SSO and Authentication Protocols

Single Sign-On (SSO)

Single Sign-On (SSO) is an authentication mechanism that allows users to log in once and gain access to multiple applications without re-entering credentials. Keycloak implements SSO using browser-based session cookies scoped to a Realm.

When a user authenticates with Keycloak:

  1. Keycloak establishes a session and issues a session cookie in the browser.
  2. When the user accesses another application registered in the same Realm, the application redirects to Keycloak.
  3. Keycloak detects the existing session cookie and issues a new token to the application without prompting the user to log in again.

SSO applies within a single Realm. Users must authenticate separately in different Realms.

Single Logout (SLO)

Keycloak also supports Single Logout (SLO). When a user logs out from one application, Keycloak can propagate the logout to all other applications that share the same SSO session, terminating all active sessions simultaneously.

Supported Protocols

Keycloak supports three major identity and authorization protocols:

OpenID Connect (OIDC)

OpenID Connect is a modern identity layer built on top of OAuth 2.0. It is the recommended protocol for most new applications.

Key concepts:

Concept            Description
ID Token           A JSON Web Token (JWT) containing identity claims about the authenticated user
Access Token       A token granting access to a protected resource or API
Refresh Token      A long-lived token used to obtain new access tokens without re-authentication
UserInfo Endpoint  A protected endpoint that returns claims about the authenticated user

Common OIDC flows supported by Keycloak:

  • Authorization Code Flow: The standard flow for server-side web applications. The client exchanges an authorization code for tokens.
  • Authorization Code Flow with PKCE: The recommended flow for single-page applications (SPAs) and mobile apps. Adds a code challenge so that an authorization code intercepted on the redirect cannot be exchanged for tokens without the matching code verifier.
  • Client Credentials Flow: Used for machine-to-machine (M2M) communication where no user is involved.
  • Device Authorization Flow: Used for devices with limited input capabilities (smart TVs, IoT devices).
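The PKCE step described above, as an added example (not code from the Keycloak project): the client generates a code_verifier and its S256 code_challenge, sends the challenge on the authorization request to the realm's OIDC auth endpoint, and the authorization server later recomputes the hash from the verifier presented at the token endpoint. The Keycloak base URL, realm, client_id and redirect URI are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholders; replace with the real Keycloak deployment, realm and client.
KEYCLOAK_BASE = "https://keycloak.example.com"
REALM = "demo"
CLIENT_ID = "spa-client"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method."""
    # 32 random bytes give a 43-character verifier, the RFC 7636 minimum length.
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def authorization_url(code_challenge: str, state: str, nonce: str) -> str:
    """Authorization Code + PKCE request to the realm's OpenID Connect auth endpoint.
    state ties the callback to this browser session; nonce binds the ID token to it."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return (
        f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?"
        + urlencode(params)
    )


def verify_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """Authorization-server side check at the token endpoint: the SHA-256 of the
    presented verifier must equal the challenge stored with the authorization code.
    A stolen code alone fails here because the attacker never saw the verifier."""
    recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(authorization_url(challenge, state=secrets.token_urlsafe(16), nonce=secrets.token_urlsafe(16)))
    print("verifier accepted:", verify_pkce(verifier, challenge))
```

The client keeps the verifier in memory only and sends it once, on the code-for-token exchange; the challenge is the only PKCE value that ever travels through the browser redirect.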

OAuth 2.0

OAuth 2.0 is an authorization framework that allows applications to obtain limited access to user accounts on a third-party service. Keycloak acts as the Authorization Server in OAuth 2.0 flows.

Keycloak supports all standard OAuth 2.0 grant types:

Grant Type          Use Case
authorization_code  Web and mobile applications with a user present
client_credentials  Service-to-service authentication
refresh_token       Obtaining new access tokens using a refresh token
device_code         Browserless or input-constrained devices

SAML 2.0

Security Assertion Markup Language (SAML) 2.0 is an XML-based protocol widely used in enterprise identity federation. Keycloak supports SAML as both a Service Provider (SP) and an Identity Provider (IdP).

Common SAML use cases in Keycloak:

  • Integrating with enterprise identity providers (Active Directory Federation Services, Azure AD) that use SAML.
  • Providing SSO for legacy enterprise applications that only support SAML.

Protocol Selection Guide

Scenario                       Recommended Protocol
New web application            OpenID Connect (Authorization Code + PKCE)
Single-page application (SPA)  OpenID Connect (Authorization Code + PKCE)
Mobile application             OpenID Connect (Authorization Code + PKCE)
Microservice / API access      OAuth 2.0 (Client Credentials)
Legacy enterprise application  SAML 2.0
IoT / smart device             OpenID Connect (Device Authorization Flow)

Token Lifecycle

Keycloak issues time-limited tokens. Token lifespans are configurable per Realm:

Token Type     Default Lifespan            Configuration
Access Token   5 minutes                   accessTokenLifespan
Refresh Token  30 minutes (session-bound)  ssoSessionMaxLifespan
ID Token       5 minutes                   Same as access token

Short-lived access tokens limit the window in which a stolen token remains usable. Applications should use the refresh token to obtain new access tokens transparently, without involving the user.
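The lifecycle rules in the table above, as an added example that is not Keycloak code: a client verifies an access token, decides when to refresh it ahead of expiry, and honours the fact that the refresh token is bound to the SSO session. The sample token is constructed here and signed with HS256 over a shared secret so the example runs offline; Keycloak signs realm tokens with RS256 by default, so a real client verifies against the realm's published keys rather than a shared key. The 300 s and 1800 s values are the defaults from the table; the key and subject are constructed.

```python
import base64
import hashlib
import hmac
import json

# Defaults from the token lifecycle table: access token 5 min, SSO session max 30 min.
ACCESS_TOKEN_LIFESPAN = 300
SSO_SESSION_MAX_LIFESPAN = 1800


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop the padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(subject: str, issued_at: int, key: bytes) -> str:
    """Constructed sample: an HS256-signed JWT whose exp follows accessTokenLifespan.
    Stands in for the token Keycloak's token endpoint would return."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + ACCESS_TOKEN_LIFESPAN}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def verify_access_token(token: str, key: bytes, now: int, leeway: int = 0) -> dict:
    """Check the algorithm, then the signature, then exp. Raises ValueError on failure.
    Pinning the expected algorithm before verifying blocks alg-confusion tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if now >= claims["exp"] + leeway:
        raise ValueError("token expired")
    return claims


def token_is_valid(token: str, key: bytes, now: int) -> bool:
    """Boolean wrapper around verify_access_token for callers that only need yes/no."""
    try:
        verify_access_token(token, key, now)
        return True
    except ValueError:
        return False


def should_refresh(claims: dict, now: int, margin: int = 30) -> bool:
    """Refresh while the access token is still valid but has less than `margin`
    seconds left, so a request already in flight does not fail on expiry."""
    return claims["exp"] - now <= margin


def refresh_permitted(session_started: int, now: int) -> bool:
    """The refresh token is bound to the SSO session: once ssoSessionMaxLifespan has
    elapsed since login, refreshing is refused and the user must log in again."""
    return now - session_started < SSO_SESSION_MAX_LIFESPAN


if __name__ == "__main__":
    KEY = b"constructed-demo-key"   # constructed; never a real Keycloak secret
    T0 = 1_700_000_000             # constructed login time (epoch seconds)
    token = issue_access_token("alice", T0, KEY)
    claims = verify_access_token(token, KEY, T0 + 10)
    print("valid for", claims["exp"] - (T0 + 10), "more seconds")
    print("refresh now?", should_refresh(claims, T0 + 280))
    print("refresh still allowed after 35 min?", refresh_permitted(T0, T0 + 2100))
```

The refresh decision and the session bound are kept separate on purpose: a client may find its access token about to expire yet be unable to refresh because the SSO session has reached ssoSessionMaxLifespan, and that case must be surfaced as a fresh login rather than retried.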