way it does today. 284 00:09:20,000 --> 00:09:21,120 Oh, for sure. 285 00:09:21,120 --> 00:09:24,120 They're the unsung heroes of the digital world. 286 00:09:24,120 --> 00:09:26,600 And a big thanks again to Safe Server 287 00:09:26,600 --> 00:09:30,040 for supporting this deep dive into Keycloak. 288 00:09:30,040 --> 00:09:32,720 And for all their work in promoting digital sovereignty. 289 00:09:32,720 --> 00:09:33,960 Definitely check them out. 290 00:09:33,960 --> 00:09:35,260 You can learn more about what they do 291 00:09:35,260 --> 00:09:37,680 and how they support important open source projects 292 00:09:37,680 --> 00:09:43,000 like Keycloak by visiting www.safeserver.de. 293 00:09:43,000 --> 00:09:43,960 Good stuff. 294 00:09:43,960 --> 00:09:46,360 As we spend more and more of our lives online, 295 00:09:46,360 --> 00:09:48,920 having secure and easy to use ways 296 00:09:48,920 --> 00:09:51,280 to manage our digital identities is only 297 00:09:51,280 --> 00:09:52,440 going to become more important. 298 00:09:52,440 --> 00:09:53,680 I completely agree. 299 00:09:53,680 --> 00:09:55,240 And open source tools like Keycloak 300 00:09:55,240 --> 00:09:56,960 are playing a big role in making that happen. 301 00:09:56,960 --> 00:09:58,720 Couldn't have said it better myself. 302 00:09:58,720 --> 00:09:59,620 Well, thanks for joining us 303 00:09:59,620 --> 00:10:01,240 for this deep dive into Keycloak. 
304 00:10:01,240 --> 00:10:02,080 Until next time.