I’d like to officially announce the new project I’m co-leading with Stian Thorgersen: Keycloak! Some of you may already have heard hints about this on the Resteasy dev list, but since July I’ve been working with some great Red Hat guys (Stian, Gabriel, Villiam, Bolek, Alexandre, and Marek) to put together an SSO solution for browser, social, and REST service applications. There is no release yet! But we’re getting close to releasing our first Alpha.
Check out our screencast presentation and demo of what we've got and what we're doing:
Here’s a list of features we have or are planning to add over the coming months.
- SSO and Single Log Out for browser applications
- Social Broker. Enable Google, Facebook, Yahoo, Twitter social login with no code required.
- Optional User Registration
- Password and TOTP support (via Google Authenticator). Client cert auth coming soon.
- OAuth Bearer token auth for REST Services
- Integrated Browser App to REST Service token propagation
- OAuth 2.0 Grant requests
- CORS Support
- CORS Web Origin management and validation
- Completely centrally managed user and role mapping metadata. Minimal configuration at the application side
- Admin Console for managing users, roles, role mappings, applications, user sessions, allowed CORS web origins, and OAuth clients.
- Deployable as a WAR, an appliance, or an OpenShift cloud service (SaaS).
- Supports JBoss AS7, EAP 6.x, and WildFly applications. Plans to support Node.js, Rails, Grails, and other non-Java applications.
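Two of the items above, bearer-token auth for REST services and CORS web-origin validation, are where a deployment most often goes wrong, so here is an added example of what a REST service has to check before it answers a cross-origin call. This is illustrative code written for this page, not Keycloak's own implementation: the client registry, the `https://portal.example.com` origins, the HMAC-signed `payload.signature` token format and the `account-service` audience are all constructed stand-ins for whatever the real server issues and manages. It also shows the prefix-match origin check that must be avoided next to the exact-match check that works.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample registry: one OAuth client and the exact web origins an
# administrator has allowed for it. Illustrative only, not Keycloak's data model.
CLIENTS = {
    "customer-portal": {
        "web_origins": {"https://portal.example.com", "https://portal.example.com:8443"},
    }
}

# Constructed signing key shared by the token issuer and the REST service.
# A simplified HMAC stand-in for the signature scheme a real SSO server would use.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, subject: str, roles, audience: str, ttl: int = 300, now=None) -> str:
    """Mint a compact signed bearer token of the form payload.signature (JWS-like, simplified)."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": "https://sso.example.com",  # constructed issuer name
        "azp": client_id,                  # client the token was issued to
        "sub": subject,
        "aud": audience,                   # the REST service that should accept it
        "roles": sorted(set(roles)),
        "iat": now,
        "exp": now + ttl,
    }
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_bearer(authorization, audience: str, now=None):
    """Return the claims if the Authorization header carries a valid bearer token, else None."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    token = authorization[len("Bearer "):].strip()
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison; a plain == would leak timing information about the signature.
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    claims = json.loads(_unb64url(body))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None  # expired
    if claims.get("aud") != audience:
        return None  # minted for some other service; do not accept it here
    if claims.get("azp") not in CLIENTS:
        return None  # unknown client
    return claims


def weak_origin_allowed(origin: str, client_id: str) -> bool:
    """The bug to avoid: a prefix match lets 'https://portal.example.com.evil.net' through."""
    return any(origin.startswith(allowed) for allowed in CLIENTS[client_id]["web_origins"])


def origin_allowed(origin, client_id: str) -> bool:
    """Exact match against the client's allow-list. Browsers serialise Origin in lowercase,
    so a byte-for-byte compare is correct; 'null' and '*' never match anything."""
    if not origin:
        return False
    return origin.strip() in CLIENTS[client_id]["web_origins"]


def cors_headers(origin, client_id: str) -> dict:
    """CORS response headers: echo the origin only when it is on the allow-list."""
    if not origin_allowed(origin, client_id):
        return {}  # the browser will block the response; never fall back to '*'
    return {
        "Access-Control-Allow-Origin": origin.strip(),
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must not serve one origin's response to another
    }


def handle_request(headers: dict, audience: str = "account-service", now=None):
    """Simulated REST endpoint: authenticate the bearer token first, then apply CORS policy."""
    claims = verify_bearer(headers.get("Authorization"), audience, now)
    if claims is None:
        return 401, {}
    cors = cors_headers(headers.get("Origin"), claims["azp"])
    if "Origin" in headers and not cors:
        return 403, {}  # cross-origin caller from an origin the client is not allowed to use
    return 200, cors
```

The order matters: the token tells the service which client is calling, and only then can the origin be checked against that client's own allow-list, which is what makes per-client origin management meaningful rather than one global list.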
We would love to see anybody interested drop by on the keycloak-dev email list. We're looking to do our first alpha release sometime before Christmas. The code was taken from the RESTEasy OAuth work I did earlier this year as well as the social broker service Stian Thorgersen and the portal team were prototyping early this year. We're also trying to leverage PicketLink where appropriate.
Dec 30, 2013 @ 03:38:34
Hi Bill,
This is a really good idea. Spent the entire weekend looking at solutions for Java Social Login and there are some decent ones out there (i.e. socialauth) but it is essentially libraries and does not provide OpenID Connect which to my understanding is OAuth2 + OpenID.
My question is, what's the reason for starting a new project instead of doing this via the picketlink project? You have stated that you plan to leverage Picketlink where appropriate, but cannot this be done within the picketlink project, as my understanding is that currently picketlink has good SAML functionality but not OAuth2/OpenID/OpenID Connect?
This is not a criticism but just trying to get a better understanding.
But +1 from me for this project and hopefully it will work well with JBossAS/WildFly.
I just downloaded the Alpha codebase/demos and will give it a try. At least the build worked without any issues after the initial download of the entire internet by Maven 🙂
Cheers
Travis
Dec 30, 2013 @ 22:08:05
Hi Bill,
Disregard my previous question. I went over the developer mailing list and now understand that KeyCloak is more than just another OAuth2 provider. This is the description that you provided in the mailing list.
“Keycloak is a central login service for one or more web applications and
web services. It also is a central place to manage what a logged in
user is allowed to do and what permissions the user has. It is a cloud
service that allows administrators to secure their web applications.”
Now it makes sense why it is a new project. All the best with the project.
Cheers
Travis
Jan 02, 2014 @ 15:19:04
Check out the screencasts I did at keycloak.org. I think you'll understand even more why this is a separate project from picketlink.
Jan 02, 2014 @ 20:00:28
Thanks Bill. Yes, I checked it out and also cloned the Alpha1 version and ran the example projects. I had a few issues with the Wildfly example and I will post my feedback to the keycloak user mailing list.