
Evaluate Keycloak as identity and access management solution
Open, Normal, Public

Description

Keycloak is an open source identity and access management solution. It's the upstream for Red Hat IdM.

It seems fairly comprehensive, as it can:

  • connect to an LDAP directory
  • expose an LDAP interface so applications can authenticate users
  • offer SAML, a more modern way to do so
  • expose OIDC (OpenID Connect)

The scope of the evaluation would be:

  • do we need our own LDAP? (probably yes, to avoid vendor lock-in)
  • how to install and secure Keycloak?
  • how to connect applications and services to Keycloak?
  • can Keycloak be a source of truth for SSH keys? Is that desirable?
  • what UI do we expose to end users? Keycloak directly? A UI linked to the Keycloak API? A UI linked to an LDAP directory or database, independent of Keycloak (to avoid vendor lock-in)?
  • how to manage multiple accounts?

Keycloak official site: https://www.keycloak.org/


Event Timeline

dereckson triaged this task as Normal priority. Feb 16 2023, 19:20
dereckson created this task.
dereckson mentioned this in Unknown Object (Maniphest Task). Feb 16 2023, 19:30
dereckson mentioned this in T905: UndoStack.
dereckson moved this task from Backlog to Current focus on the Product evaluation board.

Assigning per previous comment: @MoustaphaAs is currently working on this.