OpenID Connect is a specification for an auth protocol framework.
Keycloak is an SSO solution that is implemented on top of an auth
protocol framework. That being said...
OpenID Connect is an OAuth 2.0 extension. We are currently in the
process of providing minimal required support for OpenID Connect which
will allow us to claim we are an OpenID Connect provider. This was
actually very easy to do as Keycloak was already an OAuth 2.0 extension
and we were already using JWT, JWE, and JWS! We will implement additional
optional pieces of OpenID Connect that seem like a good fit for Keycloak
as time goes on too.
Neither OpenID Connect nor OAuth 2.0 defines an Access Token format, so we have
our own based on JWT. We added additional claims that specify role
mappings. Other extensions we have are a client REST API so that the
Keycloak server can do a remote logout, gather session stats, or push a
revocation policy. We might also piggyback additional information like
revocation policies with AccessTokenResponses. All legal and allowed in
the OpenID Connect specification.
On 2/27/2014 10:42 PM, J Coder wrote:
After spending some time reading about keycloak and the open id connect
specification (seems that it was just finalized yesterday), I am getting
the impression that keycloak and open id connect are competing
technologies. They seem very similar in implementation since they are
both built on top of OAuth 2 and JWT, while solving a similar problem,
which is that OAuth 2 on its own is an authorization framework and not
an authentication mechanism.
My assumptions could very well be incorrect, as I haven't spent enough
time digging into both offerings to assert the above with any sort of
certainty.
Bill (et al), would you kindly address my concerns as outlined above and
perhaps explain why they are or aren't competing technologies, how they
may complement each other or how they could be used together in either
an enterprise (closed environment) or web (open social environment) setting?
Thanks a lot for your time.
J
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
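Bill's reply above says the Keycloak access token is a JWT carrying extra claims for role mappings, signed as a JWS. As an added example that is not from this thread or from the Keycloak project, the Python below shows what a resource server has to do with such a token: pin the signing algorithm, check the signature, check `exp`, `iss` and `aud`, and only then read the roles out. It uses HS256 with a constructed shared secret purely to stay self-contained; the `realm_access`/`resource_access` claim layout, the issuer URL, the client id `inventory-app` and all sample values are assumptions, not anything stated in the thread.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HMAC secret for the example only. A real resource server would
# verify an RS256 signature against the realm's public key instead of holding
# a shared secret.
SECRET = b"example-only-hmac-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, secret: bytes = SECRET) -> str:
    """Produce a compact JWS (header.payload.signature) using HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, expected_iss: str, expected_aud: str,
                 secret: bytes = SECRET, now=None) -> dict:
    """Verify the signature and the standard claims; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm: trusting whatever 'alg' the token announces
    # (for instance "none") is a well-known verification mistake.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise ValueError("wrong audience")
    return claims


def roles_for(claims: dict, client_id: str) -> set:
    """Collect realm-wide roles plus the roles mapped for one client."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles |= set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles


# Constructed sample claims in an assumed Keycloak-style layout.
SAMPLE_CLAIMS = {
    "iss": "https://sso.example.test/auth/realms/demo",
    "sub": "constructed-user-id",
    "aud": "inventory-app",
    "exp": 1_700_000_600,
    "iat": 1_700_000_000,
    "realm_access": {"roles": ["user"]},
    "resource_access": {"inventory-app": {"roles": ["inventory-reader"]}},
}


def demo():
    """Sign the sample claims, verify the token at a fixed time, and return the roles."""
    token = sign_token(SAMPLE_CLAIMS)
    claims = verify_token(token, SAMPLE_CLAIMS["iss"], "inventory-app", now=1_700_000_100)
    return sorted(roles_for(claims, "inventory-app"))


if __name__ == "__main__":
    print(demo())
```

The verifier deliberately takes `now` as a parameter so the expiry check can be exercised deterministically; in production it falls back to the wall clock. The audience check accepts either a single string or a list, since JWT allows both forms for `aud`.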