OAuth2/OIDC identity management — from Node.js to C
Keyrock is the official FIWARE Identity Management GE — providing OAuth 2.0 / OpenID Connect authentication, user/organization/application management, and RBAC. It integrates directly with Wilma and AuthZForce. Keycloak is not a FIWARE Generic Enabler — it's an external Java dependency. FIWARE 2.0 keeps Keyrock as the sole identity component, eliminating the 1.2–2.5 GB Keycloak/Java process entirely.
The current Keyrock runs on Node.js (~100–150 MB RAM). A C rewrite with fw-libs replaces the entire stack: fwHttp for the REST API, OpenSSL for JWT/OAuth2 and Argon2 password hashing, fwHash for sessions, and SQLite for user/role storage. Deployments that need enterprise SSO features (SAML, LDAP federation, social login) can place any external IdP in front.
| Metric | Keyrock (Node.js) | Keyrock 2.0 (C + fw-libs) |
|---|---|---|
| Token grants/sec | ~5,000–10,000 | ~50,000–100,000 |
| RAM | ~100–150 MB | ~3–10 MB |
| Startup | ~1–2s | <10ms |
Estimated effort: 4–6 weeks with Claude Max. Scope: OAuth2/OIDC flows, JWT signing (OpenSSL), user/organization/application CRUD, role/permission management, session handling, and OIDC discovery endpoints.
| Component | Work | Estimate |
|---|---|---|
| REST API | fwHttp server for user/org/app/role CRUD, OIDC discovery endpoints | 1–2 weeks |
| OAuth2/OIDC | Authorization code, client credentials, password grant, refresh tokens, OIDC ID tokens | 1–2 weeks |
| JWT & Crypto | OpenSSL for JWT signing/verification, Argon2 password hashing | 3–4 days |
| Storage | SQLite for users, organizations, applications, roles, permissions | 3–4 days |
| Session Management | fwHash-based session store with TTL, thread-safe access | 2–3 days |
| Testing | Unit tests, OAuth2 flow integration tests, load testing | 1 week |
| Total | | 4–6 weeks |
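
The Session Management row above, sketched as an added example (not Keyrock or fw-libs code): a fixed-size hash table with TTL expiry behind one mutex. The fwHash API is not shown on this page, so `session_put`, `session_get`, `SLOTS` and `SID_LEN` are hypothetical stand-ins; the caller passes `now` and a session id drawn from a CSPRNG.

```c
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

#define SLOTS   64   /* assumed table size */
#define SID_LEN 32   /* assumed session-id length in bytes */
typedef struct { uint8_t sid[SID_LEN]; uint32_t user; time_t expires; int used; } session_t;
static session_t table[SLOTS];
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;

/* Compare ids without an early exit, so timing does not show how many bytes matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < SID_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}
static size_t slot_of(const uint8_t *sid) {   /* FNV-1a picks the first probe slot */
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < SID_LEN; i++) { h ^= sid[i]; h *= 16777619u; }
    return h % SLOTS;
}
/* Insert into the first never-used or expired slot; 0 on success, -1 when full. */
int session_put(const uint8_t *sid, uint32_t user, time_t now, time_t ttl) {
    int rc = -1;
    pthread_mutex_lock(&lock);
    for (size_t i = 0, start = slot_of(sid); i < SLOTS && rc; i++) {
        session_t *s = &table[(start + i) % SLOTS];
        if (s->used && s->expires > now) continue;   /* slot holds a live session */
        memcpy(s->sid, sid, SID_LEN);
        s->user = user; s->expires = now + ttl; s->used = 1; rc = 0;
    }
    pthread_mutex_unlock(&lock);
    return rc;
}
/* Returns 1 and sets *user when sid is known and unexpired, else 0. */
int session_get(const uint8_t *sid, time_t now, uint32_t *user) {
    int found = 0;
    pthread_mutex_lock(&lock);
    for (size_t i = 0, start = slot_of(sid); i < SLOTS && !found; i++) {
        session_t *s = &table[(start + i) % SLOTS];
        if (!s->used) break;                         /* never-used slot ends the chain */
        if (s->expires > now && ct_equal(s->sid, sid)) { *user = s->user; found = 1; }
    }
    pthread_mutex_unlock(&lock);
    return found;
}
```

Expiry is enforced on every lookup, so a session past its TTL is rejected even if no cleanup pass has run.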