[keycloak-user] keycloak and open id connect

Bill Burke bburke at redhat.com
Fri Feb 28 08:58:42 EST 2014


OpenID Connect is a specification for an auth protocol framework. 
Keycloak is an SSO solution that is implemented on top of an auth 
protocol framework.  That being said...

OpenID Connect is an OAuth 2.0 extension.  We are currently in the 
process of providing minimal required support for OpenID Connect which 
will allow us to claim we are an OpenID Connect provider.  This was 
actually very easy to do as Keycloak was already an OAuth 2.0 extension 
and were already using JWT, JWE, and JWS!  We will implement additional 
optional pieces of OpenID Connect that seem like a good fit for Keycloak 
as time goes on too.

Neither OpenID Connect nor OAuth 2.0 defines an Access Token format, so, we have 
our own based on JWT.  We added additional claims that specify role 
mappings.  Other extensions we have are a client REST API so that the 
Keycloak server can do a remote logout, gather session stats, or push a 
revocation policy.  We might also piggyback additional information like 
revocation policies with AccessTokenResponses.  All legal and allowed in 
the OpenID Connect specification.


On 2/27/2014 10:42 PM, J Coder wrote:
> After spending some time reading about keycloak and the open id connect
> specification (seems that it was just finalized yesterday), I am getting
> the impression that keycloak and open id connect are competing
> technologies. They seem very similar in implementation since they are
> both built on top of OAuth 2 and JWT, while solving a similar problem,
> which is that OAuth 2 on its own is an authorization framework and not
> an authentication mechanism.
>
> My assumptions could very well be incorrect, as I haven't spent enough
> time digging into both offerings to assert the above with any sort of
> certainty.
>
> Bill (et al), would you kindly address my concerns as outlined above and
> perhaps explain why they are or aren't competing technologies, how they
> may complement each other or how they could be used together in either
> an enterprise (closed environment) or web (open social environment) setting?
>
> Thanks a lot for your time.
>
> J
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

