Hi all,
I am doing research on the adoption of Keycloak.
Background: my company is a healthcare company (managing many hospitals
and operating 24x7x365) that runs hundreds of in-house developed
systems, as well as some acquired 3rd-party products.
Currently, the in-house developed systems have their own
authentication/authorization mechanisms, mostly:
1. user credentials & attributes stored in a DB
2. Active Directory for authentication and a DB for user attributes
There is dedicated support staff for the maintenance and support of each
system, and when downtime is required, support will liaise with users to
arrange for it. There won't be a period during which all systems can be
down for maintenance.
To reduce the repeated effort spent on authentication and authorization for
each system, I am checking whether we can adopt Keycloak to help,
especially with:
1. OpenID Connect 1.0 + JWT (to achieve single sign-on in the future)
2. OAuth 2.0 (password grant) + JWT (seems to be a good path for legacy app
migration)
3. SAML2/Kerberos [mainly for backward compatibility / integration with
other parties]
My concerns about Keycloak adoption are:
1. Is Keycloak flexible enough to be extended to cater for different
authentication requirements? We will definitely be requested to support
custom or standard authentication (e.g. specialized login form, FIDO2, RSA
hardware token, trusted device check, etc.).
Though there is a developer guide, I found there is not much
information about:
  1. Keycloak's internal architecture or login/system flow, which would be
  useful for developers to learn how to extend Keycloak
  2. how to create a custom login form (the Keycloak theme is not suitable
  for internal use; I want to write my own login form)
2. For high availability, in my company the Keycloak service needs to be
deployed to 2 or more datacenters. Can you share your experience of
Keycloak high availability (in terms of maintenance and setup, stability,
performance, ...)?
3. After adoption of Keycloak, all systems will make use of/depend
on it. I am worried about system updates/patching, as we cannot have a
period to shut down all Keycloak instances for upgrade/patching (which would
impact ALL systems, vs. currently, where individual systems being down for
maintenance have a smaller impact on hospital operations).
Can you share your experience of system upgrades/patching? Do you have
experience updating Keycloak without downtime?
4. For version upgrade considerations, where can I find the known security
issues/vulnerabilities of each Keycloak version?
5. In Keycloak, what is the recommended way to restrict who (users from
Active Directory) can log in to which application? Use a separate realm for
each application?
Thank you.