Tuesday, 16 December 2014

Merry Christmas from the Keycloak team

2014 was the year of Keycloak! At least that was the case for us on the Keycloak team. In January we released the very first alpha of the project. The first stable release wasn't out until September, but in return we added a lot more features as well as reaching a very high level of stability for a 1.0.

Since then we've delivered a number of security and bug fixes for 1.0, while continuing to bake in new exiting features for 1.1. We're planning to do a stable release of 1.1 early in the New Year, which will bring SAML 2, much improved clustering and a number of new application adapters.

Not only have we managed to provide a feature rich and easy to use open source security solution, but we've also managed to build an awesome community around the project. We've had over 5000 downloads, over 2500 commits from 32 contributors and our developer and user mailing lists are very active. Keycloak is already in use in production on a number of projects, in fact some has even used it in production since our first alpha release!

Our road-map for 2015 is not written in stone, but expect at least some of the following features to be delivered in 2015:
  • Custom user profiles - this will let you configure the attributes for a user profile, which should be visible on the registration screen and account management, as well as specify validation

  • Identity Brokering - we're adding support to authenticate with external Identity Providers via OpenID Connect, SAML 2.0 and Kerberos

  • Two-Factor Authentication - currently we only support Google Authenticator or FreeOTP applications for two-factor authentication, but we plan to make it possible to add your own and provide some more out of the box

  • Client Accounts - these will be special user accounts directly linked to a client, allowing a client to access services as itself not just on-behalf of users

  • Client Certificates - support authentication of clients with certificates

  • Client Types - at the moment we have applications and oauth clients, the main difference being oauth clients require users to grant permissions to roles. To simplify the admin console we plan to introduce a single unified view for clients and also introduce new types such as devices

  • Internationalization - internationalization support for login and account management pages

  • SMS - enable SMS to recover passwords, as a 2nd factor authentication mechanism and to be notified about events like login failures

  • OpenID Connect Dynamic Registration -  allows clients to dynamically register with Keycloak. We'll also look at passing the OpenID Connect Interop testing

  • Mapping of users and tokens - custom mapping of user profiles from external identity stores and tokens from external Identity Providers
We also have ideas for some bigger features, but we'll leave those as a surprise for 2015!

Finally, I'd like to wish everyone a Merry Christmas and a Happy New Year.

Wednesday, 5 November 2014

Keycloak 1.1.0 Beta1 Released

Pretty big feature release:
  • SAML 2.0 support.  Keycloak already supports OpenID Connect, but with this release we're also introducing support for SAML 2.0.  We did this by pulling in and building on top of Picketlink's SAML libraries.

  • Vastly improved clustering support.  We've also significantly improved our clustering support, for the server and application adapters. The server can now be configured to use an invalidation cache for realm meta-data and user profiles, while user-sessions can be stored in a distributed cache allowing for both increased scalability and availability. Application adapters can be configured for either sticky-session or stateless if sticky-sessions are not available. We've also added support for nodes to dynamically register with Keycloak to receive for example logout notifications.

  • Adapter multi-tenancy support.  Thanks to Juraci Paixão Kröhling we now have multi-tenancy support in application adapters. His contribution makes it easy to use more than one realm for a single application. It's up to you to decide which realm is used for a request, but this could for example be depending on domain name or context-path. For anyone interested in this feature there's a simple example that shows how to get started.

  • Tomcat 7 Adapter.  A while back Davide Ungari contributed a Tomcat 7 application adapter for Keycloak, but we haven't had time to document, test and make it a supported adapter until now.

What's next?

The next release of Keycloak should see the introduction of more application adapters, with support for JBoss BRMS, JBoss Fuse, UberFire, Hawt.io and Jetty.

For a complete list of all features and fixes for this release check out JIRA.

I'd like to especially thank all external contributors, please keep contributing! For everyone wanting to contribute Keycloak don't hesitate, it's easy to get started and we're here to help if you need any pointers.

Tuesday, 28 October 2014

Keycloak 1.0.3.Final released

Another security and bug fix release in the 1.0 series.

For full details look in JIRA.

Wednesday, 8 October 2014

Keycloak 1.0.2.Final released

This is a maintenance release and contains only bug fixes and one minor security fix.

For full details look in JIRA

Thursday, 18 September 2014

Keycloak 1.0.1 Final Released

We're releasing a few minor fixes and improvements before we start work on SAML and Clustering.

As usual go to keycloak.org to download the release, and have a look at jira for the complete list of fixes and improvements.

Wednesday, 10 September 2014

Keycloak 1.0 Final Released

After 1 year of hard work, the team is proud to release our first final 1.0 release of Keycloak.  We've stabilized our database schemas, improved performance, and refactored our SPIs and you should be good to go!  I don't want to list all the features, but check out our project website at http://keycloak.org for more information.  You can find our download links there as well as screen cast tutorials on our documentation page.

What's Next?

Keycloak 1.1 will be our integration release where we start bringing Keycloak to different protocols, projects, and environments.  Here's a priority list of what we're tackling

  • SAML 2.0 - by merging with Picketlink IDP
  • Uberfire/BRMS adapter
  • Fuse FSW adapter
  • EAP 6.x and Wildfly console integration
  • Tomcat 7 adapter
  • ...More planned, but we'll see how fast we can move before we announce anymore

In parallel, we hope to look into a few new features:

  • Internationalization
  • TOTP Improvements like allowing multiple token generators
  • IP Filtering

Monday, 1 September 2014

Keycloak 1.0 RC 2 Released

This will be the last release candidate before we release 1.0 final in just two weeks! So, there's no new exiting features in this release, only a few bug fixes.

Go grab it from keycloak.org now!

Wednesday, 20 August 2014

Keycloak 1.0 RC 1 Released

Many bugs fixes and cleanup.  Not much for features although we did add a ton of tooltips to the admin console.  We’re getting very close to a final release and are still on schedule to release 2nd week on September.

See keycloak.org for links to download and documentation.

Tuesday, 5 August 2014

Keycloak Beta 4 Released

After a summer of multiple vacations from various team members, we're finally ready to release Keycloak 1.0 Beta 4.  There's not a lot of new features in the release because we focused mainly on performance, creating new SPIs, refactoring code, improving usability, and lastly fixing bugs. 64 issues completed.  As usually go to the main keycloak.org page to find download links and to browse our documentation, release notes, or view our screencast tutorials.  Here are some of the highlights of the release:

  • Server side memory cache for all UI pages.
  • Cache-control settings for UI pages
  • Server side cache for all backend metadata: realms, applications, and users.
  • In-memory implementation for user sessions
  • New Federation SPI.  Gives you a lot of flexibility to federation external stores into Keycloak
  • Improved LDAP/Active Directory support
  • Token validation REST API
  • Support for HttpServletRequest.logout()
  • Lots and lots of bugs fixes and minor improvements

You should see a big performance increase with this release as everything is cachable in memory and the database can be fully bypassed.

1.0 Final is on the way!

What's next for Keycloak?  This month we will be focusing on resolving the remaining issues logged in Jira, improving our test coverage, and updating our documentation and screencasts.  No new major features.  We'll have a RC release around 3rd week of August, then our first Final release 2nd week of September!

Thursday, 19 June 2014

Keycloak Beta 3 Released

Mostly a bunch of bug fixes that we needed to push out for users.  We're still pretty focused on performance and hope that Beta 4 will allow Keycloak to run in a cluster with some caching capabilities.  See keycloak.org for links on downloading, docs, and jira release notes.

Thursday, 29 May 2014

Keycloak Beta 1 Released!

Keycloak Beta-1 has been released!  We're edging closer to 1.0! Please visit the Keycloak website for links to documentation and downloads.  A lot of hard work the last few months by Stian, Marek, myself and other contributors to bring you loads of new features and improvements:

  • LDAP/Active Directory integration built on Picketlink.  Thanks Marek!
  • User Session management - can now view login IP address and which applications and oauth clients have open tokens.  Works with any type of app too.  Can view and manage sessions through user account pages or admin console
  • Audit log for important events.  Integration with admin console and ability to receive emails on certain events.
  • Account log viewable in user account management pages
  • Export database.  Allows you to export a full dump of keycloak database into an encrypted file.  Will help out tremendously to migrate between Keycloak versions.
  • Authentication SPI.  Allows you to plug in different mechanisms to retrieve and authenticate users.
  • Theme support for the admin console and any sent email.
  • Per-realm admin console.  You can now designate a user within a realm that is an admin of that realm.
  • Documented the Admin REST API finally.  (Docs still kinda suck here)
  • CORS support for Admin REST API
  • Improvements in Javascript adapter.  Including OpenID Connect session iframe style for single-sign out and support for Cordova.
  • Support for relative URLs when configuring admin console
  • Server configuration file
  • Social Only Logins
  • Installed application adapter
  • Expanded the number of example projects

What's next? This is the last major feature release of Keycloak.  We will now be focusing on performance, clustering, security audits, testing, documentation, and usability for the next few releases.  We hope to release 1.0 Final sometime in July.

Wednesday, 12 March 2014

Keycloak Alpha 3 Released

Another big feature release for Keycloak.  As usual, go to keycloak.org to find documentation and download links.  Here are the highlights of Alpha 3:
  • Minimal support for OpenID Connect.  Claims like email, full name, etc. can now be transmitted and viewed with IDToken passed after login.

  • Configurable allowed claims.  What identity claims are made in id and access tokens can be configured per application or oauth client within the admin console

  • Remote logout and session stats available from management console

  • Refresh token support

  • Not before revocation policy.  You can set it per realm, oauth client, or application.  Policies are pushed to applications that have an admin url

  • Fine grain admin console permissions and roles.  You can now specify which realms a master user is allowed to create, view, or edit.  An awesome side effect of this is that if you enable registration in the master admin realm and set a default global role of create only, keycloak can become a SaaS for SSO.

  • Installed Application feature to support non-browser applications that want to use Keycloak

  • You can now add social network links through account management

What's next?

Our next release will be Beta-1 and will be our last big feature release.  One of the features we want to add is support for using an existing LDAP/Active Directory server.  We're going to take a look at Picketlink IDM API for this.  We also need more fine grain support for importing and exporting various pieces of the keycloak database.  That's minimally what we want to get in.  We're looking at a May timeframe for this release as in April many of us will be busy with Red Hat Summit.

Wednesday, 19 February 2014

Keycloak Alpha 2 Released

3 weeks after Keycloak's initial debut, we're ready to introduce some new features in our Alpha 2 release.
  • Stian added theme support.  You can now customize any non-admin-console page using Freemarker templates, css files, and images.

  • Stan added a Wildfly subsystem and Bill ported it to AS7 and EAP 6.x.  Securing your WARs on JBoss AS7, EAP, and Wildfly is now much easier and uniform across all JBoss/Wildfly versions.  Also, with the subsystem, you do not even have to crack open a WAR to secure it with Keycloak.

  • Bill added Composite Role support.  Composite Roles can be associated with more fine grain roles to make it easier to apply and manage role mappings for your users.

  • Marek added backend support for Mongo, Oracle, Postgres, MySQL, MS-SQL, and DB2.

  • Stian finished up his pure Javascript adapter that had been sitting on the back burner.

  • Somebody not named Bill wrote a GitHub Social Login provider.

  • Viliam was the cleaner.  He cleaned up all the messes that Stian and Bill created and fixed all the little bugs Bill was too lazy to do.

What's next?  No sure yet.  Probably a focus on full OpenID Connect support. Refresh tokens.  Openshift bootstrapping.  Maybe some new social plugins too.  Please visit the main Keycloak Website for documentation and links for downloads.