Solution to the installation problem : Keycloak M1 Chip

Hello, My name is Ashi Singh.

I joined KINTO Technologies in Feb 2022, and am part of the Global Development Group. I am an application developer and currently working as an engineer on the back office system being developed by Global Development G.

Overview

My team is in charge of developing and maintaining microservices as a base package for use of other global teams. Authentication and authorization are the main features that we want to include in this base package. We want an authentication solution that does not depend much on cloud technology so we decided to investigate Keycloak as a possible choice.

What is Keycloak?

Keycloak is an open-source identity access and management (IAM) solution that adds authentication to applications and secure services with minimum effort. Keycloak provides user federation, strong authentication, user management and more. Keycloak supports mainly three types of protocols, which include OpenID Connect, OAuth 2.0, and SAML 2.0. It supports both Single Sign-On and Single Sign-Out fully. It is fast and flexible and has the capability to manage the accounts of users seamlessly and maintain data as well as sessions.

Keycloak Official Page

Keycloak was interesting to us because in the future we wanted to use it with different cloud architectures and we did not want to restrict ourselves to a single one.

Problem

In order to start our investigation of Keycloak, the first step is to test it out on our local environment.

In our team, we have equal number of developers using Windows and MacOS. (KINTO Technologies lets us use whichever OS we are most comfortable with!)

During this initial set-up, we found that Windows users as well as MacOS with Intel chip users have no problem with the Keycloak docker image. However, those with newer MacOS machines - mainly the M1 chip - ran into an error whenever you tried to start it up.

Settings used before errors are given below :

• Keycloak Docker Image Version : jboss/keycloak:16.1.1
  [This image was used because image jboss/keycloak:16.1.1 was the latest one used in the project . Also easy to do configuration with that]
• My Local PC Version : MacBook Air (M1, 2020) Apple M1 [macOS Monterey]

Solution

As when I was working with M1 machine in the team, I got assigned to the task. During my deep dive into the problem, I found that the JBoss image that Keycloak is using is not compatible with the M1 chip.

The one solution I found was changing the docker image in the Mac M1 machine. So in Mac M1 we are using wizzn/keycloak:14 as the Keycloak docker image instead of the usual jboss/keycloak:16.1.1 image. Changes in the configuration files are needed as well in order to make it work.

Changes needed

1. docker-compose.yml

The first step to run Keycloak on local is to change the docker image to wizzn/keycloak:14.

Change the order in the volumes section like this:

volumes:
- ./custom-scripts/:/opt/jboss/startup-scripts/ 
- ./import/backoffice-realm.json:/tmp/backoffice-realm.json.orig #move to after startup-scripts
- ./keycloak/themes/your-default-theme:/opt/jboss/keycloak/themes/your-default-theme
- ./keycloak/configuration/mysql/change-database.cli:/opt/jboss/tools/cli/databases/mysql/change-database.cli #move to the last

All the other scripts that are required to be added in the volume section can be added in the middle of ./import/backoffice-realm.json and ./keycloak/configuration/mysql/change-database.cli

2. change-database.cli

Then we remove the explicitly defined database settings that are already defined in database (change-database.cli) file.

In this file, we make the changes as shown in green

3. Changes in the Dockerfile

In the Dockerfile change the docker image as wizzn/keycloak:14

4. Run the Keycloak

Run the Keycloak using docker compose up -d

Keycloak: Good or Bad?

After this initial hiccup, we manage to run Keycloak efficiently on both Windows and MacOS systems.

We were able to confirm Keycloak features like out-of-the-box user and role management, MFA authentication, session management, among others. Using Keycloak would save us time compared to us developing those features by ourselves. There is also an option to link various social networks like facebook, twitter, etc., so that you can easily implement social login if needed.

But still, there are some areas that need to be addressed. In Keycloak the customization is quite difficult and it needs more time for the developers to do the changes. Keycloak is still an open-source project so you do not have any guarantee provided by its developer about the road map, and things like bugfixes are taken care of via GitHub issues with no hard deadlines for response time.

But as said if there is a solution then it will have some cons, but the ability to easily manage and run this solution outweighs other criteria as it can be used as a major solution going forward.