Does Keycloak meet my requirements? (Social oauth, email auth, SSO multi domain)

Hello everyone,

I know how authentication systems work overall. However, it gets really complex for me when I want to integrate single sign-on for my different apps from different domains, including social login and email login.

So I come to you to clear my mind, to find out if my following expectations can be met with Keycloak, and to get the right documentation place to get started :slight_smile:

In detail, my paradise would have these features:

  • User can log in with social OAuth (Google, Apple, Twitter, …)
  • User can log in with email address
  • User just needs to log in once and gets access to all different apps on different domains (websites, mobile app, app, …)
  • Send emails (greeting, password recovery and others related to authentication) with a dedicated template for each application.
  • Define user roles dedicated to the application or for all applications
  • Provide private API access via API key and API secret (HMAC authentication) for some domains
  • Add two-factor authentication for certain accesses.

I don’t believe in Santa Claus except when I’m good, so I’m fine if some of my prerogatives aren’t satisfactory.

And is it complex to set up all those features? Am I gonna spend the rest of the year trying to set it up?

Thank you so much :slight_smile:

Well, ho ho ho, I think today just might be Christmas for you.

All of the items provided on your list are available in Keycloak except “Provide private API access…”

In general, the things you have listed are pretty easy to configure. Documentation for most of it can be found in these two places:
This forum is a good place to get answers to configuration questions. Try it yourself, post some detail on what’s going wrong, and you’ll likely get a helpful answer here.

Regarding the “Provide private API access…” feature, can you elaborate a bit? Keycloak has an extensive admin API, but the authentication isn’t “via API key and API secret (HMAC authentication)” but via client ID and secret. Documentation on that API is here:



I’m really enthusiastic about Keycloak.
Indeed, I did some tests with the Docker container and configured a Node.js server to serve static HTML/JS files and a public/private API.
Currently the client browser authenticates itself directly to the Keycloak server and it works like a charm => Keycloak looks neat! :smiley:

However, I’m a bit confused about the auth flow and configuration for my different clients, and this is also related to the “private API access” I was talking about. Let me explain…

  • Keycloak server is running under the subdomain auth.domain.a.
  • The Node.js server serves JS static files and the API from domain.a.
  • JS scripts in the client browser talk directly with auth.domain.a to log the user in via keycloak.js (email and identity provider auth) using the OpenID Connect protocol, and need to perform some requests to restricted API endpoints on domain.a.
  • Some client backend APIs, whose technology I don’t know (and it’s not an issue), must perform some requests to the restricted API on domain.a as well.
  • Some websites from domain.x must request some auth from auth.domain.a to be logged in to *.domain.x and *.domain.a (SSO), but this is not the subject for today :slight_smile:

Two things here (client browsers and external client backend API):

I’m trying to figure out how the Node.js server running under domain.a could verify whether the client browser is logged in to auth.domain.a, in order to restrict access to some API endpoints at domain.a, and here are the questions that come to mind:

  • What authentication data should the client browser provide to the Node.js API server (JWT access token?)
  • Should Node.js talk to Keycloak via the Keycloak admin API to verify the access token?
  • Does Node.js act as a registered client for Keycloak?
  • What authentication protocol should I configure for Keycloak’s Node.js client to elucidate this use case in general?

And to finish,

  • Which auth protocol should I use to restrict the Node.js API endpoints on domain.a, not for the client browser this time but for an external client API?
    I think the common way to secure an API is to provide them with an API key and API secret, but which auth protocol should be underneath?

It’s quite a lot of questions :stuck_out_tongue: and it shows the bag of knots that’s in my head when thinking about auth :sweat_smile: