Keycloak

Keycloak is an open-source identity and access management (IAM) server that provides authentication, authorization, and user management for modern applications and services.

  • Centralized authentication and Single Sign-On (SSO) for applications and services (identity and access)
  • Support for OpenID Connect (OIDC) and Open Authorization 2.0 (OAuth 2.0) protocols for identity and delegated authorization (security protocols)
  • Role-Based Access Control (RBAC) and fine-grained authorization services (access management)
  • User federation with external identity stores such as LDAP or Active Directory (directory integration)
  • Extensible realm, client, and user management with admin console and APIs (IAM administration)

More About Keycloak

Keycloak is an open-source identity and access management (IAM) platform designed to provide centralized authentication, authorization, and user management for web, mobile, and service-oriented applications. It addresses requirements around SSO, secure access to APIs, and integration with enterprise directories and external identity providers. Organizations use Keycloak to externalize security logic from individual applications and enforce consistent access control policies across distributed systems.

Keycloak implements OIDC (identity and access) and OAuth 2.0 (authorization) as its primary protocols, enabling standards-based authentication flows and delegated access to APIs. It issues security tokens, such as JSON Web Tokens (JWTs), that applications and services can validate to establish user identity and permissions. Through support for various grant types and flows, it can secure browser-based applications, single-page applications, native mobile apps, and Machine-to-Machine Communication (M2M).

Within Keycloak, the core organizational construct is the realm (IAM tenancy), which defines a security boundary for users, clients, roles, and identity settings. Realms contain clients (application integration) that represent applications or services, each configured with redirect URIs, protocol settings, and credential handling. RBAC (authorization management) is provided through realm roles and client roles, which can be assigned to users and groups. Keycloak also offers an authorization services module (policy-based access control) for fine-grained permissions on protected resources using policies and permission definitions.

For user management (user directory and lifecycle), Keycloak maintains user accounts with attributes, credentials, and group memberships, while also supporting user federation (directory integration) with existing LDAP or Active Directory servers. It can broker identity (identity federation) from external identity providers, enabling login via OIDC or SAML-based providers where configured. Administrators manage configuration through a web-based admin console and Representational State Transfer (REST) APIs (administration and automation), covering realms, clients, roles, users, groups, and identity providers.

In enterprise environments, Keycloak commonly runs as a containerized service (platform integration) or within Java application server stacks, fronting internal and external applications. It integrates with reverse proxies and Application Programming Interface (API) gateways (application security) to provide centralized login, session management, and token issuance. The project provides adapters and libraries for various frameworks and languages, though applications can also integrate directly via OIDC and OAuth 2.0 standards. This positions Keycloak in the directory as an identity and access management server (security infrastructure) focused on SSO, token-based security, and policy-driven authorization for distributed application architectures.