Keycloak VS caddy-auth-portal

For Authentication and Authorization, I use FreeIPA for LDAP and Keycloak for OAuth2/OpenID Connect. The FreeIPA client automatically pulls my public SSH key into whichever server I sign in to, so I never need to enter my password from my primary PC.

In the end, I developed a stack that I liked and re-used across multiple projects, which consisted (mostly) of Postgres, Hasura, Nest.js, Keycloak, and Next.js or Expo. More recently I've started moving away from Keycloak towards Ory Kratos/Oathkeeper. In certain cases, I also deployed AppSmith and Metabase and I considered tools like Meilisearch in a couple instances.

It depends on what context you're operating in. The reality is that most people don't fully understand authentication / authorization properly so they often mess up. When you have a small team of engineers that are spread very thin, it might be better to delegate this responsibility. If you have the time and resources to study the topic in depth and implement it properly then it's fine. It's just not that interesting of an area since the space for innovation and creativity is limited, and since the major problems have already been reliably solved by others at best you end up with an equivalent outcome and at worst you end up with security issues.

If you're operating within an enterprise context, Keycloak [0] is pretty massive but provides comprehensive coverage for all authN and authZ needs, and it's open source.

Back when I first started studying this topic I found that reading through a lot of NIST guidelines was helpful. I'd recommend at least browsing through SP 800-63-3 [1], SP 800-63A, SP 800-63B, SP 800-63C to get a good idea of the domain. Admittedly, this might be a lot of overkill for your application and needs.

[0] https://www.keycloak.org/

About Desktop OAuth protocol, you could try doing something as a "localhost" server... like Keycloak's (an IAM provider) folk did here: https://github.com/keycloak/keycloak/tree/main/adapters/oidc/installed

Caddy Auth Portal. Also has the advantage of providing unified secure 2FA.

I am very happy with the this caddy extension: https://github.com/greenpau/caddy-auth-portal.

Sorts this precise use case for me, need for common login provider. Without the banality of basic auth.

After dabbling with Caddy's auth-portal, nginx Vouch proxy, Keycloak and Authelia I found Authentik.

I'm trying to migrate from Nginx to the simpler Caddy and am looking for an auth-request replacement. The Caddy auth-portal looks perfect, it even has local user management. I might spin it up in Docker.

Usually with this plugin: https://github.com/greenpau/caddy-auth-portal

There’s caddy-auth-portal which I’ve not used myself, but heard good things about.

I hope this post helps setting up your SSO with Caddy. I'd highly recommend trying it out if you find yourself always needing to authenticate with different services on your domain – and check out caddy-auth-portal's docs for even more advanced features!

This sounds like an XY Problem. It sounds like you're missing a good IAP solution to deal with access controls. Something like oauth2_proxy, Keycloak, Pomerium, etc. Hell, I've even set up a basic IAP with Caddy and Oauth Portal.

Have you looked at caddy-auth-portal