Is Keycloak overkill for our use case?

The concise ask is:

  • Is Keycloak appropriate to use as the foundation for Authentication and Authorization with user-configurable integration with various Enterprise SSO platforms for a containerized free software Java-based web application?

The full story:
We have an n-tier Java web application that was initially built with a very barebones in-house authentication provider. Some time ago we switched to using Apereo CAS with the expectation that we might be providing identity to a number of services, with our application as the identity source. Requirements have since changed, and our application is now delivered and installed in a more typical “deploy on premise and integrate with existing enterprise SSO” fashion. CAS is too heavy for this, and it seems to really be meant to be the identity provider/base for SSO of multiple consumers. The file-based configuration is difficult, and the documentation has been tough for us to follow when things don’t go exactly as planned.

Our challenge is now deciding which security library or identity and access management tool to use. Our product is free software and often deployed in environments without external connectivity, so we’re not interested in Auth0/Okta type approaches, other cloud providers, or social logins.

We’re leaning towards one of two approaches:

  • The more difficult approach is finding various SSO integration libraries, possibly using Pac4J, rolling our own UI for common SSO configurations like Azure AD/Office 365, Ping, and ADFS. Then we’d be building out something to handle AD grants and groups for determining Authorization to protected resources.

  • The preferred approach is finding a tool/service that we can distribute with our application that helps us solve some parts of user management and SSO configuration.

From our research so far Keycloak seems to fit the bill well for the latter. I’m just trying to make sure I’m understanding correctly and we would not be misusing it or distributing something overly heavy for what we’re looking to do.
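To make the “preferred approach” concrete, here is what the Keycloak side of it looks like: a realm-import fragment that registers two enterprise identity providers (Azure AD over OIDC, ADFS over SAML) and maps a directory group claim/attribute from each onto a realm role that the application can then check. This is an added example written for this page, not configuration from the original post or from the Keycloak project; every URL, client ID, tenant ID, group name and role name in it is a placeholder chosen for illustration, and the exact set of mapper config keys should be confirmed against the Keycloak version being shipped.

```json
{
  "realm": "example-app",
  "enabled": true,
  "roles": {
    "realm": [
      { "name": "app-admin", "description": "Placeholder role checked by the application for admin pages" },
      { "name": "app-user",  "description": "Placeholder role for ordinary signed-in users" }
    ]
  },
  "identityProviders": [
    {
      "alias": "azure-ad",
      "displayName": "Azure AD / Office 365 (placeholder tenant)",
      "providerId": "oidc",
      "enabled": true,
      "trustEmail": false,
      "storeToken": false,
      "firstBrokerLoginFlowAlias": "first broker login",
      "config": {
        "authorizationUrl": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize",
        "tokenUrl": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
        "jwksUrl": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys",
        "useJwksUrl": "true",
        "validateSignature": "true",
        "clientId": "placeholder-azure-client-id",
        "clientSecret": "placeholder-azure-client-secret",
        "defaultScope": "openid profile email",
        "syncMode": "FORCE"
      }
    },
    {
      "alias": "adfs",
      "displayName": "ADFS (placeholder on-premise instance)",
      "providerId": "saml",
      "enabled": true,
      "trustEmail": false,
      "firstBrokerLoginFlowAlias": "first broker login",
      "config": {
        "singleSignOnServiceUrl": "https://adfs.example.internal/adfs/ls/",
        "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "principalType": "SUBJECT",
        "validateSignature": "true",
        "wantAuthnRequestsSigned": "true",
        "signingCertificate": "PLACEHOLDER-BASE64-ADFS-TOKEN-SIGNING-CERT",
        "syncMode": "FORCE"
      }
    }
  ],
  "identityProviderMappers": [
    {
      "name": "azure-admins-group-to-role",
      "identityProviderAlias": "azure-ad",
      "identityProviderMapper": "oidc-role-idp-mapper",
      "config": {
        "claim": "groups",
        "claim.value": "11111111-1111-1111-1111-111111111111",
        "role": "app-admin",
        "syncMode": "FORCE"
      }
    },
    {
      "name": "adfs-admins-group-to-role",
      "identityProviderAlias": "adfs",
      "identityProviderMapper": "saml-role-idp-mapper",
      "config": {
        "attribute.name": "http://schemas.xmlsoap.org/claims/Group",
        "attribute.value": "App Administrators",
        "role": "app-admin",
        "syncMode": "FORCE"
      }
    }
  ]
}
```

Two points worth noting for an air-gapped, on-premise deployment: every URL above must be reachable from the Keycloak container (not from the end user’s browser alone), and `validateSignature` stays `"true"` for both providers, since disabling it to get past a certificate problem would let anyone mint assertions for the realm. Each new customer site only changes the `identityProviders` and `identityProviderMappers` sections, which is exactly the “user-configurable SSO” the question is after; the application itself only ever sees Keycloak roles such as `app-admin`, never the upstream group IDs.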

I am not 100% sure, as I don’t know all the requirements of your use-cases etc. But from what you mentioned, Keycloak might be a good fit for you. If I were you, I would surely try to investigate Keycloak a bit deeper. I suggest taking a look at the Keycloak Getting Started guide and then possibly continuing with some Keycloak quickstarts or more advanced documentation. This may show you whether Keycloak is ideal or not for your deployment.

Marek