DEV Community: Samuel Mutemi

Microservices or Micro-progress? The Perils of Pre-Scaling Too Soon

Samuel Mutemi — Fri, 15 Aug 2025 21:28:09 +0000

The Grand Illusion of "Future-Proof" Code

Ah, the siren song of scalability. It whispers sweet nothings into our ears: "Build it right the first time," "You’ll thank yourself later," "What if you get 10 million users tomorrow?" And before you know it, you’ve spent three months architecting a dazzling microservices masterpiece, only to realize your "scalable" app has exactly one user: you, refreshing the page in incognito mode.

This was me. I was that developer. Convinced that my side project needed a Kubernetes cluster, a distributed notification system, and a payment service that could handle Stripe-level traffic, despite the fact that my MVP was still just a glorified to-do list.

The Hard Truth: Scale Doesn’t Matter If Nobody Cares

Here’s the uncomfortable reality: You cannot optimize for problems you don’t have yet.

Are you drowning in user traffic? → No? Then why are you building a CDN?
Do you have 10,000 concurrent payment requests? → No? Then why are you overengineering Stripe?
Are your notifications crashing under load? → No? Then why did you build a pub-sub system when Novu’s free tier exists?

I had to face the music: I wasn’t building for scale, I was procrasti-scaling. Avoiding the real work (making something people actually wanted) by obsessing over infrastructure that might matter someday.

The Pivot: From Over-Engineered to "Good Enough"

So I did the unthinkable: I deleted months of work and replaced it with:

Supabase (Auth + DB) → Free tier. Works. Done.
Novu (Notifications) → Free tier. Works. Done.
Stripe (Payments) → Basic integration. Works. Done.

Suddenly, I was making real progress - not on infrastructure, but on the actual product. And guess what? If (big if) my app ever outgrows these tools, I’ll cross that bridge when I get there.

The Lesson: Build Stupid First

Your first version should be embarrassingly simple. Not because you’re lazy, but because:

You don’t yet know what needs scaling. (Most things won’t.)
Premature optimization is the root of all evil. (Or at least wasted time.)
Your biggest risk isn’t scale, it’s building something nobody wants.

So next time you catch yourself designing a Kafka pipeline for your cat blog, ask:

"Is this solving a real problem, or just my fear of hypothetical ones?"

Because in the end, a working app with limits beats an unfinished "scalable" one every time.

Now go build something stupid. You can always make it smart later. 🚀

Setting Up Keycloak for Passwordless Authentication

Samuel Mutemi — Wed, 28 May 2025 09:57:59 +0000

Passwordless authentication is becoming a must-have for modern applications, no more forgotten passwords, just seamless access via magic links, biometrics, or security keys. Keycloak, the popular open-source identity and access management solution, makes implementing passwordless auth surprisingly straightforward.

In this guide, we’ll walk through configuring Keycloak to support email-based magic links (a common passwordless approach). Let’s dive in!

Prerequisites

A running Keycloak instance (v20+)
SMTP server access (for sending magic links)
Basic familiarity with Keycloak admin console

Step 1: Enable Email Verification

Since passwordless auth relies on email links, we first need to ensure Keycloak can send emails.

Configure SMTP settings
- Go to Realm Settings → Email
- Fill in your SMTP server details (e.g., Gmail, SendGrid, Postmark)

   Host: smtp.example.com  
   Port: 587  
   From: no-reply@yourdomain.com  
   Enable SSL/TLS: Yes  
   Authentication: Enabled (provide credentials)

Test email delivery
- Click Test connection to verify everything works.

Step 2: Set Up Passwordless Authentication Flow

Keycloak uses authentication flows to define login steps. We’ll customize the default flow.

Create a new authentication flow
- Navigate to Authentication → Flows
- Click New flow, name it (e.g., "Passwordless Email")
Add required steps
- Under your new flow, add these executions:
  - Username Form (for email input)
  - Send Email Verification Link (replaces password check)
  - Conditional User Role (optional, for additional security)
Disable password requirement
- Go to Realm Settings → Login
- Disable "Password" as a required credential

Step 3: Customize the Magic Link Email

Keycloak sends a verification email, let’s make it user-friendly.

Edit the email template
- Go to Realm Settings → Email → Templates
- Modify "Verify Email" to include a clear call-to-action:

   <p>Click below to log in:</p>  
   <a href="${url}" style="background: #2563eb; color: white; padding: 10px 20px; text-decoration: none; border-radius: 5px;">Sign In Instantly</a>

Set link expiration
- Under Realm Settings → Tokens, adjust "Email Verification Link Lifespan" (e.g., 15 minutes).

Step 4: Test the Flow

Try logging in as a test user.
Instead of a password field, you’ll see an email input.
After submitting, check your inbox for the magic link.
Clicking it should log you in directly!

Bonus: Adding WebAuthn (Biometric Auth)

For a more advanced passwordless experience, enable WebAuthn (for security keys/biometrics):

Go to Authentication → Flows
Add "WebAuthn Authenticator" as an alternative.

Final Thoughts

Keycloak makes passwordless auth surprisingly simple. With just a few tweaks, you can replace clunky passwords with secure, user-friendly magic links or biometric logins.

Need help? Check out the official Keycloak docs or drop a question below!

AI in Corporate: The Coming Wave of Disastrous Blunders

Samuel Mutemi — Wed, 14 May 2025 18:50:38 +0000

How AI-Powered Tools Will Accidentally Wreck Prod (And Maybe Some Companies)

We’re in the early days of AI integration in corporate environments, and I’m willing to bet we’re about to see an avalanche of catastrophic mistakes.

Picture this:

A well-meaning infrastructure engineer, eager to speed up their workflow, starts using an AI-powered IDE like Cursor with the "auto-perform commands" feature enabled. They explain a problem—maybe not perfectly, maybe missing some key context—and the AI, confident as ever, starts running terminal commands the engineer has never even seen before.

Before they know it:

Database tables are dropped.
Configs are overwritten.
Prod is a smoking crater.

And the worst part? No one fully understands what happened because the AI made decisions based on incomplete or misinterpreted context.

Why This Will Happen Over and Over

Over-Trust in AI’s “Understanding”
- AI doesn’t reason—it predicts. If your prompt is ambiguous, it will still generate something, and that something might be rm -rf in the wrong directory.
The Illusion of Control
- Tools that auto-execute commands (like GitHub Copilot with shell gen, Cursor’s AI agent, etc.) remove the human review step. Engineers might assume the AI "gets it" until it very clearly doesn’t.
Silent Failures
- Unlike a human who might say "Wait, this looks dangerous," AI will happily run destructive commands with confidence. By the time logs are checked, it’s too late.

The Fallout: AI Will Kill Some Companies

We’ve already seen AI blunders:

Legal briefs citing fake cases (because the AI hallucinated precedents).
Customer service bots going rogue (see: Air Canada’s chatbot inventing refund policies).

Now imagine:

A fintech AI misinterprets a deployment script and wipes transaction records.
A cloud AI "optimizes" costs by deleting "unused" resources… like prod databases.

Some companies won’t recover from these mistakes—especially if they happen at scale.

How to Survive the AI Wild West

Treat AI Like a Junior Dev Who Lies Sometimes
- Always review generated code/commands before execution.
- Sandbox everything before it touches prod.
Disable Auto-Execute (For Now)
- Tools that let AI run commands directly are dangerous. Keep it in "suggestion mode" until guardrails improve.
Assume It Will Fail
- Log every AI-generated action.
- Build rollback plans for when (not if) AI breaks something.

The Bottom Line

AI is powerful, but we’re in the "move fast and break things" phase—except now, the "things" might be entire companies.

Brace for the chaos. The first wave of AI-induced disasters is coming.

What’s the worst AI blunder you’ve seen (or caused)? Drop your horror stories below. 👇

AI Won’t Replace Developers Anytime Soon—Here’s Why

Samuel Mutemi — Wed, 07 May 2025 18:15:53 +0000

(Critiques of the distant future, please consider the date of publication 😅)

The Promise (and Pitfalls) of AI-Generated Code

AI coding assistants like Cursor and Claude have been game-changers for developer productivity. They can scaffold entire applications, debug tricky issues, and even explain complex concepts in seconds. But can they fully replace software engineers?

Not yet—and here’s a funny (and frustrating) example of why.

The Case of the Broken Countdown Timer

I recently asked Cursor to generate a Next.js landing page with a countdown timer to my product launch. It did most of the work well—the UI looked great, the logic seemed sound, but when I tested it… the timer was stuck.

I alerted the AI, but instead of fixing the issue, it just:

Repeated the same code
Gave me a generic checklist (e.g., "Check if the date is correct")
Missed the glaring problem

Next, I pasted the code into Claude. It thought it was a hydration issue (a reasonable guess in Next.js) and tweaked the code—but the timer still didn’t work.

The Obvious Bug AI Missed

After some manual debugging (thankfully, I know JavaScript), I spotted the issue:

function getTimeLeft() {
  const launchDate = new Date(); // 🚨 Problem: This resets EVERY render!
  launchDate.setDate(launchDate.getDate() + 35); // 5 weeks from today
  const now = new Date();
  const diff = launchDate.getTime() - now.getTime();
  // ... rest of the logic
}

The bug? launchDate was being recalculated on every render, meaning the countdown always showed 0 (since now and launchDate were effectively the same time).

The fix? **Make launchDate a static field (From what future date are we counting down?):

const LAUNCH_DATE = new Date("2025-06-01");

function getTimeLeft() {
  const now = new Date();
  const diff = LAUNCH_DATE.getTime() - now.getTime();
  // ... rest of the logic
}

Why AI Still Needs Human Oversight

AI Lacks Deep Context
- It didn’t realize launchDate should be static.
- It followed patterns but didn’t understand the intent.
Debugging Requires Reasoning, Not Just Repetition
- Both assistants gave plausible suggestions but didn’t diagnose the root cause.
Trivial Mistakes Are Hard for AI to Spot
- Humans recognize "obvious" errors faster because we think in terms of goals, not just syntax.

The Verdict: AI is a Powerful Assistant, Not a Replacement

AI has made incredible progress, but it still:

✔ Struggles with nuanced logic

✔ Misses simple but critical bugs

✔ Needs human guidance for real-world scenarios

So, developers, rest easy, your job is safe (for now). AI is a tool, not a replacement. And honestly? That’s a good thing.

Mistakes Are Part of the Dev Environment: It's How You Handle Them That Counts

Samuel Mutemi — Wed, 07 May 2025 08:26:35 +0000

“To err is human, to debug divine.”

If you’ve been writing code for any stretch of time, you’ve probably stared at your screen wondering how something so small could break so much. Whether it’s a misplaced semicolon, an off-by-one error, or deploying to production with test credentials (guilty 😅), every developer—junior or senior—has stories of mistakes they’ve made.

Let’s face it: mistakes are not just part of the development process—they are the development process.

The Illusion of Perfection
There's a common myth, especially among beginners, that good developers don't make mistakes. That once you’re “senior,” you write perfect code the first time.

Spoiler: Nobody does.

In fact, senior developers often make bigger mistakes—but they catch and fix them faster because they’ve learned how to deal with them.

Why Mistakes Matter
Mistakes aren’t just inevitable—they’re useful. They reveal assumptions, force you to dig deeper into how systems work, and often lead to better solutions than you would have considered otherwise. Here’s what mistakes teach us:

Clarity: They expose where our understanding is shallow.
Resilience: They teach us how to handle failure calmly.
Humility: They remind us that there’s always more to learn.

A Culture of Blame vs. a Culture of Learning
One of the worst things a dev team can do is foster a culture where mistakes are punished. This leads to fear, cover-ups, and stagnation.

Great teams treat mistakes as data points. When something breaks, the question isn't “Who messed up?”—it’s “How can we make this less likely to happen again?”

That might mean:

Improving test coverage.
Setting up guardrails (like staging environments or automated linting).
Writing clearer documentation.
Doing post-mortems without finger-pointing.

Your Mistake Recovery Toolbox
Here are a few practical things every developer should keep in their mental toolkit when mistakes happen:

Stay Calm
Panicking never helps. Take a breath, grab a coffee, and remember: you are not your bug.
Reproduce It
If you can reproduce the bug, you can fix the bug. Step-by-step isolation is often the fastest way forward.
Use Version Control
If you’re not using Git (or similar), start now. Version control is the ultimate undo button.
Write Tests Around It
Write a test that fails because of the bug. Then fix it. This not only confirms the fix—it prevents regressions.
Learn and Share
Write about it, tweet it, blog it, bring it up in retros. Your mistake could prevent someone else’s.

Some Famous Dev Mistakes
GitHub once deleted part of their production database.

AWS once took down a major part of the internet with a typo.

Google once lost an entire day of email due to a bad config.

These are massive companies with brilliant engineers. Mistakes still happen. What sets them apart is how they respond.

Final Thoughts
Programming is a constant process of learning, breaking, fixing, and improving. Mistakes are not bugs in you—they’re features of the process.

So next time you bork the deployment or introduce a hard-to-find bug, don’t beat yourself up. Reflect, fix, learn—and maybe even laugh about it later.

Because at the end of the day, real growth in software engineering happens not in the absence of mistakes, but in how we respond to them.

Quantum Computing is About to Pwn Your Encryption – Time to Wake Up!

Samuel Mutemi — Mon, 05 May 2025 11:37:27 +0000

"Harvest Now, Decrypt Later" – The World’s Slowest Heist

Imagine a burglar breaking into your house, but instead of stealing your TV, they take a photocopy of your safe’s lock and say:

"I’ll crack this later when I invent lock-picking lasers."

That’s essentially what hackers are doing right now with "Harvest Now, Decrypt Later" (HNDL) attacks. They’re hoarding encrypted data (your emails, bank details, even those embarrassing selfies) and waiting for quantum computers to crack them open like a cheap piñata.

You: "But quantum computing isn’t ready yet!"

Hackers: "We can wait. Your data isn’t going anywhere."

Shor’s Algorithm: The Math Bully That Eats RSA for Breakfast

Current encryption relies on math problems so hard that even supercomputers cry trying to solve them. But quantum computers? They cheat.

RSA Encryption: "It’ll take a billion years to factor this large prime!"
Shor’s Algorithm: "Hold my qubit." 💥

What’s at risk?

✔ Your HTTPS connections (bye-bye, secure banking).

✔ Your SSH keys (hope you like unexpected server guests).

✔ Bitcoin & blockchain (unless they upgrade fast, quantum miners will be the new crypto whales).

Grover’s Algorithm: The Unwanted Gym Bro of Encryption

While Shor’s algorithm destroys RSA & ECC, Grover’s algorithm is more of a persistent annoyance to symmetric encryption like AES:

AES-256? Still strong, but now with only AES-128-level security.
SHA-256? Collision attacks just got way easier.

Translation: Your encryption just lost half its gains. Time to hit the quantum-resistant crypto gym. 💪

Post-Quantum Cryptography: The Superhero We Need (But Don’t Deserve)

NIST has been working on quantum-proof algorithms, because apparently, we can’t just unplug the quantum computers and call it a day. Here’s the new lineup:

1. CRYSTALS-Kyber – The New RSA (But Fancier)

Good for: Key exchanges (so quantum hackers can’t eavesdrop).
Bad for: People who miss the good ol’ days of RSA (which, let’s be honest, were never that good).

2. CRYSTALS-Dilithium – Like ECDSA, But Won’t Die in 5 Years

Replaces: Digital signatures (so your GitHub commits stay legit).
Bonus: Sounds like a Power Rangers weapon. "Go go Dilithium Signatures!"

3. SPHINCS+ – The Backup That Nobody Wants to Use

How it works: Hash-based, so even if quantum breaks everything else, this still stands.
Downside: Bigger, slower, like that one relative who still uses a flip phone.

What You Should Do Before Quantum Hackers Ruin Your Day

Stop pretending this isn’t happening.
- "Quantum computing is decades away!" – People who will be hacked in 5 years.
Check if your crypto is already obsolete.
- Still using RSA-2048? Start planning your migration yesterday.
Demand quantum-safe encryption in your tools.
- Ask your cloud provider: "Hey, when are you adding Kyber support?"
- If they say "What’s Kyber?" – panic.
Prepare for the inevitable "Oh crap" moment.
- Because someday, a headline will say: "Quantum computer just broke Bitcoin", and you don’t want to be scrambling then.

Final Thought: Don’t Be the Last One Using Broken Crypto

Quantum computing is coming, and it doesn’t care if your security team is ready. The good news? We have solutions now. The bad news? Most people won’t act until it’s too late.

Will you be the early adopter sipping coffee while others panic? Or the one rewriting your entire auth system at 3 AM after the quantum apocalypse hits?

The choice is yours.

"But I don’t even understand quantum mechanics!" – Don’t worry, neither do most quantum physicists. Just start learning post-quantum crypto today.* 😉

Passwords Are a Ticking Timebomb—And These Breaches Prove It

Samuel Mutemi — Mon, 05 May 2025 11:27:16 +0000

Passwords have been the default authentication method for decades, but their flaws are more dangerous than ever. High-profile breaches and cyberattacks consistently expose how fragile password-based security really is. Below, we’ll examine two major case studies that highlight why passwords are failing us—and what we should use instead.

Case Study 1: The LinkedIn Breach (2012, 2016, and Beyond)

What Happened?

In 2012, LinkedIn suffered a breach that exposed 164 million email and password combinations.
Hackers didn’t just steal passwords—they cracked weak hashes (SHA-1 without salting), revealing plaintext credentials.
In 2016, another batch of 117 million passwords from the same breach resurfaced on the dark web.

Why Passwords Failed

Weak Hashing: LinkedIn stored passwords with weak encryption, making them easy to crack.
Password Reuse: Many users reused the same passwords across multiple sites, leading to credential stuffing attacks on other platforms.
Delayed Impact: Even years later, these passwords were still being used in attacks.

The Aftermath

LinkedIn forced password resets, but the damage was done.
Many users who reused passwords saw their other accounts (email, banking, social media) compromised.

How It Could Have Been Prevented

✅ Passwordless Auth: Passkeys or biometric logins would have made stolen credentials useless.

✅ Better Hashing: Modern algorithms (bcrypt, Argon2) could have slowed down cracking.

✅ MFA Enforcement: Even with leaked passwords, MFA would have blocked unauthorized access.

Case Study 2: The Colonial Pipeline Ransomware Attack (2021)

What Happened?

Hackers breached Colonial Pipeline, a major U.S. fuel supplier, causing a six-day shutdown and fuel shortages across the East Coast.
The attack started with a single compromised password to an old VPN account that lacked multi-factor authentication (MFA).

Why Passwords Failed

No MFA: A single weak password was all hackers needed to infiltrate the network.
Legacy Account Exposure: The VPN account was no longer in use but wasn’t deactivated.
Password Reuse: The password may have been reused or easily guessed (though exact details weren’t disclosed).

The Aftermath

Colonial Pipeline paid $4.4 million in Bitcoin as ransom.
The U.S. government recovered some funds, but the incident highlighted how passwords alone are insufficient for critical infrastructure.

How It Could Have Been Prevented

✅ Passwordless VPN Access: A hardware security key (YubiKey) or certificate-based auth would have prevented the breach.

✅ Strict MFA Policies: Even a simple TOTP (Google Authenticator) check would have stopped the attack.

✅ Automated Account Deactivation: Unused accounts should be disabled automatically.

The Way Forward: Killing the Password for Good

These cases prove that passwords alone are a security liability. Here’s what we should adopt instead:

1. Passkeys (FIDO2 / WebAuthn)

No passwords, just biometrics or hardware keys.
Immune to phishing & credential stuffing.

2. Universal MFA Adoption

Mandate MFA everywhere, especially for remote access and admin accounts.

3. Better Credential Management

Password managers for generating and storing strong passwords (if still needed).
Regular audits to deactivate unused accounts.

Final Thoughts

Passwords are outdated, insecure, and costly. The LinkedIn and Colonial Pipeline breaches show just how dangerous reliance on passwords can be. The sooner we move to passwordless authentication, the safer we’ll all be.

Are you still using passwords, or have you switched to passkeys/MFA? Share your experience below! 🔐

Stop Using Keycloak Like a Basic Auth Server—Try These Features

Samuel Mutemi — Tue, 29 Apr 2025 14:20:02 +0000

Keycloak is widely recognized as a powerful open-source Identity and Access Management (IAM) solution, offering SSO, OAuth, and user federation out of the box. But beyond the basics, Keycloak has several underrated features that can significantly enhance security, customization, and usability.

In this post, we’ll explore some of these lesser-known Keycloak features that can save you time, improve security, and unlock new capabilities.

1. Fine-Grained Admin Permissions (Client Policies & Admin Fine-Grained AuthZ)

Most Keycloak admins know about realm roles, but did you know you can delegate admin permissions with surgical precision?

Client Policies: Define rules for client registrations (e.g., enforce HTTPS redirect URIs).
Fine-Grained Admin Permissions: Restrict admin console access (e.g., allow a user to manage only specific clients).

🔹 Use Case: Securely delegate administration without giving full realm access.

2. Dynamic Client Registration (DCR) & Initial Access Tokens

Instead of manually configuring every client, Keycloak supports dynamic client registration via REST API.

Initial Access Tokens: Generate short-lived tokens to allow self-service client registration.
Client Registration Policies: Enforce constraints (e.g., allowed redirect URIs).

🔹 Use Case: SaaS platforms where tenants need to onboard their own apps securely.

3. WebAuthn & Passwordless Authentication

While OTP is common, Keycloak supports FIDO2/WebAuthn for phishing-resistant logins.

Biometric & Security Key Auth: Users can log in via Face ID, Touch ID, or YubiKey.
Conditional Policies: Require WebAuthn only for high-risk actions.

🔹 Use Case: Financial apps or internal systems needing stronger MFA.

4. Token Exchange (Impersonation & Delegation)

Keycloak allows token exchange, letting one token be swapped for another under controlled conditions.

Impersonation: Admins can act on behalf of users (for debugging).
Delegation: A service can obtain a token for another service securely.

🔹 Use Case: Microservices architectures where services need to call each other.

5. Custom User Attributes & Declarative User Profiles

Keycloak supports custom user metadata, but with Declarative User Profiles (DUP), you can enforce validation.

Define Required Fields: Mandate certain attributes at registration.
Validation Rules: Enforce email formats, phone numbers, etc.

🔹 Use Case: Compliance-heavy industries needing structured user data.

6. Event Listeners & Webhooks

Keycloak emits real-time events (logins, token exchanges, failures). You can:

Forward Events to Kafka/RabbitMQ: For SIEM integration.
Trigger Webhooks: Notify external systems on user actions.

🔹 Use Case: Fraud detection, audit logging, or real-time analytics.

7. Script-Based Authentication Flows

Instead of hardcoding auth logic, Keycloak supports JavaScript/Python scripts in auth flows.

Custom Validation: Check user attributes before login.
Conditional Steps: Skip MFA for trusted IPs.

🔹 Use Case: Adaptive authentication without custom code.

8. Lightweight Directory Services (LDAP) with Write-Back

Keycloak can sync with LDAP/Active Directory bidirectionally.

User Write-Back: Changes in Keycloak (e.g., password updates) sync back to LDAP.
On-Demand Sync: Avoid full syncs with lazy loading.

🔹 Use Case: Enterprises migrating from legacy LDAP systems.

9. Built-In Token Revocation & Offline Sessions

Revoking tokens is usually manual, but Keycloak offers:

Not-Before Policy: Invalidate all tokens issued before a certain time.
Offline Session Limits: Control how long refresh tokens last.

🔹 Use Case: Responding to breaches or employee offboarding.

10. Themeable Emails & Localization

Most Keycloak emails look generic, but you can:

Customize Templates: Branded password reset emails.
Multi-Language Support: Auto-send emails in the user’s language.

🔹 Use Case: Improving UX for global user bases.

Final Thoughts

Keycloak is far more than just an OAuth server—it’s a swiss-army knife for IAM. By leveraging these lesser-known features, you can:

✅ Enhance security (WebAuthn, token exchange)

✅ Automate workflows (dynamic client registration)

✅ Improve UX (custom emails, declarative profiles)

Have you used any of these features? Any hidden gems I missed? Let me know in the comments! 🚀

Further Reading:

Would you like a deep dive into any of these features? Let me know!

The Fast Lane to Software Failures: Why We Need a New Approach

Samuel Mutemi — Mon, 28 Apr 2025 12:00:48 +0000

In today’s tech world, the phrase "move fast and break things" is practically a badge of honor. It's like the Silicon Valley equivalent of "hold my beer"—and yet, much like that famous phrase, it often ends with something broken (and possibly on fire). The problem is, when you prioritize speed over quality, you end up with software that’s more “oops” than “awesome.”

At first, it seems tempting—ship quickly, get feedback fast, and iterate even faster. But here's the thing: just because you're sprinting doesn’t mean you’re not running straight into a wall. In fact, you're probably tripping over bugs, creating tech debt, and making a mess of your codebase that even your future self will regret. It’s like trying to build a house in a day: it might stand for a few hours, but good luck if a strong wind blows through.

What's worse? This mindset encourages a "fire-fighting" culture. Developers spend more time putting out bugs than actually building cool features. It's like being a chef who spends all day cleaning up spilled soup instead of cooking dinner—at some point, you just want to throw the ladle out the window.

The solution? Slow down a little. It’s not about being in a hurry, it’s about making sure you actually have something worth hurrying for. Let’s start building software that’s well-tested, well-architected, and doesn’t fall apart the second someone touches it. After all, if you keep speeding through the software lifecycle, you’ll eventually crash—and no one wants their product to be the tech equivalent of a fender bender.

So here’s a new mantra: "Build well, ship smart." Because the only thing worse than slow progress is having to redo everything later. Let’s not race to failure.

Why Keycloak is the Best Choice for Authentication in Modern Applications

Samuel Mutemi — Wed, 23 Apr 2025 14:51:44 +0000

Authentication is a critical component of any application, but building a secure, scalable, and flexible auth system from scratch is complex and time-consuming. That’s where Keycloak comes in—an open-source Identity and Access Management (IAM) solution that simplifies authentication while providing enterprise-grade security.

In this article, we’ll explore why Keycloak should be your go-to solution for handling authentication in your services.

🔑 1. Out-of-the-Box Authentication Features

Keycloak provides a rich set of built-in authentication mechanisms, including:

OAuth 2.0 & OpenID Connect (OIDC) – Industry-standard protocols for secure authentication.
Social Logins – Easily integrate with Google, GitHub, Facebook, and more.
SAML 2.0 Support – Ideal for enterprise single sign-on (SSO).
Multi-Factor Authentication (MFA) – Supports TOTP, WebAuthn, and SMS-based 2FA.

Instead of reinventing the wheel, Keycloak lets you enable these features with minimal configuration.

🚀 2. Single Sign-On (SSO) Made Easy

Keycloak acts as a centralised identity provider, allowing users to log in once and access multiple applications seamlessly. This is particularly useful for:

Microservices architectures (where each service shouldn’t handle auth individually).
Internal company portals (employees access multiple tools with one login).
Customer-facing SaaS platforms (users move between apps without re-authenticating).

🛡️ 3. Security Best Practices by Default

Security is hard, and mistakes in auth implementations can lead to breaches. Keycloak enforces security best practices, including:

Brute-force protection – Automatically throttles repeated login attempts.
Password policies – Enforces complexity rules and expiration.
Secure token management – JWTs with proper signing & encryption.
Session management – Detects and handles idle/inactive sessions.

By using Keycloak, you inherit these protections without extra effort.

⚙️ 4. Extensible & Developer-Friendly

Keycloak is highly customizable:

Themes – Brand your login pages to match your application.
Custom user attributes & roles – Fine-grained access control.
REST API & Admin CLI – Automate user management and configuration.
SPI (Service Provider Interface) – Extend Keycloak with custom authentication flows.

Developers can integrate Keycloak with almost any stack—Node.js, Spring Boot, Python, React, Angular, and more.

🌍 5. Self-Hosted or Cloud-Native

Keycloak gives you deployment flexibility:

Run it on-premises – Full control over your identity data.
Deploy in Kubernetes – Scalable and resilient in cloud environments.
Use a managed service – Providers like Red Hat SSO offer hosted Keycloak.

Unlike proprietary SaaS auth solutions (Auth0, Okta), Keycloak avoids vendor lock-in and can be self-managed for cost efficiency.

📊 6. Cost-Effective (Open Source & Free)

Keycloak is 100% free and open-source (Apache License 2.0). While paid alternatives charge per user or feature, Keycloak provides enterprise-grade IAM at no cost.

For businesses with budget constraints, this is a huge advantage.

� 7. Active Community & Enterprise Support

Keycloak is backed by a strong open-source community and commercial support from Red Hat. Regular updates, security patches, and a wealth of documentation make it a reliable choice.

🚀 Getting Started with Keycloak

Deploying Keycloak is straightforward:

Option 1: Docker Quickstart

docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:24.0.2 start-dev

Option 2: Kubernetes (Helm)

helm repo add bitnami https://charts.bitnami.com/bitnami  
helm install keycloak bitnami/keycloak

Once deployed, configure realms, clients, and identity providers via the Admin Console (http://localhost:8080/admin).

Conclusion

Keycloak eliminates the complexity of authentication while providing security, scalability, and flexibility. Whether you're building a small app or a large enterprise system, Keycloak is a robust, cost-effective solution that saves development time and reduces risk.

🔗 Learn more: Keycloak Official Documentation

Have you used Keycloak in your projects? Share your experiences in the comments! 🚀

Setting Up Keycloak as an OAuth Server

Samuel Mutemi — Wed, 28 Aug 2024 08:38:45 +0000

Keycloak is an open-source identity and access management solution designed for modern applications and services. It provides a robust platform for user authentication, authorization, and SSO (Single Sign-On) with support for various identity providers. Keycloak can be easily configured as an OAuth 2.0 server, enabling applications to securely delegate authentication to a centralized identity provider. This article walks you through setting up Keycloak as an OAuth server.

Prerequisites

Keycloak Installed: Ensure that Keycloak is installed on your server or locally on your machine. You can download the latest version from the Keycloak website.
Java and Database Setup: Keycloak requires a Java runtime environment and a database to store user data. Ensure both are properly configured.
Basic Understanding of OAuth 2.0: Familiarity with OAuth 2.0 concepts will help you understand the setup process better.

Step 1: Install and Start Keycloak

Download Keycloak: If you haven’t installed Keycloak, download the latest version from the official website.
Extract and Configure: Extract the downloaded archive and configure Keycloak by setting up the database and other environment-specific settings.
Start Keycloak: Start Keycloak using the command below:
```
./bin/standalone.sh
```
By default, Keycloak will start on http://localhost:8080.

Step 2: Access the Keycloak Admin Console

Login: Access the Keycloak Admin Console by navigating to http://localhost:8080/auth in your browser. You will be prompted to create an initial admin user.
Create a Realm: Realms in Keycloak are isolated environments that allow you to manage a set of users, credentials, roles, and groups. Create a new realm by clicking on the “Add Realm” button.

Step 3: Configure OAuth Clients

Create a Client: In the realm settings, navigate to the Clients section and click on Create. Enter a unique Client ID (e.g., my-app) and choose OpenID Connect as the protocol.
Configure Redirect URIs: Enter valid redirect URIs where Keycloak can redirect after successful authentication. These URIs must match the redirect URIs configured in your application.
Set Client Settings: Configure additional settings such as Access Type (choose confidential for server-side apps), Client Authentication, and Authorization Settings as per your application's requirements.
Generate Credentials: After saving the client, Keycloak will generate a Client Secret or allow you to create client certificates if using mutual TLS. Save this secret, as it will be needed for your application to communicate with Keycloak.

Step 4: Set Up User Authentication

Create Users: Navigate to the Users section in the Admin Console and create users that will be authenticating via OAuth.
Set Password Policies: Configure password policies, MFA (Multi-Factor Authentication), and other security settings in the Authentication tab.

Step 5: Integrate with Your Application

Install OAuth Libraries: Depending on the technology stack of your application (e.g., Java, Node.js, Python), install the appropriate OAuth libraries (e.g., spring-security-oauth2 for Spring Boot).
Configure OAuth in Your App: In your application, configure the OAuth client with the following details:
- Client ID and Client Secret generated in Keycloak.
- Authorization Endpoint: Typically http://localhost:8080/auth/realms/{realm-name}/protocol/openid-connect/auth
- Token Endpoint: http://localhost:8080/auth/realms/{realm-name}/protocol/openid-connect/token
- User Info Endpoint: http://localhost:8080/auth/realms/{realm-name}/protocol/openid-connect/userinfo
Handle Tokens: Implement logic to handle OAuth tokens (Access Token, Refresh Token) securely in your application.

Step 6: Test the Integration

Initiate OAuth Flow: Trigger the OAuth flow from your application (e.g., by clicking on a login button) and ensure that Keycloak's login page is displayed.
Authenticate and Authorize: Log in with a Keycloak user and authorize the application to access the requested scopes.
Receive Tokens: Upon successful authentication, your application should receive the OAuth tokens, which can be used for securing API calls or accessing user information.

Conclusion

Setting up Keycloak as an OAuth server involves a series of steps, from configuring realms and clients to integrating with your application. Keycloak’s flexibility allows it to support various use cases, from simple SSO setups to complex identity federation scenarios. With OAuth, your applications can securely delegate authentication, ensuring that user credentials are managed centrally and securely.

Keycloak’s rich feature set and support for standards like OAuth 2.0 make it an excellent choice for modern applications requiring secure identity management.

Running Keycloak on Docker for the First Time

Samuel Mutemi — Mon, 19 Aug 2024 17:26:52 +0000

Introduction

Keycloak is an open-source identity and access management solution designed for modern applications and services. It offers features like single sign-on (SSO), social login, and user federation, making it a powerful tool for managing user identities across various platforms. Running Keycloak on Docker allows you to easily deploy and manage your identity management solution in a containerized environment, ensuring portability and scalability.

I came across Keycloak when I was working on a personal project and wondered how many times I had written authentication logic over the years. I concluded there had to be a solution that I could use that cross-cuts all basic authentication needs I might have(because looking back, the difference between all the auth services I've written for different apps was small). This would allow me to get started quicker with new projects as I wouldn't have to think authentication as much. Also, an added advantage I realised was better security - keycloak is written with best practices in mind, and since it is maintained by the community, all I have to do is pull new updates as required.

In this guide, we’ll walk you through the steps to run Keycloak on Docker for the first time.

Prerequisites

Before you begin, ensure that you have the following installed on your machine:

Docker: Install Docker from the official Docker website.
Docker Compose (optional): While not strictly necessary, Docker Compose simplifies managing multi-container Docker applications.
Step 1: Pull the Keycloak Docker Image

The first step is to pull the official Keycloak Docker image from the Docker Hub. This image contains everything you need to run Keycloak.

Open your terminal and run the following command:

docker pull quay.io/keycloak/keycloak:latest

This command pulls the latest Keycloak image from the Quay.io repository.

Step 2: Running Keycloak as a Standalone Container

To run Keycloak as a standalone container, execute the following command:

docker run -d -p 8080:8080 --name keycloak \
-e KEYCLOAK_ADMIN=admin \
-e KEYCLOAK_ADMIN_PASSWORD=admin_password \
quay.io/keycloak/keycloak:latest start-dev

Let’s break down the command:

-d: Runs the container in detached mode (in the background).
-p 8080:8080: Maps port 8080 of the container to port 8080 on your host machine.
--name keycloak: Names the container "keycloak".
-e KEYCLOAK_ADMIN=admin: Sets the Keycloak admin username.
-e KEYCLOAK_ADMIN_PASSWORD=admin_password: Sets the Keycloak admin password.
quay.io/keycloak/keycloak:latest start-dev: Specifies the image and starts Keycloak in development mode.
Once the container starts, you can access Keycloak by navigating to http://localhost:8080 in your web browser. You’ll be prompted to log in using the admin credentials you specified in the command.

Step 3: Running Keycloak with Docker Compose (Optional)

If you prefer using Docker Compose to manage your containers, you can create a docker-compose.yml file for Keycloak:

yaml
version: '3'

services:
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    ports:
      - "8080:8080"
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin_password
    command:
      - start-dev

Save this file and run the following command to start Keycloak:

docker-compose up -d

This command will start Keycloak as a background service, making it easier to manage along with other services.

Step 4: Accessing the Keycloak Admin Console

With Keycloak up and running, you can now access the admin console. Open your web browser and navigate to http://localhost:8080. Log in using the admin credentials you set earlier.

Once logged in, you can start configuring realms, clients, users, and other Keycloak settings according to your needs.

Step 5: Stopping and Removing the Keycloak Container

To stop the Keycloak container, run:

docker stop keycloak

To remove the container, use:

docker rm keycloak

If you used Docker Compose, you can stop and remove the containers with:

docker-compose down

Conclusion

Running Keycloak on Docker is a straightforward process that allows you to quickly set up a robust identity and access management solution. With Docker's containerization, you can easily manage, scale, and deploy Keycloak across different environments. Whether you're running it as a standalone container or using Docker Compose for a more complex setup, Keycloak on Docker offers a flexible and powerful solution for your identity management needs.