Is keycloak the right option for me?

Looking for advice:

I am interested in keycloak because I want an authn&authz server that can be safely accessed from the internet for a small number of users. It will provide services to exim (smtp), dovecot & roundcube, and potentially several websites. I am however not familiar with all the concepts and terminology in this area.

I can see that keycloak has features to store user credentials and implement authorization. However I am a lot less clear how I would connect it to dovecot, exim or a website without a lot of development work.

Am I using a screwdriver to hit a nail?

[Both dovecot and exim have auth functions including sql access and IIRC ldap. Currently I am using a mysql table for this.]

It’s worthwhile reading up on OpenID Connect and the Keycloak Securing Applications and Services Guide.

In general, Keycloak is a great tool for authentication (and in some cases authorization) for a number of applications. However, the issue is whether or not the applications you need to secure will lend themselves to protection with OpenID Connect (or in some cases SAML). If not, as you have observed, there might be a lot of development work involved.


Similar query from me for dovecot and exim.
Is there any (positive or negative) experience within the community of using Keycloak to provide 2FA for users of exim and dovecot?
Example client software is Alpine, Thunderbird and K9Mail.
Thank you.

While there is xoauth2 to provide login capabilities via dovecot, the userdb won’t work that way, so you’ll still need some other means to provide a list of managed users/mail addresses.

Also, the xoauth2 support situation isn’t great. K9Mail, Roundcube and Thunderbird all support it in theory (thanks to Google, Microsoft and co. pushing for it), but support for individual providers is difficult.
I currently only watch Thunderbird, but the situation is bleak. Adding your own provider won’t work without code changes, and the devs haven’t shown any interest so far in implementing the corresponding autodiscovery RFC.
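To make the split described in the post above concrete (token validation handled by the IdP, user enumeration still handled by your own store), here is an added configuration example; it is not from the original post or from the Keycloak or Dovecot projects. It assumes Dovecot 2.3’s `oauth2` passdb driver, a recent Keycloak (introspection endpoint without the old `/auth` path prefix), and placeholder values for the Keycloak host (`sso.example.org`), realm (`mail`), client id (`dovecot`) and client secret. The existing MySQL table from the question is kept as the `userdb`, and as a password `passdb` for clients that cannot speak XOAUTH2.

```conf
# /etc/dovecot/conf.d/10-auth.conf (excerpt)
# Advertise the OAuth2 SASL mechanisms next to PLAIN/LOGIN so clients that
# cannot do XOAUTH2/OAUTHBEARER still authenticate against the SQL passdb.
auth_mechanisms = plain login oauthbearer xoauth2

# passdb 1: Keycloak decides whether the presented access token is valid.
# Only OAUTHBEARER/XOAUTH2 logins are routed here.
passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}

# passdb 2: password logins keep using the existing MySQL table.
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# userdb: a valid token only proves who the user is. Mailbox location,
# uid/gid and quota still come from your own user store, which is also what
# enumerates the managed mail addresses.
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# /etc/dovecot/dovecot-oauth2.conf.ext
# Validate tokens by calling Keycloak's RFC 7662 token introspection endpoint
# (host and realm are placeholders).
introspection_url = https://sso.example.org/realms/mail/protocol/openid-connect/token/introspect
introspection_mode = post
# Confidential client credentials used to authenticate the introspection
# request itself (placeholders; keep the secret out of world-readable files).
client_id = dovecot
client_secret = REPLACE_WITH_CLIENT_SECRET
# Reject tokens Keycloak reports as inactive (expired or revoked) and take the
# Dovecot login name from the preferred_username claim.
active_attribute = active
active_value = true
username_attribute = preferred_username
# CA bundle used to verify Keycloak's TLS certificate on the introspection call.
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
```

The value Keycloak returns in `preferred_username` has to match the key your SQL `userdb` query looks up, otherwise the token is accepted by the passdb but the user lookup fails. Because introspection happens on every login, revoking a session or disabling the user in Keycloak takes effect on the next IMAP/SMTP authentication rather than at token expiry, which is the property that makes the MFA enforced at the IdP meaningful for mail clients.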

Thank you, @ThoreKr. My main motivation is that even high-entropy passwords over TLS are increasingly insufficient for auditors, so finding some way to enhance SMTP and IMAP for exim and dovecot with MFA via something like Keycloak is a possible way forward. Either that or just give up on anything other than webmail…
I’ll try to find time to set up some test environments.