A Quick Guide to Using Keycloak for Identity and Access Management

02 Aug, 2018

In this blog we will share how to use Keycloak for Identity and Access Management. But first, here are some frequently asked questions about Keycloak.

What is Keycloak?

Keycloak is an open source Identity and Access Management tool with features such as Single-Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console. It lets you add authentication to applications and secure services with minimum effort. Keycloak authenticates users across different applications, giving them a seamless and secure user experience.

Is Keycloak free?

Yes, Keycloak is free. The Keycloak server is open source and licensed under the Apache License 2.0, and it offers extensive capabilities for configuring and managing identity and access management solutions.

IAM (Identity and Access Management)

IAM or IdM (Identity Management) is a framework used to authenticate user identities and privileges. It checks whether users have access to the files, networks and other resources they have requested. By managing descriptive information about users, it also controls how and by whom that information can be accessed and modified. IAM systems give administrators tools and technologies to change a user’s role, keep track of user activities, etc.

Identity Management has four basic functions:

  1. The pure identity function: creation, management, and deletion of identities without regard to access or entitlements.
  2. The user access (log-on) function: for example, a smart card and its associated data used by a customer to log on to a service or services (a traditional view).
  3. The service function: a system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.
  4. Identity federation: a system that relies on federated identity to authenticate a user without knowing his or her password.

Single Sign-On and User Management

Single sign-on (SSO) is a property of access control across multiple related yet independent software systems: the user logs in with a single ID and password to gain access to the connected systems without needing different usernames or passwords. SSO is typically accomplished using the Lightweight Directory Access Protocol (LDAP) and LDAP databases stored on (directory) servers. SSO can also be achieved over IP networks using cookies, but only if the sites share a common DNS parent domain.

Shared authentication schemes include OAuth, OpenID, OpenID Connect and Facebook Connect. These authentication schemes require the user to enter their login credentials each time they access a different site or application, so they should not be confused with SSO, where a single sign-on is enough to sign in to different applications. With SSO, users enter their credentials once and remain signed in.

Benefits of using SSO

  1. Reduce risk for access to 3rd-party sites.
  2. Reduce password fatigue from different username and password combinations.
  3. Reduce time spent re-entering passwords for the same identity.
  4. Reduce IT help desk calls about passwords, and therefore IT costs.

Keycloak Authorization

Keycloak Authorization Services is a pivotal feature that enables fine-grained authorization policies, enhancing Keycloak’s open source identity and access management solution. This service facilitates the implementation of detailed access control mechanisms, including attribute-based access control (ABAC) and role-based access control (RBAC), to manage permissions and authorization for applications and services comprehensively. Users can authenticate with Keycloak rather than individual applications, eliminating the need for applications to handle login forms, authenticate users, and store user information.

Once logged in to Keycloak, users don’t have to log in again to access different applications, and the same convenience applies to signing out. Keycloak offers everything a sophisticated user management tool needs, without requiring users to log in separately to every system: system security, social logins, support for mobile apps, and integration into other solutions. Additionally, Keycloak grants access to resources based on the default configuration, policy, and permissions, streamlining the authorization process across different applications. Keycloak has implementations for LDAP and Active Directory as well.

Password Policies

Each new realm is created with no password policies associated with it, so users can create passwords as short, as long, as complex, or as insecure as they want. Such simple settings are fine for development or learning Keycloak, but unacceptable in production environments.

OTP to Authenticate Users

Keycloak has a number of policies you can set up for your FreeOTP or Google Authenticator One-Time Password generator. There are two types:

  1. TOTP (time-based OTP)
  2. HOTP (counter-based OTP)
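
The two OTP types side by side, as an added example that is not from the original post and is not Keycloak's code: HOTP per RFC 4226 and TOTP per RFC 6238, with the hash algorithm, digit count and period as parameters in the way an OTP policy exposes them. The `window` and `look_ahead` tolerances and `DEMO_SECRET` (the RFC 4226 test secret) are assumptions of this sketch.

```python
import hashlib
import hmac
import struct
import time

DEMO_SECRET = b"12345678901234567890"  # constructed: the RFC 4226 test secret


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """Counter-based OTP (RFC 4226): HMAC the counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="sha1"):
    """Time-based OTP (RFC 6238): HOTP over the count of elapsed periods."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // period), digits, algorithm)


def _same(a, b):
    # Constant-time comparison; encoding first means non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())


def verify_totp(secret, submitted, at=None, period=30, digits=6,
                algorithm="sha1", window=1):
    """Accept a code from up to `window` periods either side of `at` (clock drift)."""
    now = time.time() if at is None else at
    step = int(now // period)
    return any(_same(hotp(secret, step + d, digits, algorithm), submitted)
               for d in range(-window, window + 1) if step + d >= 0)


def verify_hotp(secret, submitted, counter, digits=6, look_ahead=1):
    """Return the next counter to store on success, or None on failure."""
    for c in range(counter, counter + look_ahead + 1):
        if _same(hotp(secret, c, digits), submitted):
            return c + 1  # moving past c makes the accepted code unusable again
    return None
```

A TOTP code stays valid for the whole period plus the tolerance window, while an HOTP code stays valid until the stored counter moves past it, which is why the server must persist the returned counter.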

Client Certificate

  • A client authentication certificate is a certificate used to authenticate clients during an SSL handshake: it authenticates users who access a server by presenting the client certificate. A client certificate would typically contain pertinent information like a digital signature, expiration date, name of client, name of CA (Certificate Authority), revocation status, SSL/TLS version number, serial number, and possibly more, all structured using the X.509 standard.
  • Popular web browsers such as Firefox, Chrome, Safari, and Internet Explorer readily support client certificates. To integrate an application with Keycloak, you must configure Keycloak settings for new clients, which includes toggling client authentication. This setting enables or disables client authentication and authorization, defines the authentication flow, and sets login paths.
  • If an application is enabled with client certificate authentication, only users who attempt to connect from clients loaded with the right client certificates will succeed. Even if a legitimate user attempts to connect with the right username and password, that user will not be granted access unless the client application is loaded with the right client certificate.
  • In fact, if that user’s connecting from a Web browser, the login page (where he’s supposed to enter his username and password) might not even load at all like the one shown below.
  • A server certificate is sent from the server to the client at the start of a session and is used by the client to authenticate the server. A client certificate, on the other hand, is sent from the client to the server at the start of a session and is used by the server to authenticate the client.

Keycloak Admin Console Working Procedure

On a complete system secured with Keycloak:
A user clicks from a public page to navigate to a protected area within the application. The link to this protected area is in the application settings in the Keycloak admin console.

  • The user is redirected to the Keycloak authentication page. After the user provides a username and password, Keycloak redirects the user back to the application with a code that is valid for a very short span of time.
  • The application sends this code to Keycloak along with the application ID and the application secret, and Keycloak replies with an access token, an ID token, and a refresh token. Your application will need only one of these tokens to see which claims the user has, and according to the claims, the user will be granted or denied access to the requested protected URL(s).


Keycloak With OpenID Connect (OIDC)

OIDC is an authentication protocol that is an extension of OAuth 2.0. OAuth 2.0 is only a framework for building authorisation protocols, but OIDC is a full-fledged authentication and authorisation protocol. The OIDC authentication flow when integrated with Keycloak:

  • The browser visits the application. The application notices the user is not logged in, so it redirects the browser to Keycloak to be authenticated. The application passes along a call-back URL (a redirect URL) as a query parameter in this browser redirect, which Keycloak will use when it finishes authentication.
  • Keycloak authenticates the user and creates a one-time, very short-lived, temporary code. Keycloak redirects back to the application using the call-back URL provided earlier and adds the temporary code as a query parameter in the call-back URL.
  • The application extracts the temporary code and makes a background, out-of-band REST call to Keycloak to exchange the code for an identity, access and refresh token. Once this temporary code has been used to obtain the tokens, it can never be used again. This prevents potential replay attacks.
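
A toy model of the server side of this exchange, added here as an illustration (not Keycloak's implementation and not code from the original post), showing why a redeemed or expired code is useless when replayed. The class name, the 60-second lifetime, exact-match redirect URIs and `DEMO_CLIENTS` are assumptions.

```python
import hmac
import secrets
import time

# Constructed sample registration: one client and its valid redirect URL.
DEMO_CLIENTS = {"app-one": {"secret": "constructed-secret",
                            "redirect_uris": {"http://localhost:8081/callback"}}}


class AuthCodeStore:
    """Toy authorization-code store: codes are short-lived and single-use."""

    def __init__(self, clients, ttl=60, clock=time.time):
        self.clients = clients  # client_id -> {"secret": str, "redirect_uris": set}
        self.ttl = ttl          # assumed code lifetime in seconds
        self.clock = clock
        self._codes = {}

    def issue(self, client_id, redirect_uri, user):
        """Called once the user has authenticated; returns the temporary code."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect URI")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, user, self.clock() + self.ttl)
        return code

    def redeem(self, code, client_id, client_secret, redirect_uri):
        """Back-channel exchange of the code for tokens."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(
                client["secret"].encode(), client_secret.encode()):
            raise PermissionError("client authentication failed")
        # pop() removes the code on the first authenticated attempt, valid or
        # not, so a replayed code finds nothing left to redeem.
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("code unknown or already used")
        issued_to, issued_uri, user, expires = entry
        if (issued_to, issued_uri) != (client_id, redirect_uri):
            raise PermissionError("code was issued to a different client or URI")
        if self.clock() > expires:
            raise PermissionError("code expired")
        # Opaque placeholders; real tokens are signed JWTs.
        return {"sub": user, **{name: secrets.token_urlsafe(16) for name in
                                ("access_token", "id_token", "refresh_token")}}
```

Because the code travels through the browser in a query string, binding it to the client secret and the registered redirect URL is what keeps a leaked code from being exchanged by anyone other than the application it was issued to.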


The tools that we require are mentioned below:
Operating systems: Windows, Docker
Tools: Maven
Single-Sign-On: Keycloak
Development environments: Eclipse
Programming language: Java

Integrating multiple applications with Keycloak

Add a docker-compose.yml file and save it in a folder.


Add the Keycloak and spring-boot dependencies to your project.

Create file. file

Open a command prompt and run docker-compose up to start Keycloak.

Open a browser and enter the Keycloak URL. Click on Administration Console.

The default username and password are ‘admin’ and ‘admin’.

Click on Add Realm and give the realm a name.

Add a client.


Enter the URL path of your application in the valid redirect URL field.

Add role.


Add user.


Go to the Credentials tab and reset the password by entering a new password.

Go to the Role Mappings tab and add a role to the user.

Similarly, create another application and add all the necessary files. In Keycloak we will use the same realm, but we need to add a new client, role and user.

Now run the two applications.

Open a browser and enter the URL of the first application.

Clicking the products button redirects to Keycloak. Enter the username and password.

Now you will be redirected to the application.


Now open another tab and enter the URL of the other application. You will be redirected to the application without going to the Keycloak login screen.

We will now add an authentication method, namely OTP. Go to Authentication > Flows > Direct Grant and mark OTP as required.

In the Browser flow, also mark OTP as required.

In the OTP policy you can see the hash algorithm, time period, etc.

You need to install the FreeOTP or Google Authenticator application on your mobile.

Now re-run Keycloak, open a browser and enter a URL. After the Keycloak login page you will be redirected to a screen with a barcode.

Now scan the barcode with the application that you installed on your mobile and enter the OTP.

You will be redirected to your application.


