Attending this event?
Back To Schedule
Friday, January 28 • 12:30pm - 1:20pm
New storage for Keycloak

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Keycloak (https://www.keycloak.org/) is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code. To provide identity and metadata about identity of the accessing subject, it processes a significant amount of data about users, groups, requesting applications and many more.

A couple of components are used in this processing, and one of them is (obviously) a storage. Current storage is a combination of relational database and Infinispan. With a greater adoption, it turned out that it has not been designed for a load and extendability that is requested today from a modern project - e.g. it is not possible to freely upgrade Keycloak store without downtime, some use cases hit performance limits, and it is very hard to extend apart from a custom user storage. These drawbacks then led to the decision to spin up a development of completely new store that would address all of the following features:

- No-downtime upgradability
- Fix performance issues of the current storage
- Make it easy to implement and plug in a custom store for selected area (e.g. roles, users)
- Support for text-file configuration
- Support for cloud storages

The newly developed storage is called map storage. It extracts CRUD operations from the existing Keycloak storage layer, and exposes them to the developer. A custom storage can then be developed by implementing this simpler generic interface. This is an improved experience in comparison with the current storage where a number of very specific methods would have to be implemented. This makes it easy to e.g. implement a purely in-memory storage that would read its state from an external YAML file which could be provided e.g. from a Kubernetes configuration.

The other interesting aspect is composition of map storages into a tree. This is needed for example for composing the storages (this is called a federation in the current storage), and adding a caching layer on top of storages. The tree structure allows for creating a flexible structure on the map storage, and brings its own set of problems e.g. with invalidations.

The development of this store has been started already and we are in the middle of getting the new store to a production-ready grade. At this stage, there is an in-memory store available, and there is ongoing development of Postgresql and Infinispan / Hot Rod stores.

In the talks, we will describe the current state of the development as well as methodology on how to create a new custom map storage, and dive into the details of the tree storage and what is needed to build a custom map storage integrable into a tree storage.

Session chairs: Lubomir Terifaj and Michal Ruprich


Hynek Mlnařík

Keycloak maintainer, Associate Manager, Red Hat
Hynek leads the development of the new storage layer for Keycloak.

Michal Hajas

Senior Software Engineer, Red Hat
Michal is a senior software engineer working in Red Hat on the Keycloak project for 6 years. He started on a quality engineering position and then moved to the developer's team to be part of a sub-team working on the architecture and implementation of the new storage layer.

Friday January 28, 2022 12:30pm - 1:20pm CET
Session Room 3