Saturday, 20 September 2025

What is Keycloak?

Keycloak is an open-source Identity and Access Management (IAM) tool that manages user authentication and access control for applications and services. It provides centralized security through features such as Single Sign-On (SSO), identity brokering (connecting to external identity providers like Google or corporate directories), and user management, and it secures web applications, mobile apps, and REST APIs by simplifying the work of adding authentication and protecting services.

Features & Use Cases:

  • Single Sign-On (SSO): Users log in once to Keycloak and can then access multiple connected applications without re-entering their credentials.
  • Identity Brokering: Allows users to log in using existing external identity providers, such as social media accounts (like Google or Facebook) or enterprise user directories like LDAP and Active Directory.
  • Authentication & Authorization: Keycloak verifies a user's identity and then grants or denies access to resources based on defined policies.
  • User Management: Provides an Admin Console for configuring users, roles, and groups, and an Account Management Console for users to manage their own profiles.
  • Security Protocols: Supports the standard protocols OpenID Connect and SAML 2.0, issuing signed tokens (JWTs for OIDC, XML assertions for SAML) that applications verify before trusting the identity they carry.
  • Client Adapters: Help secure different types of applications (web, mobile, REST APIs) with minimal effort.
  • Customization: Offers theming for UI customization and extensibility through custom code, as well as the ability to define password policies.

What is Okta?

Okta is a cloud-based identity and access management (IAM) platform that secures and streamlines user access to applications and resources across any device. It provides Single Sign-On (SSO) to reduce multiple logins, enables multi-factor authentication (MFA) for added security, and offers administrative tools to manage user identities and access policies for both employees and customers.

Key Functions:

  • Single Sign-On (SSO): Users can log in once to access all their connected applications and services without re-entering credentials for each one.
  • Multi-Factor Authentication (MFA): Adds layers of security beyond a simple password by requiring users to provide multiple forms of verification, such as a code from a mobile app or a fingerprint.
  • Universal Directory: A centralized user directory that manages identities across different applications, simplifying user provisioning and deprovisioning.
  • Adaptive Security Policies: Allows administrators to set dynamic security rules based on factors like a user's location, device, or behavior, providing flexible and responsive security.
  • Integration and Connectivity: Okta integrates with thousands of applications through its Okta Integration Network (OIN), connecting any user to any application.
  • Developer Tools: Provides APIs and SDKs for developers to build identity controls directly into their own applications.

Difference between OAuth 2.0 and OpenID Connect

OAuth 2.0 is an authorization framework for granting limited access to resources, while OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0. It gives clients a standardized way to verify a user's identity and obtain basic profile information through an ID Token (a JWT) issued alongside the OAuth access token.

OAuth 2.0 Flow (Authorization)
  • Focus: Grants access to resources (e.g. an API) on behalf of a user.
  • Purpose: Allows a third-party application to perform actions or access data on another service without needing the user's credentials.
  • Tokens: Issues an Access Token, which the client presents to the resource server (API) to access the user's resources; the client itself should treat it as opaque.
  • User Information: Does not standardize or provide user identity information; its focus is on the granted permissions (scopes).
OpenID Connect Flow (Authentication)
  • Focus: Authenticates a user and provides identity information to the client application.
  • Purpose: Enables Single Sign-On (SSO) and allows applications to get basic user profile data, such as name and email.
  • Tokens: Issues both an Access Token and an ID Token. The ID Token is a JWT containing user identity and authentication details (issuer, subject, audience, issue and expiry times, and the nonce from the request); it is meant for the client, which must validate its signature and those claims before trusting it, and it is not a credential for calling APIs.
  • User Information: Defines scopes like openid, profile, and email to request specific user profile claims, which are returned in the ID Token or from the UserInfo endpoint.
  • Mechanism: It's an extension of OAuth 2.0; including the openid scope in the authorization request is what makes it an OIDC request.
Summary