Keycloak is an open-source identity and access management (IAM) server that takes authentication and authorization out of your application code. We can think of it as a user authentication and access management application: it authenticates the user or system requesting access to your environment and then evaluates a set of rules to determine which roles that user or system holds and which resources it may reach.
Keycloak handles this in two separate steps:
- Identity Management
- Access Management
Access management relies on an identity provider to authenticate the user and then maps the authenticated identity to what it is allowed to do in the environment. For example, when a user holding the super admin role logs into the system, the identity management step (verifying who the user is) runs first, followed by the access management step (resolving that user's roles and permissions). The key concepts you will encounter in Keycloak are Realm, Client, Role, Group, and User. In fact, the entire system is built upon these entities.
Let’s briefly explain what these concepts are:
Realm: A realm represents an organization (or tenant) and manages an isolated set of users along with their identity information, roles, and groups. Users, clients and roles in one realm are not visible to another, so separating environments or customers into different realms is the usual way to keep them apart.
Client: Clients are the applications and services that make requests to Keycloak to authenticate a user and obtain tokens for that user. We can think of it as many different clients entrusting the same Keycloak realm with the task of authentication and authorization; each client is registered in exactly one realm and only receives tokens issued by that realm.
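The two steps and the realm/client relationship described above show up concretely in the access token Keycloak issues: the realm becomes the `iss` claim (the realm URL), the client appears in `azp` and `aud`, realm roles sit under `realm_access.roles` and client roles under `resource_access.<client>.roles`. The following Python script is an added example, not code from the original article or from the Keycloak project. It mints a constructed token with that shape and then runs the two steps in order: `verify_token` is the identity management step (signature, issuer, audience, expiry) and `authorize` is the access management step (matching the required role). Keycloak signs real tokens with RS256 and publishes the realm's public keys at the realm's JWKS endpoint; this example uses HS256 with a shared secret only so that it runs offline with the standard library, and the issuer URL, client id, user name and role names are invented.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for an offline demonstration. The issuer is the realm URL
# (https://<host>/realms/<realm>); the client id is what Keycloak puts in "azp"
# and, by default, "aud". Real Keycloak tokens are RS256-signed and verified
# against the realm's JWKS; HS256 with a shared secret is used here only so the
# example runs without a server.
REALM_ISSUER = "https://sso.example.com/realms/demo"
CLIENT_ID = "inventory-api"
SIGNING_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(username, realm_roles, client_roles, lifetime=300, now=None,
               issuer=REALM_ISSUER):
    """Build a token shaped like a Keycloak access token (constructed for the demo)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": issuer,                       # the realm that issued the token
        "aud": CLIENT_ID,                    # the client the token is intended for
        "azp": CLIENT_ID,                    # the client that requested it
        "typ": "Bearer",
        "iat": now,
        "exp": now + lifetime,
        "preferred_username": username,
        "realm_access": {"roles": list(realm_roles)},                    # realm roles
        "resource_access": {CLIENT_ID: {"roles": list(client_roles)}},   # client roles
    }
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    signature = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_token(token, now=None):
    """Identity management step: accept only an unexpired token signed for our
    realm and our client. Raises ValueError for anything else."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # reject alg "none" and algorithm swaps
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != REALM_ISSUER:     # a token from another realm is worthless here
        raise ValueError("token issued by another realm")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def roles_of(claims):
    """Split a verified token's roles into realm roles and this client's roles."""
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    client_roles = set(claims.get("resource_access", {}).get(CLIENT_ID, {}).get("roles", []))
    return realm_roles, client_roles


def authorize(token, required_realm_role=None, required_client_role=None, now=None):
    """Access management step: verify identity first, then match the required role."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    realm_roles, client_roles = roles_of(claims)
    if required_realm_role is not None and required_realm_role not in realm_roles:
        return False
    if required_client_role is not None and required_client_role not in client_roles:
        return False
    return True


if __name__ == "__main__":
    token = mint_token("alice", ["super-admin"], ["inventory:write"])
    print("write allowed:", authorize(token, required_client_role="inventory:write"))
    print("delete allowed:", authorize(token, required_client_role="inventory:delete"))
```

The order matters: a role claim is only meaningful after the signature, issuer and audience checks have passed, which is why `authorize` never reads `realm_access` from a token that `verify_token` rejected. Splicing a privileged payload onto a signature taken from another token, or presenting a token minted by a different realm, both fail at the identity step and never reach the role match.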
Keycloak exposes a comprehensive REST API for administration and, because it is a standards-based OpenID Connect and SAML provider, integrates with Spring Security in Java projects. Its purpose is to simplify security so that application developers can protect the applications and services they implement in their organizations without writing their own login and session handling. Keycloak supports OAuth 2.0, OpenID Connect, and SAML 2.0.
What is OAuth 2.0? OAuth 2.0, which stands for “Open Authorization,” is a standard that allows a website or application to access services hosted by another web application on behalf of a user, without that application ever handling the user’s credentials. OAuth is a protocol for application authorization, not for user authentication; user authentication is what OpenID Connect adds on top of it, and that combined layer is what Keycloak clients normally use. The client-realm relationship in Keycloak makes this application-level authorization concrete: each client is registered in a realm, sends the user to that realm to authenticate, and receives tokens scoped to that realm and that client.
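The client side of the exchange just described, as an added example that is not part of the original article or of Keycloak itself: a registered client redirects the user to its realm’s authorization endpoint and later exchanges the returned code for tokens. This Python script builds the authorization request with a per-login `state` and a PKCE code challenge (RFC 7636, S256), then validates the callback and assembles the back-channel token request. The endpoint layout (`/realms/<realm>/protocol/openid-connect/auth` and `/token`) is Keycloak’s; the host, realm name, client id and redirect URI are invented, and no network call is made.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values. Keycloak serves each realm's OpenID Connect endpoints under
# {base}/realms/{realm}/protocol/openid-connect/; the host, realm, client id and
# redirect URI below are invented for this example.
BASE_URL = "https://sso.example.com"
REALM = "demo"
CLIENT_ID = "web-portal"
REDIRECT_URI = "https://portal.example.com/callback"


def realm_endpoint(name):
    """Realm-scoped OpenID Connect endpoint, e.g. realm_endpoint("token")."""
    return f"{BASE_URL}/realms/{REALM}/protocol/openid-connect/{name}"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_challenge(verifier):
    """S256 challenge from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(scopes=("openid", "profile")):
    """Step 1: the client sends the user's browser to the realm's auth endpoint.
    Returns the redirect URL and the per-login values the client must keep
    server-side (state and the PKCE verifier); neither is trusted from the user."""
    state = secrets.token_urlsafe(16)          # ties the callback to this login attempt
    verifier = b64url(secrets.token_bytes(32))  # PKCE verifier; only its hash goes out
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),              # "openid" requests OpenID Connect on top of OAuth
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return realm_endpoint("auth") + "?" + urlencode(params), {"state": state, "code_verifier": verifier}


def handle_callback(callback_url, session):
    """Step 2: Keycloak redirects back with ?code=...&state=... . Reject the
    callback unless state matches the stored login, then build the token
    request the client POSTs on the back channel; the PKCE verifier proves it is
    the same client that started the flow, even if the code leaked in transit."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this login")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    token_request = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,          # must equal the one sent in step 1
        "code_verifier": session["code_verifier"],
    }
    return realm_endpoint("token"), token_request


if __name__ == "__main__":
    url, login = build_authorization_request()
    print("redirect the browser to:", url)
    fake_callback = f"{REDIRECT_URI}?code=constructed-code&state={login['state']}"
    endpoint, form = handle_callback(fake_callback, login)
    print("POST", endpoint, form)
```

The token request is sent server-to-server, and the tokens that come back are the ones the previous example verifies; what the browser ever sees is only the short-lived code. A confidential client would also add its `client_secret` (or a signed client assertion) to the token request, which is omitted here since the example models a public client relying on PKCE.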