Console #162 - Interview with Michal of Keycloak - Open Source Identity and Access Management
Featuring Sandstorm, OURS Project, and ASCIIFlow
🤝 Sponsor
This space is reserved for sponsors that support us to keep the newsletter going! Want to support Console? Send us a note at osh@codesee.io
🏗️ Projects
Browse through open source projects on OpenSourceHub.io, add your project to get more exposure and connect with other maintainers and contributors!
🌐 Sandstorm
Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager. Sandstorm makes it easy to run your own server.
language: JavaScript stars: 6427 last commit: March 2022
repo: github.com/sandstorm-io/sandstorm
site: sandstorm.io
📱 OURS Project
A DIY Open-Source, Upgradable, Repairable Linux Smartphone that is also completely free of Big Tech.
language: Python stars: 356 last commit: 2 days
repo: github.com/evanman83/OURS-project/
🧩 ASCIIFlow
ASCIIFlow is a client-side only web based application for drawing ASCII diagrams
language: TypeScript stars: 3787 last commit: Jan 2022
repo: github.com/lewish/asciiflow
site: asciiflow.com
🔑 Keycloak
Keycloak is an Open Source Identity and Access Management solution for modern Applications and Services.
language: Java stars: 16454 last commit: 2 days
repo: github.com/keycloak/keycloak
site: keycloak.org
Join thousands of other open-source enthusiasts and developers in the Open Source Hub Discord server to continue the discussion on the projects in this week's email!
🎙️ Interview With Michal of Keycloak - Open Source Identity and Access Management For Modern Applications
Hey Michal! Thanks for joining us! Let us start with your background.
I grew up in Slovakia, and my passion for computers started at a young age. Around the age of 15, I discovered programming and began experimenting with PHP, HTML, and CSS. While I learned some basics in high school, most of my knowledge and skills were acquired during my college studies and my work experience at Red Hat.
To pursue my studies, I moved to the Czech Republic and enrolled at Masaryk University. There, I focused on cybersecurity and became part of a team specializing in randomness testing.
During my third year of studies, I was fortunate to land an internship at Red Hat, where my main focus was automated testing. After three months, I transitioned from an intern to a part-time employee and eventually became a full-time employee.
In addition to using Java in my daily work, I have a particular fondness for Haskell. Unfortunately, I don't get as many chances as I'd like to use Haskell. To make sure I stay connected with it, I enjoy joining competitions like the Advent of Code, where I can keep my Haskell skills sharp.
What is your favorite software tool?
Having started using Jetbrains products during my studies, I have remained a fan of their tools ever since. While I have a desire to transition to an open-source alternative, I have struggled to find a tool that matches the same level of functionality and usability that I have grown accustomed to. I have experimented with VS Code, but unfortunately, I have been unable to achieve the same level of productivity and comfort as I do with IntelliJ.
What are you currently learning?
During my initial years with the Keycloak team, I began as a Quality Engineer. My role involved writing automated tests to ensure the project met all functional requirements before its public release.
Later, I transitioned to an Engineering position, diving deeper into the inner workings of Keycloak. I focused on bug fixing and developing new features, primarily concentrating on the storage aspect and SAML (Security Assertion Markup Language). However, I also contributed to various changes outside of these areas.
Currently, while still primarily working on storage, I have a strong desire to enhance my understanding of how users actually utilize our product. I want to grasp the most common settings and environments employed. To achieve this, I aim to increase my visibility within the community by actively participating in discussions and reviewing pull requests.
Also, as part of my goal to enhance my skills in cloud computing and Kubernetes, I am actively involved in a project that aims to improve support for cross-data center scenarios. In this endeavor, we are currently setting up a cloud-based environment specifically designed for conducting performance tests. The insights derived from these tests will be instrumental in establishing comprehensive guidelines for configuring Keycloak effectively in such scenarios. To stay updated on the progress of this initiative, I encourage you to follow our Keycloak Benchmark tool.
What inspired the development of Keycloak, and how did it evolve into the product it is today?
As I wasn't involved with the Keycloak team during its establishment, I cannot provide insights into the initial motivations behind its development. However, it is worth noting that the Keycloak project greatly benefits from extensive community involvement at present. We receive numerous contributions in the form of code pull requests, issue reports, and active discussions in the main GitHub repository.
How does Keycloak work?
The primary concept behind Keycloak is to offer a straightforward yet secure method of authentication and user management.
To illustrate this with an example user story, as the owner of a service such as a web application, I can direct all incoming users to Keycloak. It will then authenticate them securely and redirect them back to my site along with relevant information about them. This information can be used by the website to deliver personalized content. Additionally, if a user doesn't have an account yet, they can utilize Keycloak's built-in functionality for user registration. In terms of security, Keycloak relies on standard protocols and offers support for OpenID Connect, OAuth 2.0, and SAML.
Furthermore, Keycloak allows extensive customization options for various authentication aspects, which can be easily configured through a modern user interface. Some examples of these customizations include adding social login options (e.g., Google, Facebook, Github) to the login page, matching the login form and account management with the web application's design through theming, management of multi-factor authentication, setting the session length before re-authentication is required, defining password policies (e.g., length, special characters, digits) and many more. For more details, visit www.keycloak.org.
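The redirect flow described in the answer above, as an added example that is not part of the interview or of Keycloak's own code: the web application's side of an OpenID Connect authorization code login against Keycloak, written in Python. The realm URL, client id and callback URL are placeholders; the authorization endpoint path under the realm is Keycloak's standard one.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Placeholder values for this example; real deployments have their own realm, client and callback.
KEYCLOAK_REALM = "https://keycloak.example.test/realms/demo"  # assumed realm base URL
CLIENT_ID = "my-web-app"                                      # assumed client id
REDIRECT_URI = "https://app.example.test/callback"            # assumed callback URL


def build_login_redirect():
    """Step 1: build the URL that sends the user to Keycloak and the values the app must
    keep server-side. state binds the callback to this browser session (anti-CSRF), nonce
    binds the ID token to this login, PKCE binds the code exchange to this client."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    params = {
        "client_id": CLIENT_ID, "response_type": "code", "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    # Keycloak serves its OIDC authorization endpoint under the realm URL.
    url = f"{KEYCLOAK_REALM}/protocol/openid-connect/auth?{urlencode(params)}"
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def validate_callback(session, callback_state, id_token_claims, now=None):
    """Step 2: checks the app must make after Keycloak redirects back and the returned code
    has been exchanged for tokens. Signature verification of the ID token against the
    realm's JWKS is assumed to have happened before the claims reach this function.
    Returns the authenticated identity or raises ValueError."""
    now = int(time.time()) if now is None else now
    if not secrets.compare_digest(callback_state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    if id_token_claims.get("iss") != KEYCLOAK_REALM:
        raise ValueError("unexpected issuer")
    aud = id_token_claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("ID token was not issued for this client")
    nonce = str(id_token_claims.get("nonce", ""))
    if not secrets.compare_digest(nonce.encode(), session["nonce"].encode()):
        raise ValueError("nonce mismatch: token does not belong to this login")
    if int(id_token_claims.get("exp", 0)) <= now:
        raise ValueError("ID token expired")
    return {"sub": id_token_claims["sub"], "email": id_token_claims.get("email")}
```

In a real application the values returned by build_login_redirect are kept in the user's server-side session, and the code from the callback is exchanged at the realm's token endpoint (with the stored code_verifier) and the ID token's signature verified before validate_callback is run on its claims.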
Why did you pick Java?
I don't hold any strong convictions either in favor of or against Java. I perceive it as a tool that I use in my daily work, and I find satisfaction in working with it. However, I acknowledge that it may not necessarily be the optimal language for all purposes.
What is the most challenging problem that’s been solved in Keycloak, so far?
Personally, I find the most challenging issues to be related to new code additions that involve the SAML protocol part of the Keycloak codebase. This particular portion of the code was inherited from the Picketlink project, making it somewhat of a legacy code. Despite the numerous refactorings we have already performed, comprehending it can still be difficult at times. Moreover, this code carries significant importance and is security-sensitive, necessitating extensive time devoted to studying the specification in order to ensure compliance.
To illustrate, consider a pull request for the implementation of SAML Artifact binding. This serves as a remarkable example of the strength and capabilities of Keycloak's community. Originally initiated by a community member, the pull request was subsequently adopted by our team. We made certain adjustments to align with our requirements and successfully integrated the change into Keycloak.
How does Keycloak's sponsorship by Red Hat impact the development and future of the product?
The majority of Keycloak's core developers are employees of Red Hat, so there certainly is some impact.
Red Hat sells Keycloak as a product called Red Hat Build of Keycloak (RHBK), previously known as Red Hat Single Sign On (RHSSO). This product offers essentially the same functionality as Keycloak, but with the added benefit of support provided by Red Hat. When customers encounter issues, they can reach out to our support team for assistance. If the support team is able to resolve the problem without involving the development team, we may not even be aware that there was an issue. However, if the problem requires code changes or in-depth knowledge of the codebase, the development team steps in and provides a prompt fix if necessary. Personally, I don't encounter this situation very often. Most of my time is dedicated to community tasks such as bug triaging, code reviews, and developing new features.
As for the future of the product, we strive to consider the perspectives of both the community and the customers. We receive a lot of feedback through community channels, which helps us identify and address issues that users are facing. On the other hand, customers occasionally provide valuable insights based on their extensive deployments. However, there is a drawback in that many users and customers are hesitant to share detailed information due to security concerns surrounding such sensitive data.
Can you describe any use cases or success stories where Keycloak has been particularly effective?
Answering this question is challenging as I am unable to provide public comments about our customers. Additionally, since Keycloak is an open-source project, it is difficult to determine the exact number of users. However, some companies have openly stated their adoption of Keycloak in our main repository.
In recent years, our focus has been on enhancing the user experience in the cloud and achieving greater cloud-native capabilities. This effort has yielded a significant accomplishment, as Keycloak was accepted as an incubating project by the Cloud Native Computing Foundation (CNCF). During the application process, several companies supported our case, indicating their usage of Keycloak as well. You can find the list of supporting companies in the following link.
What was the most surprising thing you learned while working on Keycloak?
It is amazing to see the amount of contributions the Keycloak project receives. Before I joined the Keycloak team, I had no idea people put in so much free time to contribute to open-source projects.
What is the best way for a new developer to contribute to Keycloak?
Personally, I'd begin by getting hands-on experience with Keycloak. You can start by opening the project in an IDE and running it locally. Try securing some simple applications (maybe some from our quickstarts) and run Keycloak in debug mode to observe the requests it receives and its behavior.
Every pull request in Keycloak should include relevant tests. I'd suggest exploring our test suite to get familiar with the basic concepts and perhaps attempt writing some simple test scenarios.
Next, you can dive into our issue tracker. The issues can be filtered based on different areas of interest. For example, if you're keen on OpenID implementation issues, you can filter them using the "area/oidc" label. Other helpful labels for potential contributors include "good first issue" and "help wanted".
When you decide to work on an issue, leave a comment stating your intention and discuss any concerns or questions you may have. After you've made the necessary code changes, accompanied by a reasonable test coverage, submit a pull request.
It's worth noting that receiving feedback on the changes may take some time, so please be patient during this process. Once your changes are included in the next release, make sure to appreciate the awesome feeling of being part of this fantastic community and knowing that your improvements are now being enjoyed by many users!
Where do you see the project heading next?
Securing a spot in the CNCF is a major milestone for Keycloak, but our journey doesn't stop there. We're determined to enhance Keycloak's performance with Kubernetes and build upon the great work we've already begun. One area we're focused on is optimizing cross-data center scenarios, a feature frequently requested by users. We're eager to improve and meet their expectations.
What is one question you would like to ask another open-source developer that I didn’t ask you?
I believe the questions around the project were sufficient, so maybe something around hobbies?
Tell us about your hobbies and interests!
I'm a huge sports fan! This year, I got into running regularly, and I'm super happy with how much progress I've made. Besides running, I also play football and badminton on a regular basis. And when it's winter, you'll often find me chilling in a sauna. After a satisfying sports activity, I enjoy relaxing with friends and having a beer. Well, it's almost a requirement since I'm currently living in the Czech Republic.
Apart from sports, I'm also really into reading books, especially non-fiction stuff that's packed with interesting facts. I love learning new things! Some of my favorite reads are Matthew Walker's "Why We Sleep" and Hans Rosling et al.'s "Factfulness." They're super enlightening!
Want to join the conversation about one of the projects featured this week? Drop a comment, or see what others are saying!
Interested in sponsoring the newsletter or know of any cool projects or interesting developers you want us to interview? Reach out at osh@codesee.io or mention us @ConsoleWeekly!