Red Hat


Frequently Asked Questions about the merge of the PicketLink and Keycloak projects.

Q) What is really happening?

A) Several parts of PicketLink will get merged/forked into the Keycloak project, and work on any new features will happen there.

Q) What happens to the PicketLink project?

A) The project remains where it is. The website, JIRA, sources on GitHub, downloads, documentation, mailing lists, etc. will still be available as they currently are.

Q) Can I still use PicketLink?

A) Yes. Definitely!

Q) What happens to Red Hat Middleware products that rely on PicketLink?

A) There is no immediate impact to Red Hat products.

Q) Can I expect new features being developed for PicketLink?

A) Rather not from the Red Hat side, although no one will block community contributions.

Q) Can I expect new releases of PicketLink in the future?

A) It depends on the community. Project developers associated with Red Hat will focus mainly on developing new features in the Keycloak project, although if there are PRs coming from the community, additional releases may still happen.

Q) What about the Federation / SAML capabilities provided by PicketLink?

A) Most of the SAML-related codebase will get forked/merged into Keycloak, although with some additional polishing and refactoring. The scope of this work will be discussed in public on the project mailing list. Our intention for the PicketLink Federation / SAML part is to provide the same set of capabilities in Keycloak in the long run. We’ll also try to make migration from PicketLink Federation to a Keycloak-based SAML IdP/SP easier with additional documentation and guidance.

Q) What happens with the Social APIs provided by PicketLink?

A) The Keycloak project already provides much greater capabilities for Social Login than PicketLink.

Q) What happens with PicketLink's Java EE related capabilities?

A) Based on experience gained with the PicketLink project, we’ll be introducing a Keycloak SDK component, including libraries for easier integration with Java EE applications.

Q) What happens with PicketLink IDM?

A) The Keycloak project already provides out-of-the-box IDM capabilities exposed through REST endpoints. Some parts of it - like LDAP integration - are currently based on the PicketLink codebase. We’ll be integrating both efforts, although the exact scope of this work is not clear yet. It will be discussed in public on the project mailing list. It would be helpful if you shared your view on the key IDM capabilities from PicketLink you care about most.

Q) What happens with the XXXX feature from PicketLink? Will it get merged into or be covered by Keycloak? Will Keycloak provide 100% feature parity with PicketLink?

A) We are still discussing which parts should be incorporated into Keycloak, in which way, and in which order of priority. Keycloak has a slightly different angle, focusing on providing a rich out-of-the-box security server experience instead of very flexible framework capabilities. We don’t want to compromise this key strength of the project. Some parts of PicketLink may not fit “as is” in Keycloak and may require additional refactoring or redesign. Some features from PicketLink are already covered by Keycloak - although sometimes in a slightly different way. Please let us know which parts or features you are especially interested in. We’ll discuss with you and take your opinion into account!

Q) Could you please do XXX from PicketLink differently in Keycloak?

A) Let us know on the mailing list. We would really like to hear your feedback!

Q) Could you keep ZZZ from PicketLink in Keycloak?

A) Again - please let us know and we’ll discuss. And btw, we are open to contributions!

Q) Will Keycloak provide XYZ in the future?

A) Please ask on the mailing list. Our roadmap is driven by demand from the community. Really!

Q) Why merge PicketLink into Keycloak and not vice versa?

A) Any solution has several pros and cons. We strongly believe that the “out of the box security solution” nature of Keycloak is what will fit the majority of our users best in the future. Additionally, PicketLink in its current form is primarily focused on JEE applications. Keycloak provides more flexibility, with a rich set of adapters for many different containers. We already have contributions for better node.js integration...

Q) Am I forced to migrate to Keycloak? Should I really?

A) Not forced for sure… although we strongly suggest that you give it a try. If you rely on PicketLink Federation, then you should seriously consider migrating to Keycloak, as this is the place where new features for it will get developed. Keycloak is focused on delivering security-related features out of the box so that you can easily integrate or embed them into your application. At the moment it is not aiming to provide a rich security framework for implementing the same capabilities within your application on your own, although we aim to make Keycloak pluggable and configurable enough to suit most needs. If you have any needs that make you want to remain on PicketLink - please let us know on the mailing list.

Q) Can I keep using PicketLink within my application for now but still start leveraging Keycloak?

A) Great question! PicketLink allows you to extend its API in order to authenticate and consume bearer tokens issued by a third-party identity provider such as Keycloak. In this case, you can use Keycloak to authenticate users and still use PicketLink to perform authorization decisions based on the information from these tokens.

Q) Could I get engaged or help you in any way?

A) Definitely. Please let us know on the mailing list what you are interested in.
