August 11, 2015
Keycloak, oauth, security, Webservices
Back in 2012, I wrote about my concerns with the proliferation of WebSockets. Since WebSockets is basically just a mechanism to establish a raw socket connection and a simple protocol to send packets, potentially every application has a different communication protocol.
We recently ran into the problem of how to secure WebSockets in a token-based architecture. While we can write helper libs on the client and server side that exchange the token on WebSocket setup, there’s a problem with token expiration. Each application (or WebSocket framework) would have to build in a way to notify the client that the token has expired, and provide a way for the client to retransmit a new refreshed token. It is already a maintenance nightmare to support basic web security and client adapter support for the various servlet engines. We would now have to multiply that by the number of WebSocket frameworks.
Basically, it is hard, if not impossible, for projects like Keycloak to provide out-of-the-box support for securing WebSockets. Anybody know if HTTP/2 could replace WebSockets? I haven’t dived into the protocol yet, and my understanding is that its biggest advantage is pipelining HTTP requests.
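A sketch of the exchange the post describes (token sent at WebSocket setup, server re-checks expiry per frame and answers with a "token expired" frame, client refreshes and retransmits), as an added example that is not Keycloak code and not from the original post. It assumes a toy HMAC-signed token with an `exp` claim and in-memory `handle`/`send` calls standing in for WebSocket frames; the `refresh` callable stands in for the token-refresh request to the identity provider.

```python
import base64, hashlib, hmac, json

# Constructed demo secret; a real server would verify the identity provider's signature instead.
SECRET = b"demo-secret-not-for-production"

def mint_token(sub, exp):
    """Toy bearer token: base64url(JSON claims) '.' base64url(HMAC-SHA256 over the claims)."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": sub, "exp": exp}).encode())
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return payload.decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token, now):
    """Return the claims if the signature is valid and the token is unexpired at `now`, else None."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, AttributeError):
        return None

class WsServer:
    """One connection's server-side handler: remembers the token sent at setup and
    re-checks its expiry on every frame, answering with a 'token_expired' frame."""
    def __init__(self):
        self.token = ""
    def handle(self, frame, now):
        if frame["type"] == "auth":                 # token exchanged on WebSocket setup
            self.token = frame["token"]
            return {"type": "auth_ok"} if verify_token(self.token, now) else {"type": "token_expired"}
        if verify_token(self.token, now) is None:   # expiry checked per frame, not just at setup
            return {"type": "token_expired"}
        return {"type": "echo", "data": frame["data"]}

class WsClient:
    """Client side: on 'token_expired', fetch a refreshed token, re-authenticate, and retry the frame."""
    def __init__(self, refresh):
        self.refresh = refresh                      # stands in for the token-refresh call to the IdP
        self.token = refresh()
    def send(self, server, data, now):
        reply = server.handle({"type": "data", "data": data}, now)
        if reply["type"] == "token_expired":
            self.token = self.refresh()
            server.handle({"type": "auth", "token": self.token}, now)
            reply = server.handle({"type": "data", "data": data}, now)
        return reply
```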
December 6, 2014
A lot of new features this release.
- Tomcat 6, 7, and 8 adapters
- Jetty 8.1, 9.1, and 9.2 adapters
- HTTP Security Proxy, based on Undertow, for platforms that don’t have an adapter.
- Wildfly subsystem for the auth server. Allows you to run Keycloak in domain mode to make it easier to run in a cluster.
Hope to do 1.1.0.Final sometime end of January. See http://keycloak.org for more details.
November 5, 2014
java, javaee, JAX-RS, jboss, Keycloak, oauth, openid connect, SAML, SSO
(Copied from Stian’s announcement) Pretty big feature release:
- SAML 2.0 support. Keycloak already supports OpenID Connect, but with this release we’re also introducing support for SAML 2.0. We did this by pulling in and building on top of Picketlink’s SAML libraries.
- Vastly improved clustering support. We’ve also significantly improved our clustering support, for the server and application adapters. The server can now be configured to use an invalidation cache for realm meta-data and user profiles, while user sessions can be stored in a distributed cache, allowing for both increased scalability and availability. Application adapters can be configured for either sticky sessions or, if sticky sessions are not available, stateless operation. We’ve also added support for nodes to dynamically register with Keycloak to receive, for example, logout notifications.
- Adapter multi-tenancy support. Thanks to Juraci Paixão Kröhling we now have multi-tenancy support in application adapters. His contribution makes it easy to use more than one realm for a single application. It’s up to you to decide which realm is used for a request, but this could for example be depending on domain name or context-path. For anyone interested in this feature there’s a simple example that shows how to get started.
- Tomcat 7 Adapter. A while back Davide Ungari contributed a Tomcat 7 application adapter for Keycloak, but we haven’t had time to document, test and make it a supported adapter until now.
The next release of Keycloak should see the introduction of more application adapters, with support for JBoss BRMS, JBoss Fuse, UberFire, Hawt.io and Jetty.
For a complete list of all features and fixes for this release, check out JIRA.
I’d like to especially thank all external contributors; please keep contributing! For everyone wanting to contribute to Keycloak: don’t hesitate, it’s easy to get started and we’re here to help if you need any pointers.
September 17, 2014
java, javaee, JAX-RS, REST, RESTEasy
I really want to thank Ron Sigal, Weinan Li, and the rest of the Resteasy community for having my back the last 5 months while I was focused on other things. Thanks for your hard work and patience. 3.0.9.Final is a maintenance release. There are a few minor migration notes you should read before you upgrade, but most applications shouldn’t be affected. We’ll try and do another maintenance release in like 6-8 weeks. Check out resteasy.jboss.org for download links, jira release notes, and documentation.
September 10, 2014
java, javaee, JAX-RS, jboss, Keycloak, oauth, openid connect, opensource, REST, security, SSO
After 1 year of hard work, the team is proud to release our first final 1.0 release of Keycloak. We’ve stabilized our database schemas, improved performance, and refactored our SPIs and you should be good to go! I don’t want to list all the features, but check out our project website at http://keycloak.org for more information. You can find our download links there as well as screen cast tutorials on our documentation page.
Keycloak 1.1 will be our integration release, where we start bringing Keycloak to different protocols, projects, and environments. Here’s a priority list of what we’re tackling:
- SAML 2.0 – by merging with Picketlink IDP
- Uberfire/BRMS adapter
- Fuse FSW adapter
- EAP 6.x and Wildfly console integration
- Tomcat 7 adapter
- …More planned, but we’ll see how fast we can move before we announce anymore
In parallel, we hope to look into a few new features:
- TOTP Improvements like allowing multiple token generators
- IP Filtering