Book review: "Keycloak - Identity and Access Management for Modern Applications"
[Disclosure: I received a reviewer's copy as I have relevant domain expertise. I did not receive any compensation nor was my review vetted, so it is solely my own view.]
As a preface to my review, my view is that this book is aimed squarely at those who want a pragmatic and practical guide to Keycloak best practices, ensuring a robust and production-grade deployment. Hence, it is ideal for developers and architects who want to make the most of Keycloak and do not already have an in-depth knowledge of SSO concepts. If you are looking for a compendium on writing Keycloak extensions, or deep theory on security protocols, this is not the book for you. That said, even if you are already familiar with the landscape more broadly, you will likely find some useful nuggets in this book.
The book begins by outlining the basic premise of SSO and the philosophy of Keycloak. In short: security is hard to get right, so don't try to implement it yourself; it is far safer to delegate to a dedicated platform.
At the outset, there is a quick-fire review of the essential concepts and protocols, enabling readers who have a technical background (but not necessarily security-specific expertise) to familiarise themselves quickly. If you are confused by the seemingly endless list of standards and protocols, and want to understand how they all relate to each other (OAuth2, OIDC, JWT, JWKS, JWK, and so on) within the Keycloak context, this publication is useful.
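To make the relationship between those acronyms concrete, here is an added example (my own illustration, not code from the book or from Keycloak) that ties them together: OIDC issues an OAuth2 access token as a JWT, the JWT header names a signing key by `kid`, and the verifier looks that key up in the issuer's JWKS, where each entry is a JWK. The realm URL, client name (`inventory-api`), key id (`demo-key-1`) and the fixed clock are assumed values constructed for the example; the token is minted locally rather than obtained from a real Keycloak server.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK holds the RFC 7517 fields needed to publish an RS256 verification key.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the shape of the document an OIDC issuer (e.g. a Keycloak realm) serves
// at its jwks_uri: a list of JWKs, one per active signing key.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// publicJWK exports an RSA public key as a JWK identified by kid.
func publicJWK(pub *rsa.PublicKey, kid string) JWK {
	return JWK{Kty: "RSA", Kid: kid, Use: "sig", Alg: "RS256",
		N: b64(pub.N.Bytes()), E: b64(big.NewInt(int64(pub.E)).Bytes())}
}

// mintJWT builds header.payload and signs it with RS256 (PKCS#1 v1.5, SHA-256).
func mintJWT(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyJWT resolves the token's kid in the JWKS, checks the signature, and then
// enforces iss, aud and exp. The alg is pinned to RS256 so the token cannot pick it.
func verifyJWT(token string, keys JWKS, iss, aud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrJSON, err := dec(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported or unreadable header (alg=%q)", hdr.Alg)
	}
	var key *JWK
	for i := range keys.Keys {
		if keys.Keys[i].Kid == hdr.Kid && keys.Keys[i].Kty == "RSA" {
			key = &keys.Keys[i]
		}
	}
	if key == nil {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	nb, errN := dec(key.N)
	eb, errE := dec(key.E)
	sig, errS := dec(parts[2])
	if errN != nil || errE != nil || errS != nil {
		return nil, errors.New("bad base64 in key or signature")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	payload, err := dec(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if claims["iss"] != iss || claims["aud"] != aud {
		return nil, errors.New("issuer or audience mismatch")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired or missing exp")
	}
	return claims, nil
}

// demo wires it together: generate a key, publish it as a JWKS, mint a token and
// verify it, then show a tampered payload and an expired token being rejected.
func demo() (valid, tamperedRejected, expiredRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	const kid = "demo-key-1" // assumed key id
	jwks := JWKS{Keys: []JWK{publicJWK(&priv.PublicKey, kid)}}
	now := time.Unix(1_700_000_000, 0) // fixed clock, constructed for the example
	iss, aud := "https://sso.example.test/realms/demo", "inventory-api" // assumed values
	claims := map[string]any{"iss": iss, "aud": aud, "sub": "alice", "exp": now.Add(5 * time.Minute).Unix()}
	tok, err := mintJWT(priv, kid, claims)
	if err != nil {
		return
	}
	_, e1 := verifyJWT(tok, jwks, iss, aud, now)
	valid = e1 == nil
	// Swap the subject but keep the original signature: must fail.
	p := strings.Split(tok, ".")
	evil, _ := json.Marshal(map[string]any{"iss": iss, "aud": aud, "sub": "mallory", "exp": claims["exp"]})
	_, e2 := verifyJWT(p[0]+"."+b64(evil)+"."+p[2], jwks, iss, aud, now)
	tamperedRejected = e2 != nil
	// Same token an hour later: must fail on exp.
	_, e3 := verifyJWT(tok, jwks, iss, aud, now.Add(time.Hour))
	expiredRejected = e3 != nil
	return
}

func main() {
	valid, tampered, expired, err := demo()
	fmt.Println("valid:", valid, "tampered rejected:", tampered, "expired rejected:", expired, "err:", err)
}
```

The point to take from the example is the chain of trust: the verifier never trusts anything in the token itself beyond the `kid` used as a lookup key, and the key material comes from the issuer's JWKS, which is why a production service fetches that document from the realm's jwks_uri and caches it rather than embedding keys.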
Throughout, the content has a direct, practical and pragmatic focus, summarising the essential information needed to make good engineering and architectural decisions quickly. It is not discursive or theoretical; instead it outlines a range of common scenarios and provides recommended solutions and, perhaps more importantly, explicitly tells you what not to do.
For example, recommendations are given for web applications, native applications, mobile applications, and several other categories, each accompanied by sequence and flow diagrams outlining the protocol interactions. Typically, several alternatives are also proposed for cases where the best approach is impractical.
If, say, you want to know the best practices and correct auth flows for a mobile application, this book tells you exactly what you need without any rambling.
A significant proportion of the content is focussed on real-world operational needs and best practices. For example, there are chapters on:
• Customisation and extensibility, including visual customisations, flow and approval customisations, etc. I would note, though, that this is not aimed at developers who want to write complex extensions; it is primarily about how to drive Keycloak's "out of the box" functionality.
• Configuring a production-grade secure server, and tackling some common difficulties (such as handling proxies, internal vs external networks, and so on).
In summary, this is a pragmatic guide to Keycloak for devs, ops, and architects. It is not aimed at advanced developers looking to write Keycloak extensions. It condenses best practices into a single reference handbook that is ideal for getting your team up to speed extremely quickly and ensuring you are following best practices from day one.