Keycloak VS authelia

For Authentication and Authorization, I use FreeIPA for LDAP and Keycloak for OAuth2/OpenID Connect. The FreeIPA client automatically pulls my public SSH key into whichever server I sign in to, so I never need to enter my password from my primary PC.

In the end, I developed a stack that I liked and re-used across multiple projects, which consisted (mostly) of Postgres, Hasura, Nest.js, Keycloak, and Next.js or Expo. More recently I've started moving away from Keycloak towards Ory Kratos/Oathkeeper. In certain cases, I also deployed AppSmith and Metabase and I considered tools like Meilisearch in a couple instances.

It depends on what context you're operating in. The reality is that most people don't fully understand authentication / authorization properly so they often mess up. When you have a small team of engineers that are spread very thin, it might be better to delegate this responsibility. If you have the time and resources to study the topic in depth and implement it properly then it's fine. It's just not that interesting of an area since the space for innovation and creativity is limited, and since the major problems have already been reliably solved by others at best you end up with an equivalent outcome and at worst you end up with security issues.

If you're operating within an enterprise context, Keycloak [0] is pretty massive but provides comprehensive coverage for all authN and authZ needs, and it's open source.

Back when I first started studying this topic I found that reading through a lot of NIST guidelines was helpful. I'd recommend at least browsing through SP 800-63-3 [1], SP 800-63A, SP 800-63B, SP 800-63C to get a good idea of the domain. Admittedly, this might be a lot of overkill for your application and needs.

[0] https://www.keycloak.org/

About Desktop OAuth protocol, you could try doing something as a "localhost" server... like Keycloak's (an IAM provider) folk did here: https://github.com/keycloak/keycloak/tree/main/adapters/oidc/installed

Use Authelia or SWAG

Authelia will let you do that

Some important services for me: 1. Wireguard: I have bypass rules in Authelia since I’m too lazy to login to my services. Wireguard also provides adblock on-the-go. 2. Samba server: use to transfer files between iPhone/iPad/laptop. Didn’t expect I’m depending on it too much. 3. Webtop: aka my lite/fake VM. I mounted my data directory to this container, mostly use it when i need GUI to move/edit files on my server. Accessible through web browser or RDP protocol. 4. Diversion: adblock on Asus router. Easy to setup adblock with vpn. Also no need to setup 2 Adblock instances. Another advantage, asus router can force all dns queries through this, bypass hard coded dns on some devices. 5. Cockpit with file sharing plugin: easily manage samba/nfs share

It was a bug from Authelia side and they just fixed it https://github.com/authelia/authelia/pull/4410

The SSO part is handled by Authelia, which integrates seamlessly with LLDAP (https://github.com/nitnelave/lldap/blob/main/example\_configs/authelia\_config.yml).

Do you have experience with https://github.com/authelia/authelia ?