Keycloak SSO — Identity and Access Management in Practice
A practical guide to setting up Keycloak for Single Sign-On, integrating Google OAuth2, enabling email/password authentication, and deploying securely to production.
Keycloak Version: 24+ / 25+
Running Project: SecureHub — a multi-application SSO platform built end-to-end
Audience: Backend engineers, DevOps engineers, full-stack developers
What You Will Learn
- Understand OAuth2 and OpenID Connect from first principles
- Install and configure Keycloak locally using Docker
- Create realms, clients, users, groups, and roles
- Implement Authorization Code + PKCE flow for web apps
- Add Google OAuth2 social login in under 15 minutes
- Configure email/password auth with verification and MFA
- Protect PHP application routes using JWT token validation
- Manage users programmatically via the Keycloak Admin REST API
- Deploy Keycloak to production with PostgreSQL, Nginx, and TLS
Table of Contents
Chapter 01 — SSO and Identity Concepts
- 01 — What is SSO: Federation, Delegated Auth, Identity Providers
- 02 — OAuth2 and OpenID Connect: Authorization vs Authentication
- 03 — JWTs: Header, Payload, Signature, Claims, Scopes
Chapter 02 — Keycloak Introduction
- 01 — Keycloak Architecture: Realm, Client, User, Token Flows
- 02 — Keycloak vs Auth0 vs Okta vs Authentik
- 03 — Admin Console Walkthrough: Realms, Sessions, Events
Chapter 03 — Local Installation with Docker
- 01 — Docker Compose: Keycloak + PostgreSQL with Persistent Volumes
- 02 — Dev Mode vs Production Mode
- 03 — First Login, Admin Credentials, Bootstrap Realm
Chapter 04 — Realms, Clients, and Users
- 01 — Creating and Managing Realms
- 02 — Client Types: Public, Confidential, Bearer-Only
- 03 — Users, Groups, Roles, and Custom Attributes
Chapter 05 — Authentication Flows
- 01 — Authorization Code + PKCE: Step-by-Step
- 02 — Client Credentials Flow (Machine-to-Machine)
- 03 — Resource Owner Password Flow: When to Use and Avoid
Chapter 06 — Google OAuth2 Social Login
- 01 — Google Cloud Console: OAuth2 App Setup
- 02 — Keycloak Identity Provider: Linking Google to a Realm
- 03 — Attribute Mappers: Syncing Email, Name, Avatar
Chapter 07 — Email/Password Authentication
- 01 — Built-in Registration, Login, and Remember-Me
- 02 — Email Verification and Password Reset Flows
- 03 — Brute-Force Protection, TOTP/OTP MFA, WebAuthn
Chapter 08 — Roles and Authorization
- 01 — Realm Roles vs Client Roles
- 02 — Composite Roles, Role Hierarchy, Role Mappers in Tokens
- 03 — Fine-Grained Authorization: Policies, Permissions, UMA
Chapter 09 — PHP Application Integration
- 01 — OIDC Client Libraries for PHP
- 02 — Validating JWTs in PHP: Signature, exp, iss, aud
- 03 — Protecting Routes with PHP Middleware
Chapter 10 — Keycloak Admin REST API
- 01 — Getting an Admin Token, Service Account Setup
- 02 — Managing Users via API: Create, Update, Reset Password
- 03 — Realm Events, Admin Events, and Audit Logging
Chapter 11 — Cloud and Clustered Deployment
- 01 — Keycloak on Docker Swarm / Kubernetes (Helm)
- 02 — Database Clustering and Infinispan Distributed Cache
- 03 — Reverse Proxy: Nginx/Traefik, X-Forwarded Headers
Chapter 12 — Production Hardening
- 01 — TLS Termination, Certificate Management, HSTS
- 02 — Token Security: Short-Lived Tokens, Refresh Rotation
- 03 — Health Checks, Prometheus Metrics, Grafana Dashboard
Architecture Overview
```
┌──────────────────────────────────────────────────────┐
│                  Your Applications                   │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐   │
│  │  Web App A  │  │  Web App B  │  │  API / M2M  │   │
│  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘   │
│         │                │                │          │
└─────────┼────────────────┼────────────────┼──────────┘
          │ OAuth2/OIDC    │                │ Client Credentials
          ▼                ▼                ▼
┌─────────────────────────────────────────────────────┐
│                   Keycloak (IAM)                    │
│  ┌──────────┐  ┌──────────┐  ┌───────────────────┐  │
│  │ Realm A  │  │ Realm B  │  │  Identity Prov.   │  │
│  │  (prod)  │  │  (dev)   │  │  Google, GitHub   │  │
│  └──────────┘  └──────────┘  └───────────────────┘  │
└─────────────────────────────────────────────────────┘
                           │
                           ▼
                ┌────────────────────┐
                │   PostgreSQL DB    │
                └────────────────────┘
```
Prerequisites
- Docker Desktop installed
- Basic understanding of HTTP and web authentication
- A PHP project or Laravel application to integrate with
Key Technologies
| Technology | Role |
|---|---|
| Keycloak 24+ | Identity and Access Management server |
| OpenID Connect | Authentication protocol on top of OAuth2 |
| OAuth2 | Authorization framework |
| JWT | Token format for identity assertions |
| PostgreSQL | Keycloak persistent storage |
| Docker Compose | Local development environment |
| PHP 8.3 | Application integration language |