JDK 21 Release Notes
6 projects | news.ycombinator.com | 19 Sep 2023
> Where's Java primarily used these days?
I've seen a lot of enterprise-y webdev projects use it for back end stuff (Dropwizard, Spring Boot, Vert.X, Quarkus) and in rare cases even front end (like Vaadin or JSF/PrimeFaces). The IDEs are pretty great, especially the ones by JetBrains, the tooling is pretty mature and boring, the performance is really good (memory usage aside) and the language itself is... okay.
Curiously, I wanted to run my own server for OIDC/OAuth2 authn/authz and to have common features like registration, password resets and social login available to me out of the box, for which I chose Keycloak: https://www.keycloak.org/
Surprise surprise, it's running Java under the hood. I wanted to integrate some of my services with their admin API, seems like the Java library is also updated pretty frequently: https://mvnrepository.com/artifact/org.keycloak/keycloak-adm... whereas ones I found for .NET feel like they're stagnating more: https://www.nuget.org/packages?q=keycloak (probably not a dealbreaker, though)
Then, I wanted to run an APM stack with Apache Skywalking (simpler to self-host than Sentry), which also turns out to be a Java app under the hood: https://skywalking.apache.org/
Also you occasionally see like bank auth libraries or e-signing libraries be offered in Java as well first and foremost, at least in my country (maybe PHP sometimes): https://www.eparaksts.lv/en/for_developers/Java_libraries and their app for getting certificates from the government issued eID cards also runs off of Java.
So while Java isn't exactly "hot" tech, it's used all over the place: even in some game engines, like jMonkeyEngine, or in infrastructure code where something like Go might actually be more comfortable to use.
We built the fastest CI in the world. It failed
11 projects | news.ycombinator.com | 12 Sep 2023
Their reply is not SSO, it's some toy alternative they're proposing that none of your customers would accept (like saying "Dropbox is just rsync").
SSO is hairy enough that you can't write it from scratch in any reasonable amount of time for what a typical SaaS needs.
There's OSS SSO you can host yourself that supports enterprise: https://www.keycloak.org/
If you're B2C, Firebase Auth is cheap, and doesn't actually require hosting on Firebase.
Request Level Authentication and Authorization with Istio and Keycloak
4 projects | dev.to | 17 Jul 2023
Keycloak is an open source authentication service provider and identity and access management tool that lets you add authentication and authorization to applications. It provides all the native authentication features including user federation, SSO, OIDC, user management, and fine-grained authorization.
Is anyone using Quarkus for monolithic, full-stack web apps?
6 projects | /r/java | 21 Jun 2023
KeyCloak is a massive monolith, lots of authentication and authorisation methods, multiple DBs supported, Liquibase, embedded distributed caches using Infinispan (HotRod), server side rendered frontend... it's running on Quarkus. I've been working on it for around 2 years now. It would be hard for me to go back to Spring-Boot, much prefer Quarkus, even when working on monoliths. Isn't that what you asked about? https://www.keycloak.org/
Keycloak – Open-Source Identity and Access Management Interview
Disclosure: I work for FusionAuth.
We've had a number of folks migrate from Keycloak due to some of this clunkiness, but I do know they've done some major overhauls recently (moving to Quarkus amongst other things).
It also used to be super resource intensive if you have a large number of realms (which is what Keycloak calls tenants and Cognito calls user pools). From this 2022 link, more than 100-200 can cause issues: https://github.com/keycloak/keycloak/discussions/11074
Sure, you can treat the access token as an opaque token... but at the end of the day it could be a lot smaller.
We also experience a few front-end issues, like when a token expires, the browser tab goes back to the login page. If you leave the tab a while then press login, the token it is using will have expired. Rather than automatically retrieving a new token and posting the login again, the user gets an error message and has to authenticate again.
If you have two tabs in that state, you log one back in, switch to the other tab, if you refresh that tab, all is well, login proceeds automatically. If you press "login" instead, you get an error page telling you "already logged in" rather than just redirecting you back to the app... it also loses the redirect url so you have to press "back" instead.
Will see if we can fix these when we have time, it would be nice to contribute back.
Unfortunately, Keycloak currently fails to properly scale for a large-ish (a couple of hundred) number of realms, which can be an issue for use cases with a large number of tenants (as not unusual in a B2B setting): https://github.com/keycloak/keycloak/discussions/11074
This leads among other things to the Admin UI becoming basically unusable: https://github.com/keycloak/keycloak/issues/20453
We currently have to implement a workaround where we create multiple Keycloak clusters and will have to write some glue to manually route to the correct one based on the realm, but that seems like unnecessary overhead.
Wait, what server information leakage are we talking about? I didn't think keycloak leaked `x-powered-by`, and there's discussion in their repo that shows they understand the concern. All software can be fingerprinted (if not then it has no user visible behavioral differences). Making it trivial to fingerprint a server isn't a good idea, but avoiding it entirely doesn't make sense.
Was there a specific trivial information leakage you were worried about?
what do you use for authentication for apis?
2 projects | /r/node | 9 Jun 2023
JWT with custom defined users or keycloak
Keycloak vs. Authentik vs. Authelia, help choose SSO
10 projects | /r/selfhosted | 25 May 2023
Some random example: https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtector.java
What are some alternatives?
authelia - The Single Sign-On Multi-Factor portal for web apps
Apache Shiro - Apache Shiro
OPA (Open Policy Agent) - An open source, general-purpose policy engine.
authentik - The authentication glue you need.
IdentityServer - The most flexible and standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core
Spring Security - Spring Security
Ory Kratos - Next-gen identity server (think Auth0, Okta, Firebase) with Ory-hardened authentication, PassKeys, MFA, FIDO2, TOTP, WebAuthn, profile management, identity schemas, social sign in, registration, account recovery, passwordless. Golang, headless, API-only - without templating or theming headaches. Available as a cloud service.
FreeIPA - Mirror of FreeIPA, an integrated security information management solution
Vault - A tool for secrets management, encryption as a service, and privileged access management
caddy-auth-portal - Authentication Plugin for Caddy v2 implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA with App Authenticators and Yubico.
oauth2-proxy - A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
jCasbin - An authorization library that supports access control models like ACL, RBAC, ABAC in Java