Does Keycloak need a database
I have set up Keycloak as a SAML broker, and authentication is done by an external IdP provided by the authorities. Users logging in using this IdP are all accepted and all we need from Keycloak is an OAuth token to access our system. I have tried both the default setup using H2 and running with an external MariaDB.

The external IdP provides us with a full name of the user and a personal ID. Both data are covered by GDPR and I really do not like the sound of storing that data in a database running in the DMZ. Opening up for Keycloak to access a database in the backend is also not a good solution, especially when I do not need users to be stored.

The benefit of running without a database is that I have a simpler DMZ setup as I really do not need to store anything about the users but on the backend.

Do I need a database, and if not how do I run Keycloak without it?

Cambridge answered 25/3, 2021 at 14:39 Comment(0)

Do I need a database, and if not how do I run Keycloak without it?

Yes, however, out-of-the-box Keycloak runs without having to deploy any external DB. From the Keycloak official documentation section Relational Database Setup one can read:

Keycloak comes with its own embedded Java-based relational database called H2. This is the default database that Keycloak will use to persist data and really only exists so that you can run the authentication server out of the box.

So out-of-the-box you cannot run Keycloak without a DB.

That being said, from the same documentation one can read:

We highly recommend that you replace it with a more production ready external database. The H2 database is not very viable in high concurrency situations and should not be used in a cluster either.

So regarding this:

The benefit of running without a database is that I have a simpler DMZ setup as I really do not need to store anything about the users but on the backend.

You would still be better off deploying another DB, because Keycloak stores more than just the users' information in the DB (e.g., realm information, groups, roles and so on).

The external IdP provides us with a full name of the user and a personal ID. Both data are covered by GDPR and I really do not like the sound of storing that data in a database running in the DMZ. Opening up for Keycloak to access a database in the backend is also not a good solution, especially when I do not need users to be stored.

You can configure that IdP and Keycloak in a manner that the users are not imported into Keycloak whenever those users authenticate.

Becka answered 25/3, 2021 at 14:43 Comment(0)
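Added example (not part of either post above): before deciding whether a database in the DMZ is acceptable, it helps to see exactly which IdP-sourced personal values a brokered login leaves in Keycloak's tables when the broker is left at its defaults (user imported, attribute mappers copying name and personal ID onto the local user). The script below builds an in-memory SQLite copy of a cut-down subset of three Keycloak tables (USER_ENTITY, USER_ATTRIBUTE, FEDERATED_IDENTITY), inserts one constructed brokered user, and runs the inventory query. The column names follow Keycloak's schema, but the subset of columns, the realm name, the attribute name `personal_id` and all sample values are assumptions for the demo; the same SELECT can be pointed at the real H2 or MariaDB database to audit what is actually stored.

```python
"""Inventory the personal data a brokered login leaves in Keycloak's DB.

Constructed demo: an in-memory SQLite database holding a reduced copy of
three Keycloak tables. Column names match Keycloak's schema; the column
subset, realm name and sample rows are assumptions made for this example.
"""
import sqlite3

SCHEMA = """
CREATE TABLE USER_ENTITY (
  ID TEXT PRIMARY KEY, USERNAME TEXT, FIRST_NAME TEXT, LAST_NAME TEXT,
  EMAIL TEXT, REALM_ID TEXT, CREATED_TIMESTAMP INTEGER);
CREATE TABLE USER_ATTRIBUTE (
  ID TEXT PRIMARY KEY, USER_ID TEXT, NAME TEXT, VALUE TEXT);
CREATE TABLE FEDERATED_IDENTITY (
  IDENTITY_PROVIDER TEXT, REALM_ID TEXT, FEDERATED_USER_ID TEXT,
  FEDERATED_USERNAME TEXT, TOKEN TEXT, USER_ID TEXT);
"""

# Constructed rows: what a first brokered login through a SAML IdP typically
# leaves behind with default broker settings (user imported, mappers copying
# the name and the personal ID onto the local user). All values are made up.
SAMPLE_ROWS = [
    ("INSERT INTO USER_ENTITY VALUES (?,?,?,?,?,?,?)",
     ("u-1", "jane.doe", "Jane", "Doe", None, "myrealm", 1616683140000)),
    ("INSERT INTO USER_ATTRIBUTE VALUES (?,?,?,?)",
     ("a-1", "u-1", "personal_id", "010180-1234")),  # constructed value
    ("INSERT INTO FEDERATED_IDENTITY VALUES (?,?,?,?,?,?)",
     ("national-idp", "myrealm", "idp-subject-42", "jane.doe", None, "u-1")),
]


def open_demo_db():
    """Create the constructed database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, params in SAMPLE_ROWS:
        conn.execute(sql, params)
    conn.commit()
    return conn


def personal_data_inventory(conn, realm):
    """Per local user: profile fields, custom attributes and broker links.

    LEFT JOINs keep users that have no attributes or no broker link, so a
    locally created admin account shows up as well.
    """
    sql = """
    SELECT u.ID, u.USERNAME, u.FIRST_NAME, u.LAST_NAME, u.EMAIL,
           a.NAME, a.VALUE, f.IDENTITY_PROVIDER, f.FEDERATED_USER_ID
      FROM USER_ENTITY u
      LEFT JOIN USER_ATTRIBUTE a ON a.USER_ID = u.ID
      LEFT JOIN FEDERATED_IDENTITY f ON f.USER_ID = u.ID
     WHERE u.REALM_ID = ?
    """
    users = {}
    for (uid, username, first, last, email,
         aname, avalue, idp, fed_id) in conn.execute(sql, (realm,)):
        u = users.setdefault(uid, {
            "username": username, "first_name": first, "last_name": last,
            "email": email, "attributes": {}, "brokered_from": []})
        if aname is not None:
            u["attributes"][aname] = avalue
        if idp is not None and (idp, fed_id) not in u["brokered_from"]:
            u["brokered_from"].append((idp, fed_id))
    return users


def stored_personal_fields(conn, realm):
    """Names of fields that actually hold a value for at least one user.

    This is the list to weigh against the GDPR concern for a database that
    lives in the DMZ: every name returned here is data Keycloak persisted.
    """
    found = set()
    for u in personal_data_inventory(conn, realm).values():
        for key in ("first_name", "last_name", "email"):
            if u[key]:
                found.add(key)
        found.update(u["attributes"])
        if u["brokered_from"]:
            found.add("federated_user_id")
    return found


if __name__ == "__main__":
    db = open_demo_db()
    for uid, info in personal_data_inventory(db, "myrealm").items():
        print(uid, info)
    print("stored:", sorted(stored_personal_fields(db, "myrealm")))
```

Run against the demo it reports first name, last name, the `personal_id` attribute and the IdP subject identifier, i.e. exactly the data the question wants to keep out of the DMZ. Against a real deployment, replace `open_demo_db()` with a connection to the Keycloak database and keep the queries as they are.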
