Daily Post December 22 2025
Keycloak
Keycloak is an identity and access management (IAM) solution that centralizes authentication and authorization for applications and services. Originally developed by Red Hat, it serves as a single sign-on (SSO) platform supporting OpenID Connect, OAuth 2.0, and SAML 2.0, which suits it to securing web applications, REST APIs, and microservices across many environments.
It acts as a central authentication server, so developers no longer implement login logic in every application. User registration, login, password recovery, and session management come out of the box, letting an organization stand up an identity provider that integrates with existing systems. Features such as multi-factor authentication (MFA), social login via providers like Google or GitHub, and user federation with LDAP or Active Directory reduce integration work and improve security posture.
It operates through realms, which are isolated spaces for managing users, clients, and roles specific to an application or group of applications. Administrators configure realms through a web-based admin console, where they can define authentication flows, customize themes, and set up granular authorization policies. This makes Keycloak great for both standalone deployments and large-scale, federated environments, where it can broker identities between multiple identity providers.
Current releases are built on Java and Quarkus (the older WildFly-based distribution was deprecated in Keycloak 17 and later removed) and ship as container images for Docker and Kubernetes. Each realm manages its own cryptographic keys for token signing and encryption. Because a realm can hold several keys with different priorities, a new signing key can be added while the previous one stays passive, so tokens already issued still verify and keys rotate without downtime.
Licenses
Keycloak is released under the Apache License 2.0, a permissive open-source license that allows free use, modification, and distribution for both commercial and non-commercial purposes. This license requires preservation of copyright notices and disclaimers but imposes no royalties or restrictions on derivative works.
The Apache 2.0 license also includes an express patent grant from contributors, which fosters collaboration and protects users from patent litigation risk. Red Hat maintains Keycloak as the upstream for its commercial Red Hat Single Sign-On product (succeeded by the Red Hat build of Keycloak), which adds enterprise support, long-term stability, and certified builds while keeping the same core codebase under the open license.
No additional licensing fees apply to the community edition, enabling startups, enterprises, and hobbyists to leverage its full feature set. However, for production environments requiring SLAs, certified containers, or advanced monitoring, Red Hat offers subscription-based support through its build of Keycloak, which remains fully compatible with the open-source version.
Getting Started
To begin, download the latest release from the official website or GitHub repository and extract it on a supported operating system (Linux, Windows, or macOS). Start the server in development mode with bin/kc.sh start-dev (bin\kc.bat start-dev on Windows); it listens on http://localhost:8080. There is no built-in admin/admin account: set the initial administrator with the KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD environment variables (KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD in releases before 26) before the first start. Development mode is meant for testing and prototyping; it uses an embedded H2 database, plain HTTP, and relaxed hostname checks, none of which belong in production.
Open the admin console at that URL, log in, and create your first realm with the Create realm button in the realm selector. Within the realm, register clients representing your applications, giving each a client ID, a protocol (OpenID Connect or SAML), and its redirect URIs; use exact URIs rather than wildcards, since an over-broad pattern lets an attacker steer authorization codes to a host they control. Keycloak generates a client secret for confidential clients or configures a public client for browser-based flows that cannot keep a secret.
For production, run the optimized build: kc.sh build with your build-time options (for example --db=postgres), then kc.sh start --optimized with the runtime options, above all --hostname set to the public name of the server. Disabling hostname checks with --hostname-strict=false is a development shortcut, not a production setting. Point Keycloak at a real database through KC_DB=postgres (or --db) plus the connection details in KC_DB_URL, KC_DB_USERNAME, and KC_DB_PASSWORD; the default dev-file H2 database is for development only. Keycloak will not start in production mode without TLS configured, unless HTTP is explicitly enabled for use behind a TLS-terminating proxy with proxy-headers set.
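The dev-versus-production distinction above is easy to get wrong when a conf/keycloak.conf written for a laptop is shipped unchanged. The following is an added example, not Keycloak's own tooling: it parses a keycloak.conf-style key=value file and flags the development-only settings next to a corrected version. The option names (db, hostname, hostname-strict, http-enabled, proxy-headers, https-certificate-file, https-key-store-file) are real Keycloak options; the rules and both sample files are this example's own, not an official checklist.

```javascript
// Added example, not Keycloak's own tooling: lint a conf/keycloak.conf-style
// file for development-only settings before running `kc.sh build && kc.sh start`.
// Option names are real Keycloak options; the rules are this example's, not an
// official checklist.

function parseKeycloakConf(text) {
  const conf = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;   // skip blanks and comments
    const eq = line.indexOf('=');
    if (eq < 0) continue;                            // ignore malformed lines
    conf[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return conf;
}

function checkProductionConf(conf) {
  const findings = [];
  const db = conf['db'];
  if (!db || db === 'dev-file' || db === 'dev-mem') {
    findings.push('db: H2 dev database; set db=postgres (or another supported RDBMS) plus db-url/db-username/db-password');
  }
  if (!conf['hostname']) {
    findings.push('hostname: not set; production mode needs the public hostname so issuer and redirect URLs are fixed');
  }
  if (conf['hostname-strict'] === 'false') {
    findings.push('hostname-strict=false: URLs are derived from request Host headers; drop this dev-only flag');
  }
  const httpEnabled = conf['http-enabled'] === 'true';
  const hasTls = Boolean(conf['https-certificate-file'] || conf['https-key-store-file']);
  if (httpEnabled && !conf['proxy-headers']) {
    findings.push('http-enabled=true without proxy-headers: plain HTTP is only acceptable behind a TLS-terminating proxy with proxy-headers=xforwarded or forwarded');
  }
  if (!httpEnabled && !hasTls) {
    findings.push('no TLS: set https-certificate-file and https-certificate-key-file (or a key store)');
  }
  return findings;
}

function lintConf(text) {
  return checkProductionConf(parseKeycloakConf(text));
}

// Constructed sample: a dev-flavoured conf about to be shipped as-is.
const WEAK_CONF = `
# conf/keycloak.conf (constructed sample)
db=dev-file
http-enabled=true
hostname-strict=false
`;

// Constructed sample: the corrected conf for a deployment behind a TLS-terminating proxy.
// The DB password is supplied via the KC_DB_PASSWORD environment variable, not this file.
const HARDENED_CONF = `
db=postgres
db-url=jdbc:postgresql://db.internal:5432/keycloak
db-username=keycloak
hostname=sso.example.com
http-enabled=true
proxy-headers=xforwarded
`;

console.log('weak conf findings:', lintConf(WEAK_CONF));
console.log('hardened conf findings:', lintConf(HARDENED_CONF));
```

The weak file produces four findings; the hardened one produces none because plain HTTP is paired with proxy-headers, which is the legitimate shape when Traefik or another proxy terminates TLS in front of Keycloak.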
Configuring Authentication and Users
Authentication flows are customized in the admin console under Authentication > Flows. Duplicate the built-in browser flow to build a custom login sequence, adding executions such as username/password validation, OTP from a TOTP authenticator app, or WebAuthn for passwordless login. Each execution is marked Required, Alternative, Conditional, or Disabled; a conditional sub-flow (for example Condition - user role) lets you require a second factor only for privileged users. Bind the new flow to the realm or to a specific client afterwards, or it has no effect.
Users are managed in the Users section: import them from LDAP, create them manually, or enable self-registration. Assign realm roles, client roles, or composite roles to users or groups, and use protocol mappers to project attributes into tokens as claims such as email or custom fields. Sessions are tracked centrally, with per-session revocation and idle and maximum timeouts that limit the window of a compromised credential.
Securing Applications
To protect a web application, use the Keycloak JavaScript adapter in the browser or an OpenID Connect library such as Spring Security's OAuth2 client on the backend (the old Keycloak Spring Boot adapter is deprecated). Configure the client in Keycloak for the authorization code flow (with PKCE for public clients), then point the application's OIDC settings at the realm's discovery document at /realms/{realm}/.well-known/openid-configuration. After login, Keycloak issues an ID token and an access token; applications verify them with the realm's public keys from the JWKS endpoint, selecting the key by kid, and check the signature, issuer, expiry, and audience before trusting any claim.
For APIs, accept bearer tokens and validate them either locally against the realm's JWKS or remotely through the token introspection endpoint, which requires the API's own confidential client credentials and additionally reflects revocation. Keycloak's authorization services add resources, scopes, and policies (role-based, time-based, and others) enforced through UMA 2.0 or fine-grained permission evaluation.
In containerized setups, run Keycloak with Docker: docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:latest start-dev (releases from 26 onward use KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD). That command is fine for a local test only: pin the image tag rather than latest, bind to 127.0.0.1 or choose a real admin password before the port is reachable by anyone else, and never carry that throwaway password into a shared environment. Scale out with Infinispan for session and cache replication, and terminate TLS at a reverse proxy such as Traefik with Keycloak's proxy-headers option set so it trusts the forwarded scheme and host.
Integrate social logins by navigating to Identity Providers, selecting a provider like Google, and entering client credentials from the external service. Keycloak handles the federation transparently, normalizing identities into its user model while supporting just-in-time provisioning.
Usage and Best Practices
Use user federation to sync with existing directories: configure LDAP under User Federation, map attributes, and set a sync schedule for periodic imports, which bridges legacy systems without a disruptive migration. Connect over LDAPS or StartTLS with a read-only bind account. For high availability, deploy several Keycloak instances behind a load balancer, sharing one database and a distributed Infinispan cache.
Themes customize the login experience: place a theme folder under themes/ or package it as a JAR in providers/, with HTML, CSS, and FreeMarker templates overriding the defaults, and select it per realm. Enable user events and admin events under Realm settings > Events and ship them to an external system such as OpenSearch for compliance and monitoring; LOGIN_ERROR events in particular are the raw material for brute-force and credential-stuffing detection.
Update regularly: the current 26.x series receives security patches and Keycloak maintains an active CVE response with published advisories. Back up realms with the export functionality and rehearse disaster recovery.
Generally we use Authelia for our applications here at mintarc.
But Keycloak is a very good tool to deploy as well: https://www.keycloak.org/