[HN Gopher] Keycloak - Open-Source Identity and Access Managemen...
___________________________________________________________________
Keycloak - Open-Source Identity and Access Management Interview
Author : ph4ni
Score : 50 points
Date : 2023-06-18 21:23 UTC (1 hour ago)
(HTM) web link (console.substack.com)
(TXT) w3m dump (console.substack.com)
| kurante wrote:
| What do folks think about authentik[0]?
|
| I tried to set up Keycloak but, after fiddling with it for a while,
| gave up and tried something else. It felt really weird that I was
| just extracting a tar and running a jar instead of some
| pre-packaged solution, but that might just be me.
|
| authentik was pretty easy to set up for my homelab, but maybe I'm
| missing something given all the positive recommendations for
| Keycloak?
|
| [0]: https://goauthentik.io/
| miduil wrote:
| I was considering using authentik, but I'm not very keen
| towards having a Django application taking over SSO
| authentication.
| Jnr wrote:
| I set up Keycloak using Docker and it was very simple to do.
|
| I did not really try authentik yet since all the advanced
| features I needed worked with Keycloak, but I do have it
| running in a container to play with at some point in time.
| adeptima wrote:
| Would like to cheerlead for fully opensource Zitadel project
| here.
|
| https://zitadel.com/
|
| https://zitadel.com/team
|
| Main repo https://github.com/zitadel/zitadel
|
| Zitadel team clearly understand OpenID, Auth0, Keypass, etc specs
| and have all previous experience to implement identity management
| right for SaaS, B2C and B2B project scenarios.
|
| SaaS Product with Authentication and Authorization
| https://zitadel.com/docs/guides/solution-scenarios/saas
|
| Simplify Your SaaS: Multi-Tenancy and Delegated Access Management
| with ZITADEL Organizations
| https://www.youtube.com/watch?v=Cx_WgyY4TOo
|
| ZITADEL Roadmap
| https://github.com/orgs/zitadel/projects/6/views/1
|
| Zitadel took a very good direction into allowing to "build my own
| login and register ui"
|
| Sprint Demo - ZITADEL 2.28.0
| https://www.youtube.com/watch?v=hpQ4zrV48LY
|
| [Epic] Login API and improvement of Register API #5015
| https://github.com/zitadel/zitadel/issues/5015
|
| https://github.com/zitadel/typescript
|
| Previously had a look at Ory, Keycloak and many others.
|
| Found those solutions either to be more "enterprisy" and over-
| engineered rather than something which can co-exist in my small
| team brain.
| Lucasoato wrote:
| I'm a bit of a newbie in this exact field, but when Keycloak is used
| to authenticate an external client, wouldn't revealing that you're
| using Keycloak itself be a security concern? Given that this
| information could be dangerous in the hands of a possible attacker,
| is it possible to make it totally impossible to tell whether someone
| is using Keycloak or not?
| precommunicator wrote:
| Once you're a Keycloak user you can figure out if someone is
| using Keycloak within seconds, e.g. I know my credit card
| company uses it. And this isn't a matter of security; security
| by obscurity is a really bad idea.
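The "within seconds" claim above is easy to reproduce because OpenID Connect providers publish a discovery document by design, and Keycloak's realm endpoints follow a fixed path layout (`/realms/<realm>/protocol/openid-connect/...`, with an `/auth` prefix on releases before 17). The following is an added example, not code from the thread or from the Keycloak project: it takes a discovery document as a JSON string and reports whether the path layout matches Keycloak's and which realm is in use. The two sample documents are constructed; the hostnames are placeholders.

```python
"""Fingerprint an OpenID Connect provider from its discovery document.

Added example (not from the thread). Only the URL path layout is inspected:
a custom hostname hides nothing when the protocol requires these URLs to be
published at /.well-known/openid-configuration.
"""
import json
import re
from urllib.parse import urlparse

# Keycloak layout: issuer is /realms/<realm>, protocol endpoints sit under
# /realms/<realm>/protocol/openid-connect/. Releases before 17 prefixed
# every path with /auth, so accept that too.
KEYCLOAK_ISSUER_RE = re.compile(r"^(/auth)?/realms/[^/]+/?$")
KEYCLOAK_ENDPOINT_RE = re.compile(r"^(/auth)?/realms/[^/]+/protocol/openid-connect/")

# Discovery keys whose paths carry the layout signal.
ENDPOINT_KEYS = (
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
    "end_session_endpoint",
)

# Constructed sample: a Keycloak realm behind a vanity domain.
SAMPLE_KEYCLOAK = json.dumps({
    "issuer": "https://login.example.com/realms/customers",
    "authorization_endpoint": "https://login.example.com/realms/customers/protocol/openid-connect/auth",
    "token_endpoint": "https://login.example.com/realms/customers/protocol/openid-connect/token",
    "jwks_uri": "https://login.example.com/realms/customers/protocol/openid-connect/certs",
    "end_session_endpoint": "https://login.example.com/realms/customers/protocol/openid-connect/logout",
})

# Constructed sample: some other provider with a different path scheme.
SAMPLE_OTHER = json.dumps({
    "issuer": "https://accounts.example.net",
    "authorization_endpoint": "https://accounts.example.net/oauth2/v1/authorize",
    "token_endpoint": "https://accounts.example.net/oauth2/v1/token",
    "jwks_uri": "https://accounts.example.net/oauth2/v1/keys",
})


def fingerprint(discovery_json: str) -> dict:
    """Return {"keycloak": bool, "markers": [...], "realm": str|None}.

    A document is flagged as Keycloak when at least two independent fields
    (issuer plus one endpoint, or two endpoints) show the realm layout, so a
    single coincidental path does not trigger a false positive.
    """
    doc = json.loads(discovery_json)
    markers = []

    issuer_path = urlparse(doc.get("issuer", "")).path
    if KEYCLOAK_ISSUER_RE.match(issuer_path):
        markers.append("issuer")

    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url and KEYCLOAK_ENDPOINT_RE.match(urlparse(url).path):
            markers.append(key)

    realm = None
    realm_match = re.search(r"/realms/([^/]+)", issuer_path)
    if realm_match:
        realm = realm_match.group(1)

    return {"keycloak": len(markers) >= 2, "markers": markers, "realm": realm}


if __name__ == "__main__":
    for label, sample in (("keycloak", SAMPLE_KEYCLOAK), ("other", SAMPLE_OTHER)):
        print(label, fingerprint(sample))
```

Against a live deployment you would fetch `https://<host>/realms/<realm>/.well-known/openid-configuration` and pass the body to `fingerprint`. The practical conclusion is the one drawn in the comment: because the protocol itself publishes this layout, the defensible posture is keeping the deployment patched and limiting what is reachable (the admin console in particular), not trying to disguise the product.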
| Lacerda69 wrote:
| I don't quite get why you think it would be a security concern?
|
| The alternative to using a tried and tested solution is to build
| it yourself - but are you really confident you will do a better
| job than professionals in the field?
| croo wrote:
| I worked on a project which used Keycloak for authentication and
| SSO module between like 10+ java services with a custom UI and
| custom 2fa solution.
|
| I really liked it. Setting up and using it with LDAP was easy,
| Google and other sso integration was a search and some settings
| away, it ran on docker without problems. There were some problems
| with caching and refreshing user data but that arose from the
| complex architecture. The keycloak UI was at times a little
| clunky but the documentation was good.
|
| I would recommend it to anyone.
| rad_gruchalski wrote:
| > the documentation was good
|
| There's also a book now which I can highly recommend:
| https://www.amazon.com/Keycloak-Management-Applications-prot...
| golemiprague wrote:
| [dead]
| roboben wrote:
| I don't get it. Keycloak feels like some clunky 90s enterprise
| software, and I mean it only in a bad way. Had to run it on
| OpenShift and it was hell. It's not really made for containers,
| clustering is basically impossible, it needs to know its default
| route, and I can't remember the exact issue but found myself
| patching some obscure startup scripts which templated some XML to
| start that thing. Can't recommend, but I'd be happy to hear
| alternatives which are actually modern.
| Glyptodon wrote:
| It's on my list of things that assumes out of the box that you
| know waaaaaay more about dozens of details than you actually
| are likely to unless you've already used it for 10 years. To
| the point that I don't even know what the benefit of using it
| vs. other options is at all.
| roboben wrote:
| I can't understand your first sentence even after reading it
| ten times. Maybe it is too long for me.
|
| To the second sentence: I don't know what the benefit is
| either but in some environments you are not able to use any
| cloud provider or other external service to realize the auth
| layer so you are stuck with things like keycloak. Hope this
| thread discusses some other solutions which you can self
| host.
| vxNsr wrote:
| I know the two main competitors that have been adopted by
| the self hosted community are authentik and authelia,
| they're both somewhat under developed for enterprise but at
| the same time still difficult to grasp for non-full time
| devOps people. At least in my opinion.
| jsmith99 wrote:
| I use authentik for self hosted - it's great but still
| too powerful and configurable for me or most people who
| are not auth experts to customise. Just creating a
| password reset flow requires integrating a dozen moving
| parts. The only explanation how to do it is a yaml file
| or a YouTube tutorial.
|
| Setting up basic forward auth or OIDC was super easy
| though.
| Lacerda69 wrote:
| use cases that require _everything_ "on-premise" are often
| government/military, big healthcare, or just huge
| enterprises that want to control everything (and can afford
| a team that only runs their auth service).
|
| I mentioned Ory above but you get both options - either as
| a managed service or run on your own infra
| p_l wrote:
| Or just places that don't want to give data to external,
| VC-funded or worse, vendors.
|
| I have clients that definitely prefer combination of open
| source + owner-controlled + lower costs ;)
| nebulousthree wrote:
| They mean that the software relies on the user
| understanding its, or the industry-it-serves's, jargon, to
| be used effectively.
| tecleandor wrote:
| Were you using Keycloak also as the identity provider?
|
| IIRC, if you're using an external identity provider, and you
| want clustering, you can just deploy Keycloak containers and
| load balance between them. You can then load a shared cache if
| you want (or need).
|
| My memory is fuzzy right now, but although it isn't the leanest
| solution, I don't remember it as terrible. Ours wasn't a very
| custom solution anyway, we just hit an LDAP in the back and
| that was all.
| Delotono wrote:
| They completely reworked the code base and made it k8s
| compatible
| Lacerda69 wrote:
| Have you had a look at Ory (Kratos)? Its a "cloud-
| native"/modern alternative to Keycloak:
| https://github.com/ory/kratos
| dijit wrote:
| I have, and we went back to keycloak- everything the parent
| says is true, however Ory/Kratos is a lesson in half finished
| solutions and poor documentation.
|
| we really tried quite hard, since it was backed by CNCF, but
| it could just be a case of being a tad too immature for prime
| time.
|
| it seems keycloak is now CNCF though
| rad_gruchalski wrote:
| Ory Kratos is nowhere near Keycloak. First of all, one needs
| at least Kratos+Hydra (there's an integration method now out
| of the box, yay) but Keycloak still has a flexibility
| advantage. Keycloak has many more features out of the box
| compared to the complete Ory stack.
|
| The only thing nicer in Kratos than Keycloak is the
| standalone self-service UI with JSON identity declaration. If
| someone from the Keycloak team is reading this, please, let's
| have a talk about bringing that feature to Keycloak; then
| Keycloak will be perfect. The template approach is a bit of a
| hassle.
|
| Source: deployed both stacks in production systems.
| rad_gruchalski wrote:
| Most of those issues have been sorted out in recent versions.
| It's all container-ready now with pretty solid k8s story.
| jeroenhd wrote:
| I just docker-compose up'd the server and configured it. I
| don't know when you last needed to mess with it, but the
| containerised version seems quite easy.
|
| Configuration sucked, but that's because Keycloak can do an
| awful lot.
| ownagefool wrote:
| Whilst I agree keycloak is a lil clunky, I had it working
| clustered in k8s ~8 years ago.
|
| I do recall the gossip protocol presenting problems back then,
| but now I believe the helm chart just works.
___________________________________________________________________
(page generated 2023-06-18 23:00 UTC)