I'm just starting a new project. The result will be an API server and a progressive web app. The API server is implemented with TypeScript and the NestJS framework, the client with Angular 6.

I've been flirting with Keycloak for some time. Still, I'm not quite sure it's right for me yet. But I don't want to worry about things like token renewal anymore and find it sexy that Keycloak tells me how to create user roles.

What bothers me is the following: integration. For my use case it is necessary that the login and all features like password reset and so on are part of my application. That means I want to create the forms myself in order to be able to do this perfectly in my own design and not have a second translation process, etc. Keycloak themes are not an option. So is it possible to hide Keycloak in such a way, or is it so complex that I shouldn't use Keycloak in the first place? Afaik there is already an issue with password resets: I can't request it from the user side but have to make a REST call to the admin endpoint, which is okay but not ideal since it requires me to do more server-side logic (and that is not why I want to use Keycloak).

In addition, Keycloak is too much about the GUI, which makes it difficult for me, especially during development. Because I also want to provide my team with a local instance of Keycloak during development. But what is the concept for importing the initial data (realms, apps and also users) into Keycloak? I found some JSON imports, but so far only for realms and apps. Is there also a function to import a whole dump?

So that my team builds on a pre-built setup and has a user for each role. A reproducible setup with Vagrant or Docker which contains the import of initial data - that would be the goal.

So in short my questions:

  1. Is it still worth the effort using Keycloak if I want to use everything via the API or should I simply use Passport and JWT?
  2. Can I have a reproducible setup during my development that includes realms, apps, users, user roles, etc?
CaKa
For the first, I would say... no, it isn't. Keycloak is aimed to do it well as long as you use the flows provided by the OIDC or SAML protocols. Attacking the API directly, you avoid fulfilling these flows. For the second, you've got two options: have a development instance on some of your org servers and use it for development, or, if you want to have a replica for each developer, use the MySQL Keycloak Docker image and copy the DB containing your dev environment to each of the dev workplaces. – Aritz Apr 02 '18 at 16:51

2 Answers

So, the question was asked a few months ago, but I was also faced with that question, and I wanted to answer it.

I think that you don't need Keycloak, it is good enough for you to use OAuth2 and JWT.

Let me justify my answer:

You have just one client - an Angular application. Keycloak is useful when you have many clients (web-js, mobile platforms) and you want to create and manage them dynamically. But, I think that, in your case, you will create your client once without modification in the future.

Also, Keycloak is very useful when you have a lot of integration with third-party systems (Google, Fb, Twitter, etc.) because Keycloak has them out of the box. Or if you need to integrate with some SAML or LDAP provider.

You may also want to use Keycloak, if you need some Identity and User management platform, and when you have complicated user access flow.

In the end, you could consider Keycloak if you need the SSO (Single Sign-On) feature. Once logged in to Keycloak, users don't have to log in again to access a different application. But, by your description, you have just one application.

catcoder
BSeitkazin
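What the "just use OAuth2 and JWT" route in this answer commits you to, as an added example that is not part of the answer or of any project: an HS256 issue/verify/renew routine in TypeScript on Node's built-in `crypto` module only, so the expiry and renewal handling the question asks about is spelled out rather than hidden in a library. The secret, the claim names and the function names are constructed for the demo; a real NestJS service would wrap `verifyToken` in a guard and load the secret from configuration.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed demo secret: a real service loads it from configuration, never from source.
const SECRET = "demo-secret-do-not-use-in-production";
const nowSec = (): number => Math.floor(Date.now() / 1000);
// JWT segments are base64url without padding; Node's base64 decoder accepts that alphabet.
const b64url = (input: Buffer | string): string =>
  (Buffer.isBuffer(input) ? input : Buffer.from(input, "utf8"))
    .toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const mac = (signingInput: string): Buffer => createHmac("sha256", SECRET).update(signingInput).digest();
// Decode one segment to a JSON object; anything else (bad base64, array, null) is rejected.
function decodeSegment(seg: string): Record<string, unknown> | null {
  try {
    const v = JSON.parse(Buffer.from(seg, "base64").toString("utf8"));
    return v !== null && typeof v === "object" && !Array.isArray(v) ? v : null;
  } catch { return null; }
}

// Issue an HS256 JWT carrying the caller's claims plus iat/exp (seconds since epoch).
export function issueToken(claims: Record<string, unknown>, ttlSeconds: number, now = nowSec()): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ ...claims, iat: now, exp: now + ttlSeconds }));
  return `${header}.${body}.${b64url(mac(`${header}.${body}`))}`;
}

// Verify: pin the algorithm, compare the MAC in constant time, then enforce exp. Null on any failure.
export function verifyToken(token: string, now = nowSec()): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  const parsedHeader = decodeSegment(header);
  const claims = decodeSegment(body);
  // The server decides the algorithm; a header claiming "none" or RS256 is rejected outright.
  if (parsedHeader === null || claims === null || parsedHeader.alg !== "HS256") return null;
  const expected = mac(`${header}.${body}`);
  const given = Buffer.from(sig, "base64");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;
  return claims;
}

// Renewal: only a token that still verifies is exchanged for a fresh one with a new iat/exp.
export function renewToken(token: string, ttlSeconds: number, now = nowSec()): string | null {
  const claims = verifyToken(token, now);
  if (claims === null) return null;
  const carried: Record<string, unknown> = {};
  for (const key of Object.keys(claims)) if (key !== "iat" && key !== "exp") carried[key] = claims[key];
  return issueToken(carried, ttlSeconds, now);
}
```

Everything Keycloak would otherwise handle for you (key rotation, revocation, refresh-token storage, the role model) still has to be added around these three functions.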
Keycloak offers features such as Single Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console. It's an out-of-the-box solution for rapid development of an application security layer. You could have a single common security layer for multiple applications. You can implement your security mechanism without using Keycloak.

Mrityunjay