**Keycloak** is an open source Identity and Access Management (IAM) platform that provides Single Sign-On (SSO), social login, identity brokering, and user management for applications and services. It is the tenant-facing login system in an open source hyperscaler — the equivalent of AWS Cognito or Google Identity Platform.

---

### First Principle: No service should build its own authentication. Delegate auth to a centralised identity provider.

Implementing authentication correctly — password hashing, session management, MFA, token refresh, federation — is complex and security-critical. Keycloak centralises all of this and exposes OIDC and SAML 2.0 endpoints that applications and services use. Applications stop handling passwords altogether; they only verify tokens issued by Keycloak.

---

### Key Considerations

- **Protocols**: Implements OpenID Connect (OIDC), OAuth 2.0, and SAML 2.0. Issues JWTs that services validate without round-tripping to Keycloak.
- **Realms**: Keycloak organises users and configuration into realms — isolated identity domains. A hyperscaler would have one realm per major tenant group.
- **Identity Brokering**: Keycloak can federate with external identity providers — corporate LDAP/Active Directory, GitHub, Google, and other OIDC providers.
- **[[OpenStack]] Integration**: [[OpenStack]] Keystone can be configured to use Keycloak as its external identity provider via OIDC federation, giving tenants one login for both the IaaS console and their applications.
- **[[Kubernetes]] Integration**: The Kubernetes API server can be configured to accept JWTs issued by Keycloak for RBAC.
- **MFA**: Supports TOTP (Google Authenticator), FIDO2/WebAuthn hardware keys, and email/SMS OTP out of the box.

---

### How It Fits

```
Tenant user (browser / CLI)
  → Keycloak (SSO, OIDC, MFA)
  → [[OpenStack]] Keystone / [[Kubernetes]] API server
  → [[Open Policy Agent (OPA)]] (fine-grained authorisation)
  → [[OpenBao]] (secrets access controlled by token claims)
```

[[OpenBao]] | [[Open Policy Agent (OPA)]] | [[OpenStack]] | [[Kubernetes]] | [[Open Source Hyperscaler MoC]]
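Added example (not Keycloak's or this page's own code) of the local validation described under Protocols and relied on by the Kubernetes integration: a Go relying service checking a Keycloak-style RS256 access token against the realm's public key, then reading `realm_access.roles` for its own RBAC decision. The issuer URL, audience and role names are constructed, the token is minted locally by `Sign` in place of Keycloak, and `aud` is assumed to be a single string (Keycloak can also emit an array).

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Claims is the subset of a Keycloak access token a relying service inspects.
type Claims struct {
	Iss         string              `json:"iss"`
	Aud         string              `json:"aud"`          // assumed a single string here
	Exp         int64               `json:"exp"`          // Unix seconds
	RealmAccess map[string][]string `json:"realm_access"` // realm-level roles under "roles"
}
var b64 = base64.RawURLEncoding
func hash(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
// Sign mints an RS256 JWT as Keycloak would; it is here only so the example runs offline.
func Sign(key *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, hash(input))
	return input + "." + b64.EncodeToString(sig)
}
// Verify is the relying-service side: pin alg, check the signature with the realm public key (cached from the JWKS endpoint), then iss, aud and exp. Nothing here calls Keycloak.
func Verify(pub *rsa.PublicKey, tok, wantIss, wantAud string, now int64) (c Claims, err error) {
	var hdr struct{ Alg string `json:"alg"` }
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	if raw, e := b64.DecodeString(parts[0]); e != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("unexpected alg") // never let the token choose the algorithm
	}
	if sig, e := b64.DecodeString(parts[2]); e != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash(parts[0]+"."+parts[1]), sig) != nil {
		return c, errors.New("bad signature")
	}
	if raw, e := b64.DecodeString(parts[1]); e != nil || json.Unmarshal(raw, &c) != nil {
		return c, errors.New("bad payload")
	}
	if c.Iss != wantIss || c.Aud != wantAud || now >= c.Exp {
		return Claims{}, errors.New("issuer, audience or expiry check failed")
	}
	return c, nil
}
```

In production the public key comes from the realm's `.well-known/openid-configuration` JWKS, selected by the token's `kid` header and cached; the checks above are what runs on every request.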