Page MenuHomeDevCentral

Evaluate Keycloak as identity and access management solution
Open, NormalPublic

Description

Keycloak offers an open source identity and access management solution. It's the upstream for RedHat IdM.

It seems fairly comprehensive as:

  • able to connect to a LDAP
  • expose a LDAP to help applications to authenticate users
  • offer SAML, a more modern way to do so
  • expose OIDC (OpenID connect)

The scope of evaluation would be:

  • do we need our own LDAP? (probably so not to be vendor-locked)
  • how to install and secure Keycloak?
  • how to connect applications and services to Keycloak?
  • can Keycloak be a source of truth for SSH keys? Is that desirable?
  • what UI do we expose to end users? Keycloak directly? an UI linked to Keycloak API? An UI linked to a LDAP or database, independent of Keycloak (not to be vendor-locked)?
  • how to manage multiple accounts?

Keycloak official site: https://www.keycloak.org/

Related Objects

Mentioned In
T1791: Refresh Sentry installation
T338: Authenticate users against GitHub
T271: Deploy Auth Grove to login.nasqueron.org
T475: [Login capability] Discourse
T344: Convert forum.nasqueron.org accounts into Nasqueron accounts
T343: Provide a migration path from Espace Win accounts to Nasqueron accounts
T349: Add Wikimedia OAuth2 registration capability
T885: Offer a recover password feature for mailboxes
T270: Implement SSO on forum.nasqueron.org
T1472: Provide a 301 redirect for /.well-known/change-password
T468: Add account reset feature
T345: Add registration capabilities
T476: Implement subaccounts
T828: Implement local storage features
T336: Add login capabilities through external services
T480: CLI commands to manage accounts
T339: Authenticate users against Facebook
T341: Authenticate users against BitBucket
T342: Authenticate users against Google
T348: Allow user accounts provisioning
T340: Authenticate users against Twitter
T1501: Follow Chromium guidelines for password form fields
T1399: Migrate from globalfunctions to OmniTools
T477: E-mail processing for subaccounts
T471: Password reset token is only verified after a form with password is submitted
T1172: Generate HTML responsive transactional mails
T472: [Route] Print an error message on /auth/reset instead of return a 404.
T668: E-mail authentification
T366: Implement mailcheck to check current mail error at register time
T1471: Set background-size cover CSS attribute to background images
T347: Allow to register an account through a social login
T337: Authenticate users through OpenID
T478: Validate e-mail addresses
T1439: [Tests] Ensure tests have a database ource
T1440: [Tests] Review installation procedure
T879: l10n: plural support
T905: UndoStack
T481: [CLI] Create new account
T877: Validation rules hardcode 8 characters requirement for passwords
T1438: Fix tests to allow coverage reports for Laravel applications

Event Timeline

dereckson triaged this task as Normal priority.Feb 16 2023, 19:20
dereckson created this task.
dereckson mentioned this in Unknown Object (Maniphest Task).Feb 16 2023, 19:30
dereckson mentioned this in T905: UndoStack.