Mohammed O. Tillawy
Rails and Keycloak, Authentication Authorization, part one

First things first: what is Keycloak, and why would you want to use it with Rails?

What is Keycloak?

Keycloak is an open source identity and access management solution, hosted as a project under the CNCF.

What does that mean?
In simple words: Keycloak establishes the identity of your visitors, makes sure they are who they claim to be, and can also grant them the proper access to certain resources.

What does Keycloak do for me?

It acts as a standalone authentication system for all your applications: Rails, Django, Node, etc.
Each application is an OpenID Connect client that trusts Keycloak.
Keycloak lets you keep all authentication logic out of your application.
For example:

  • You can set up Google, Microsoft and GitHub login once in Keycloak, and all your applications get them for free.
  • Web Authentication, user registration, forgot password, etc ...

Keycloak is highly configurable. You can change Keycloak's behavior without deployment.
You can configure Keycloak using:

  1. Keycloak web interface
  2. Terraform or OpenTofu, using the Keycloak terraform-provider
  3. REST API
  4. Third party libraries that use Keycloak REST APIs, for example Keycloak Admin Ruby

Keycloak is also highly themeable.

Shall I use Keycloak with Ruby on Rails?

Authentication

Authentication means making sure someone is in fact who they claim to be.

There are numerous options for authentication for Rails, for example:

Option 1:

You can keep things simple and use the authenticate_by method built into Rails.

```ruby
class User < ActiveRecord::Base
  # has_secure_password stores a bcrypt hash in password_digest (requires the bcrypt gem)
  has_secure_password
end

User.create(name: "John Doe", email: "jdoe@example.com", password: "abc123")

# authenticate_by (Rails 7.1+) returns the user on success and nil on failure;
# it checks the password even when no user matches, so lookup time does not leak whether the email exists
User.authenticate_by(email: "jdoe@example.com", password: "abc123").name
```

Option 2:

Use the devise gem, which is probably the most popular Rails authentication system.

Option 3:

Use the revise gem, which is very similar to devise.

Whatever option you choose, you won't go wrong.
But what if you want your users to log in seamlessly with the same credentials across your other applications?

You can use the doorkeeper gem, which can turn your Rails application into an identity provider. But this means that one of your applications becomes the single source of truth for user management.

Authorization

Authorization means granting users access to specific resources after being authenticated successfully.

There are several options, for example:

  1. CanCanCan.
  2. Pundit.

Both are great options: they are built for Rails, and each has its own fan base.

Can Keycloak totally replace Rails authorization systems?

Nope.
CanCanCan and Pundit have the advantage of database access, so they can offer fine-grained access control for every user and record.

Can Keycloak support Rails authorization systems?

If Keycloak has the users classified into groups, and those groups are granted roles, the roles travel inside the access token and Keycloak can offer an extra, coarse-grained layer of security for APIs on top of the application's own authorization.
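As an added illustration of that two-layer split (this is not code from the post; the RSA key pair, the token claims and the document record are constructed for the demo, and real deployments fetch the realm's public key from Keycloak's JWKS endpoint), the following Ruby verifies a Keycloak-style RS256 access token and requires a realm role before handing off to an application-level ownership check:

```ruby
require 'openssl'
require 'json'

# Keycloak signs access tokens with RS256 and publishes the realm public key.
# A throwaway key pair stands in for the realm key in this demo (constructed).
REALM_KEY = OpenSSL::PKey::RSA.new(2048)

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str + '=' * ((4 - str.length % 4) % 4)
  padded.tr('-_', '+/').unpack1('m0')
end

# Mint a token shaped like Keycloak's (constructed sample, only to exercise the checks below).
def issue_token(key, claims)
  header = b64url_encode(JSON.generate({ alg: 'RS256', typ: 'JWT' }))
  payload = b64url_encode(JSON.generate(claims))
  sig = key.sign(OpenSSL::Digest.new('SHA256'), "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url_encode(sig)}"
end

# Coarse layer (Keycloak): check the algorithm, the signature, the expiry, and that the
# required realm role is present. Keycloak places realm roles under realm_access.roles.
# Returns the claims on success, nil on any failure.
def verify_keycloak_token(token, public_key, required_role:, now: Time.now.to_i)
  header, payload, sig = token.split('.')
  return nil unless header && payload && sig
  return nil unless JSON.parse(b64url_decode(header))['alg'] == 'RS256' # reject alg=none, HS256 etc.
  signed = "#{header}.#{payload}"
  return nil unless public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig), signed)
  claims = JSON.parse(b64url_decode(payload))
  return nil if claims['exp'].nil? || claims['exp'] <= now
  roles = claims.dig('realm_access', 'roles') || []
  roles.include?(required_role) ? claims : nil
rescue OpenSSL::PKey::PKeyError, JSON::ParserError, ArgumentError
  nil
end

# Fine-grained layer (application database, Pundit/CanCanCan territory): the token proves the
# caller is an editor, but only the owner of a given document may update it.
def authorize_update?(claims, document)
  !claims.nil? && claims['sub'] == document[:owner_sub]
end
```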

We will set up Keycloak authorization for APIs in part three of this series.

In part two of this series, we will:

  • Set up Keycloak using Docker and Terraform (or OpenTofu)
  • Create a Rails demo application and connect it to Keycloak using OmniAuth.

In part three of this series, we will:

  • Set up Rails with Keycloak for authorization
