Keycloak – Open-Source Identity and Access Management Interview

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • zitadel

    ZITADEL - The best of Auth0 and Keycloak combined. Built for the serverless era.

    When I was building a website and companion app, I researched a lot of the open-source options for auth. My primary requirement was ease of setup and operation. I didn't want to mess around with JVM dependencies and 100% didn't want to start messing around with k8s for such a small project.

    I was also very intimidated by the ORY stack. I didn't know how all the pieces fit together. And to self-host you pretty much need to run and orchestrate it on k8s. I'm not an auth expert, I just want a login thingy for my website/app.

    I'm not affiliated with it in any way, but I really liked what ZITADEL[1] is doing, in case anyone else is researching their options. It has a very simple interface to get started with, but also a ton of features. It being written in Go is a huge benefit since that makes it much easier for me to throw it up on my VPS and call it a day.

    1. https://zitadel.com/

  • Keycloak

    Open Source Identity and Access Management For Modern Applications and Services

    Sure, you can treat the access token as an opaque token... but at the end of the day it could be a lot smaller.

    Discussed here https://github.com/keycloak/keycloak/discussions/9713 and https://stackoverflow.com/questions/75082532/keycloak-suppor...

    We also experience a few front-end issues, like when a token expires, the browser tab goes back to the login page. If you leave the tab a while then press login, the token it is using will have expired. Rather than automatically retrieving a new token and posting the login again, the user gets an error message and has to authenticate again.

    If you have two tabs in that state and you log one back in, then switch to the other tab: if you refresh that tab, all is well and login proceeds automatically. If you press "login" instead, you get an error page telling you "already logged in" rather than just redirecting you back to the app... it also loses the redirect URL, so you have to press "back" instead.

    Will see if we can fix these when we have time, it would be nice to contribute back.

  • authentik

    The authentication glue you need.

    We used Keycloak as an OpenID identity provider as well. It is fine to set up Keycloak once, but it is painful to share the setup with other engineers.

    For local development, we ended up using dex (https://dexidp.io). When we need group/role support, we use dex and glauth (https://glauth.github.io). Both dex and glauth can be configured with YAML files. We just created a few YAML files and a docker compose file, and every engineer can bring up the whole environment in a few seconds.

    Also https://www.authelia.com and https://github.com/goauthentik/authentik look pretty promising, if you need more advanced features from them.

  • typescript

    Typescript packages and application to showcase the ZITADEL resource API (by zitadel)

  • authelia

    The Single Sign-On Multi-Factor portal for web apps

  • casbin

    An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN

    Looking at your username, it would be nice to mention that you are one of the main developers behind the tool instead of making it sound like you are unrelated: https://github.com/casbin/casbin/graphs/contributors https://github.com/casdoor/casdoor/graphs/contributors

  • lldap

    Light LDAP implementation

    I tried Keycloak for my homelab, but I found the resource usage, especially on startup, to be too high (3 GB memory or something), and since I wanted a minimal server footprint I went with lldap[1] as the user store and authelia[2] to do forward auth using traefik.

    Pretty happy with this setup; though it has fewer features than Keycloak, it's easier to administrate from code.

    [1] https://github.com/lldap/lldap

  • dex

    OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors

  • terraform-provider-keycloak

    Terraform provider for Keycloak

    The Terraform provider[1] unfortunately is 3rd party and as such doesn't bring any guarantees of correctness other than that of the maintainer. It would be nice to see Keycloak provide an official solution for configuration management other than the K8s operator, which is missing a lot of features.

    [1] https://github.com/mrparkers/terraform-provider-keycloak

  • keycloak-clojure

    A Clojure library helping the integration of Keycloak with a Clojure Application + a sample SPA Client and API Server demonstrating the Keycloak integration

    I use Keycloak a lot for authentication and authorisation and I like its flexibility and richness of features.

    Running it in production is a no-brainer; the only problem we had was the bad behaviour of some clients that issue a token for every API call, as it can put some stress on Keycloak, so we had to implement some rate limiting in front of Keycloak to avoid that.

    I try to ease its usage with Clojure with https://github.com/jgrodziski/keycloak-clojure

  • private_server

    This is the configuration for my private server, with the intention of never having to use manual SSH.

    Also just for learning.

    2. You can see the services here[1], since my entire setup is provisioned from GitHub with Terraform and Ansible.

    3. I have about 5 users.

    4. I would say simplify so far, but it depends on what kind of complexity you care about, and which services you want to integrate.

    [1] https://github.com/RedlineTriad/private_server/tree/master/s...

  • nginx-openid-connect

    Reference implementation of OpenID Connect integration for NGINX Plus

    > With both Apache and Nginx you can let the web server do all the OpenID Connect work for you for paths you specify.

    Seems like at least the official nginx solution for this requires their paid subscription: https://github.com/nginxinc/nginx-openid-connect

    Got any tips for how to do it with their open-source solution?

  • casdoor

    An open-source UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA and RADIUS [Moved to: https://github.com/casdoor/casdoor]

  • lua-resty-openidc

    OpenID Connect Relying Party and OAuth 2.0 Resource Server implementation in Lua for NGINX / OpenResty

    There's an nginx Lua build that can do it on nginx through a Lua module: https://github.com/zmartzone/lua-resty-openidc

    Apache is a lot easier to configure, though.

  • keycloak-config-cli

    Import YAML/JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.

    > But it is painful share the setup with other engineers.

    We used keycloak-config-cli [1]; it compares a config file stripped of IDs to your Keycloak installation and makes the relevant updates through the REST API.

    [1] https://github.com/adorsys/keycloak-config-cli
