March 12, 2014
Keycloak, oauth, openid connect, security, SSO
Another big feature release for Keycloak. As usual, go to keycloak.org to find documentation and download links. Here are the highlights of Alpha 3:
- Minimal support for OpenID Connect. Claims like email, full name, etc. can now be transmitted and viewed via the ID Token passed after login.
- Configurable allowed claims. Which identity claims are included in ID and access tokens can be configured per application or OAuth client within the admin console.
- Remote logout and session stats available from management console
- Refresh token support
- Not-before revocation policy. You can set it per realm, OAuth client, or application. Policies are pushed to applications that have an admin URL.
- Fine-grained admin console permissions and roles. You can now specify which realms a master user is allowed to create, view, or edit. An awesome side effect of this is that if you enable registration in the master admin realm and set a default global role of create-only, Keycloak can become a SaaS for SSO.
- Installed Application feature to support non-browser applications that want to use Keycloak
- You can now add social network links through account management
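As an added illustration of two of the items above, per-application allowed claims and the not-before revocation policy, here is a small Python model; it is not Keycloak's code, and the application names, user record and timestamps are constructed.

```python
# Constructed sample data, not Keycloak's own configuration: the identity
# claims each application is allowed to receive in its ID token.
ALLOWED_CLAIMS = {
    "shop-app": {"sub", "email", "name"},
    "audit-app": {"sub"},
}

# Constructed sample: not-before timestamps per realm and per application.
# 0 means no revocation policy is in effect for that scope.
NOT_BEFORE = {"realm": 0, "shop-app": 0, "audit-app": 0}

# Constructed user record; "phone" is not an allowed claim for any app above.
USER = {"sub": "u-123", "email": "alice@example.com", "name": "Alice",
        "phone": "555-0100"}


def build_id_token(app, user, issued_at, lifetime=300):
    """Return an ID-token payload carrying only the claims allowed for app."""
    payload = {k: v for k, v in user.items() if k in ALLOWED_CLAIMS[app]}
    payload.update({"aud": app, "iat": issued_at, "exp": issued_at + lifetime})
    return payload


def revoke_tokens(scope, at):
    """Set a not-before policy: tokens for scope issued before `at` are rejected.

    scope is "realm" (affects every application) or an application name.
    """
    NOT_BEFORE[scope] = at


def effective_not_before(app):
    """The strictest policy wins: the later of the realm and app timestamps."""
    return max(NOT_BEFORE["realm"], NOT_BEFORE.get(app, 0))


def validate(token, now):
    """Accept a token only if it is unexpired and was issued at or after the
    effective not-before for its audience."""
    if token["exp"] <= now:
        return False
    return token["iat"] >= effective_not_before(token["aud"])
```

Pushing a not-before policy to a deployed application amounts to updating its copy of the timestamps so that tokens minted before the incident are refused without any per-token blacklist.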
Our next release will be Beta-1 and will be our last big feature release. One of the features we want to add is support for using an existing LDAP/Active Directory server. We’re going to take a look at the PicketLink IDM API for this. We also need more fine-grained support for importing and exporting various pieces of the Keycloak database. That’s minimally what we want to get in. We’re looking at a May timeframe for this release, as in April many of us will be busy with Red Hat Summit.
March 10, 2014
I’ll be doing a talk on Keycloak April 17th at DevNation in San Francisco. DevNation is running at the same time as Red Hat Summit and JUDCon. I should be around earlier in the week too. For those that suffer through all my “errs” and “uhms”, I’ll be giving away 2 copies of RESTful Java with JAX-RS 2.0. Hopefully that’s enough of a bribe to come and listen! If anybody wants to talk RESTEasy or Keycloak earlier in the week, ping me on the keycloak-dev list.
February 27, 2014
John Ament, a long-time lurker on the resteasy-dev list, has put together a lightweight combination of Undertow + RESTEasy + Weld called Hammock. We’ve gotten in some PRs from him to help make this a reality, and hope to get more. I’m hoping somebody puts together this combination with Netty too and contributes it.
February 20, 2014
Check out the new Keycloak Blog for details.
January 26, 2014
- Waterproof iPhone. Lost 2 iPhones last year to water damage. Got so pissed I switched to the Galaxy 4 to get a waterproof phone. Android was a piece of shit, I couldn’t get used to it. After 2 months I went back to the iPhone. (The form factor of the Galaxy 4 is kinda cheap too, but that wasn’t why I went back).
- Bigger iPhone display. Only thing I liked about the Galaxy 4.
- Solar-paneled iPhone. Never got this iPhone accessory, but I thought it was way cool. Seems that Apple might think a solar-powered iPhone would be cool too.
- iCar. I’ve owned some nice cars since the acquisition. Still, I think their functions are weak. I’d like to be able to plug my iPhone into the car’s USB port and have it drive all display functions in the car. I’d like to be able to use Siri from my steering wheel.
What I don’t care about is: iWatch, watches are so 1900s. iGlasses, WTF is Google thinking? iTV, I own a smart TV, still haven’t used any of its features.
January 23, 2014
jboss, Keycloak, opensource, REST, security, SSO, wildfly
Keycloak is an SSO authentication server and appliance for securing web applications and RESTful web services. After 7 months of hard work, the Keycloak team (Bill Burke, Stian Thorgersen, Gabriel Cardoso, Viliam Rockai, Alexandre Mendonca, and Bolesław Dawidowicz) is proud to announce our first release, Alpha-1! There’s still a lot to do, but there are a lot of features you can try out. Besides written documentation, we’ve put together a bunch of video screencasts that you can view to learn and experience the features of Keycloak.
These are some of the core features of Keycloak:
- SSO and Single Log Out for browser applications
- Social Broker. Enable Google, Facebook, Yahoo, Twitter social login with no code required.
- Openshift Quick Start so you can deploy Keycloak on the cloud
- Optional User Registration
- Password and TOTP support (via Google Authenticator). Client cert auth coming soon.
- Forgot password management
- OAuth Bearer token auth for REST Services
- Integrated Browser App to REST Service token propagation
- OAuth 2.0 Grant requests
- CORS Support
- CORS Web Origin management and validation
- Completely centrally managed user and role mapping metadata. Minimal configuration at the application side
- Admin Console for managing users, roles, role mappings, applications, user sessions, allowed CORS web origins, and OAuth clients.
- Deployable as a WAR, appliance, or on Openshift.
- Supports JBoss AS7, EAP 6.x, and WildFly applications. Plans to support Node.js, Rails, Grails, and other non-Java applications
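An added example, not part of the Keycloak project, of the web-origin validation the CORS items above refer to: allowed origins are kept centrally per application (the application name and origins are constructed), and only an exact match on a normalized origin is echoed back to the browser.

```python
from urllib.parse import urlsplit

# Constructed sample, not Keycloak's own configuration: the web origins an
# admin has allowed for each application.
WEB_ORIGINS = {
    "shop-app": {"https://shop.example.com", "https://www.example.com"},
}


def normalize_origin(origin):
    """Return scheme://host[:port] in lower case, or None if the value is not
    a bare origin (a browser never sends a path, query or fragment here)."""
    parts = urlsplit(origin)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def cors_headers(app, request_origin):
    """Return the CORS response headers for a request from request_origin, or
    an empty dict (no CORS headers at all) if the origin is not allowed.

    The comparison is an exact set lookup on purpose: prefix or substring
    matching would wrongly accept an origin like shop.example.com.evil.example.
    """
    origin = normalize_origin(request_origin)
    if origin is None or origin not in WEB_ORIGINS.get(app, set()):
        return {}
    return {
        # Echo the specific origin; a wildcard is not valid with credentials.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Responses differ per origin, so caches must key on the Origin header.
        "Vary": "Origin",
    }
```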
Go to the Keycloak website and follow the links to download, view documentation and videos, browse our source code, and submit bugs.
As I said before, there’s still a lot to do, but here’s some things that will get in sooner rather than later:
- Stan Silvert has written a WildFly subsystem for Keycloak that didn’t get into the Alpha 1 release. When we get this in, it will be super easy to secure web applications within a WildFly environment. You won’t have to crack open your WARs to add Keycloak configuration, and enabling Keycloak security may be as easy as doing a few clicks in the admin console.
- Storage protection. We’ll be adding support for more secure password hashing as well as storage encryption capabilities for the Keycloak database. It’s uber important to have a 2nd level of defense against hacks.
- Revocation policies. We need to be able to expire all tokens just in case somebody gets hacked, and to broadcast this information to deployed applications.
- User session management. This will allow you to view which users are logged in and give you the ability to log out one or more users.
- Composite roles. This will be the concept of a role group. This will make it easier to change role mappings for a large set of users.
Finally, I want to give a huge thank you to everybody that helped make this release possible (Stian Thorgersen, Gabriel Cardoso, Viliam Rockai, Alexandre Mendonca, and Bolesław Dawidowicz). Especially Stian for being such a great co-lead and Gabriel for doing such awesome design work. This has been the best team I’ve been on since the good old JBoss Group days years and years ago, pre-acquisition when JBoss was young.
December 19, 2013
Tim might be upset with me sharing the costs, but in my research it was kind of hard to find hard numbers and you should really know what you’re getting into before you waste people’s time. The initial quote did not include electrician work nor yard work.
- $48,500 for the drilling, ductwork, old system removal, and the ClimateMaster units. Remember, our home was 4000 square feet and required two ClimateMaster units. Your home, if smaller, could be less drilling and 1 less unit.
- Roughly $2000 for the electrical work which was not included in the quote
- Roughly $2000 for the yard work to replace bushes and rake and loam the damaged property.
- All this is covered by the Federal 30% Tax Credit! (Credit, not deduction), so the net install cost was around $37,000.
Performance and Savings
Early, but not complete, returns are in. Over the summer, compared to last year, it looked like I used 20-25% less electricity than the same months of the previous year, comparing 2012 to 2013. My November 15th-December 15th electricity usage (3205 kWh) was about 2.5 times more than the same time period last year (1300 kWh). Our total electric bill for this period was $320, so you figure about $200 for heating over that decently cold time period.
January and February 2014 were the most brutally cold months we’ve had in years and years. Sub-zero (below 0 degrees Fahrenheit) temperatures for often days at a time, and I don’t think we had a day warmer than 20F. The system has 3 modes of heating: Heating 1, which is ultra efficient; Heating 2, which is full capacity; and Heating 3, which is auxiliary heating that uses additional full electricity to generate heat. The auxiliary, 3rd-stage heat kicked in a few times when it was negative temperatures. Still, with our geo system we were paying about $400-$500 a month. Compared to the previous year (which was much warmer), we were paying > $1000 per month in oil for January and February.
Our total oil heating bill generally averaged about $4000 per year (October-April). So, for a nice SWAG, you figure we’re saving about $3000 per year if you include the summer months’ savings too. At today’s prices, the payoff for the system is about 12 years. BUT…because my old system was so old and needed replacing anyways, I factor that cost into the equation as well, so the payoff is probably even shorter.