Comparisons of identity management solutions

Hugo
3 min read · Mar 22, 2022


It has been some time since the decision on an authentication solution was made. In the following, I will share some insights and present the solutions we investigated, starting with the requirements.

The requirements are classified into two categories: tech and product.

Product

  • User management: customer sign in and sign up
  • Social login
  • OAuth2 server with extensibility to add parameters and adjust the OIDC flow
  • Single sign-on
  • MFA
  • REST API: in the future a separate frontend, such as React, can be used

Tech

  • No SaaS: zero trust in 3rd-party providers and solutions. It was decided that Auth0, Okta and Red Hat Keycloak as a service don't fit, because user data must not be processed by any third party.
  • Scalable and maintainable: native Kubernetes support, and applying security patches is simple
  • Open source with regular patches and an Apache license

Now I will go through the solutions one by one.

Keycloak

One of the main issues with Keycloak is its compatibility with Kubernetes. It requires a large memory footprint and may be better suited for a virtual machine. For example, the Keycloak Helm chart uses a StatefulSet (as of December 2021) for node discovery and naming issues.

Another issue is that the cache relies on Infinispan and you cannot replace it with Redis: https://issues.redhat.com/browse/KEYCLOAK-13851

To customize Keycloak, you can use the 'uber jar' and extend the interface. There are already some existing extensions that can be reused, which is more practical than searching the entire codebase for customization points.

The downtime when upgrading between versions is unclear: https://www.keycloak.org/docs/latest/upgrading/#running-the-standalone-high-availability-mode-upgrade-script

The REST API is also not clear. You can customize the built-in frontend a lot, but it is unclear whether the API is sufficient if you develop a separate frontend, for example to send a verification email.

Conclusion: Besides the drawbacks above, it fits all product features. It is a good choice if you run on VMs, or if an infrastructure team hosts it for you.

[Update] From version 17, the Quarkus distribution is fully supported; the above issues should be lighter and the deployment more k8s friendly: https://www.keycloak.org/2022/02/keycloak-1700-released

Ory/Hydra and Ory/Kratos

Ory/Hydra is an OAuth2 server and Ory/Kratos provides user management. They follow a microservice architecture.

It overcomes the infrastructure drawback of Keycloak: you don't have to bring along several features you don't need, and you can deploy only the OAuth2 server, which is more lightweight.

The Helm chart is very clean. The REST API is very clear; I did the integration with Spring and customized the sample frontend it provides in one day.

The community channel replies very fast, too. The only problem is that customization is not well supported; you would probably have to change the codebase and implement the changes in Go.

Conclusion: Without a customization requirement, it is a good choice.

CloudFoundry UAA

The main issue is that there is no Helm chart [checked in Dec 2021]. The community replied that they support deployment using the CloudFoundry tooling. As our infrastructure doesn't use CloudFoundry, this is not an option.

From the documentation it has REST API support, so you can build a separate frontend, but I haven't tried it because the deployment issue already rules this option out.

No conclusion. I think if you like this choice, you can use Spring Authorization Server (https://spring.io/blog/2022/11/22/spring-authorization-server-1-0-is-now-ga), which relies on the newer version of Spring Security.

Spring Security

In the end, Spring Security was chosen, and https://github.com/Baeldung/spring-security-registration is used as a sample project to customize so that the security baseline matches; for example, bcrypt is used when persisting user passwords.
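The bcrypt point above, as an added example that is not part of the original post or of the Baeldung sample project. The class, cost factor and sample password are assumptions; it uses only spring-security-crypto and shows the three operations a registration/login flow needs: hashing for storage, verification, and detecting hashes that were written with a lower cost so they can be re-hashed after a successful login.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Password handling for a registration/login flow (hypothetical class, not from the post).
 * The cost factor and the "{bcrypt}" id are assumptions for this example.
 */
public class PasswordStorage {

    static final int CURRENT_COST = 12; // each +1 doubles hashing time; tune per hardware

    private final PasswordEncoder encoder;

    public PasswordStorage() {
        // DelegatingPasswordEncoder prefixes every hash with "{bcrypt}", so the algorithm or
        // cost can be changed later without invalidating rows already in the database.
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder(CURRENT_COST));
        this.encoder = new DelegatingPasswordEncoder("bcrypt", encoders);
    }

    /** Registration: the value to persist in place of the raw password. */
    public String hashForStorage(String rawPassword) {
        return encoder.encode(rawPassword); // fresh random salt on every call
    }

    /** Login: compares the raw password against the stored hash. */
    public boolean verify(String rawPassword, String storedHash) {
        return encoder.matches(rawPassword, storedHash);
    }

    /** After a successful login: was the stored hash produced with a lower cost than CURRENT_COST? */
    public boolean needsRehash(String storedHash) {
        return encoder.upgradeEncoding(storedHash);
    }

    public static void main(String[] args) {
        PasswordStorage storage = new PasswordStorage();
        String raw = "correct horse battery staple"; // constructed sample password

        String stored = storage.hashForStorage(raw);
        // Format: {bcrypt}$2a$12$<22-char salt><31-char hash>; version, cost and salt travel with the hash
        System.out.println("stored           : " + stored);
        System.out.println("match            : " + storage.verify(raw, stored));
        System.out.println("case-changed pw  : " + storage.verify("Correct horse battery staple", stored));
        System.out.println("same pw, new hash: " + !stored.equals(storage.hashForStorage(raw)));

        // Simulate a row written when the cost was still 10: flagged for re-hash at next login
        String legacy = "{bcrypt}" + new BCryptPasswordEncoder(10).encode(raw);
        System.out.println("legacy needs rehash : " + storage.needsRehash(legacy));
        System.out.println("current needs rehash: " + storage.needsRehash(stored));
    }
}
```

Calling needsRehash right after verify succeeds is the only moment the raw password is available to produce a stronger hash, which is why the cost upgrade belongs in the login handler rather than in a batch job.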

All the features the product needs have library support. Some may not come directly from Spring Security, but there are popular libraries for them that you can use.

As it is a Spring Boot project, deploying to Kubernetes is as simple as for the other existing Spring applications.

To support an OAuth2 server, I recommend taking a look at Spring Authorization Server: https://spring.io/blog/2022/11/22/spring-authorization-server-1-0-is-now-ga

Or, you can use Spring Security to provide the user management functionality and let Ory/Hydra be the OAuth2 server, if there is no requirement to customize Ory/Hydra.
