I’ve lost count of how many times I’ve done this:

  • start a project
  • build a login screen
  • build the login procedure
  • think for a couple of minutes/hours/days about password storage
  • debug the login screen
  • debug the login procedure
  • build a “what’s my password” feature
  • build a “manage my account” feature
  • integrate with social logins
  • debug the social logins
  • start the actual project

And in the end, we are never sure whether we missed something, especially when it comes to security. Reminder: broken authentication and session management sits at position 2 of OWASP’s Top 10.

If this sounds like something you’ve done as well, I’d recommend taking a look at the Keycloak project. It’s open source software for managing the users of your application, with a whole lot of the features you’d expect from a tool like this.

Granted, the tool is still in alpha, but I’m already using it for a couple of personal projects, with great success. Of special mention is the ability to easily detach your front end from your backend by using JSON Web Tokens: with them, you don’t need to keep any state on the server side, which is usually a problem for APIs whose main consumer is a front end application.

And if your application happens to be hosted on WildFly/JBoss AS, you can use the Keycloak subsystem and have your application be agnostic of the authentication/authorization procedures. It’s JAAS being cool again :-)