Case Study

OpenTalk

OpenTalk achieves versatile and compliant user authentication with Keycloak

Challenge

OpenTalk, a videoconferencing solution, needed a secure and scalable Identity and Access Management (IAM) solution to authenticate users across various services while maintaining strict security and compliance standards. Given OpenTalk’s focus on user sovereignty and data privacy, the solution had to meet regulatory requirements, including GDPR and requirements stemming from BSI CC EAL 4 certification.

Before adopting Keycloak, OpenTalk faced several challenges:

  • Fragmented authentication & security features – OpenTalk required support for multiple authentication methods, including OAuth, OIDC, x509 (passwordless authentication), and multi-factor authentication (2FA). Implementing each of these itself would have been complex and hard to maintain.
  • User self-service & management – to improve the user experience and reduce administrative overhead, OpenTalk needed a self-service portal where users could register, update profiles, reset passwords, and manage authentication settings without IT intervention.
  • Scalability & reliability – authentication is a mission-critical component of OpenTalk’s platform. A failure in IAM would mean users being locked out of essential communication tools. The solution had to ensure high availability, redundancy, and a good user experience at scale.
  • Granular role & access control – OpenTalk needed a robust role-based access control (RBAC) system allowing fine-grained management of user permissions, group assignments, and access policies.
  • Regulatory compliance & data sovereignty – as a European company, OpenTalk had to comply with strict data protection laws and ensure that customers could deploy IAM on-premises, giving them full control over sensitive authentication data.

Without a unified IAM solution, OpenTalk faced challenges with inconsistent authentication workflows, security gaps, and growing administrative overhead. To address these issues, the company needed an open-source, flexible, and secure IAM platform that could simplify authentication, empower users with self-service options, and ensure full compliance with regulatory requirements—all while integrating with its existing infrastructure.

Solution

After careful evaluation, OpenTalk chose Keycloak as their IAM solution for several compelling reasons:

Keycloak supports all common authentication sources, making it highly integrable with existing systems. The platform’s robust OIDC and OAuth 2 capabilities were decisive factors in the selection process. At the time of implementation, OpenTalk recognized that Keycloak was gaining significant market traction, which would facilitate easier federation in the future.

The customizability of Keycloak was another important consideration, allowing both OpenTalk’s product identity and customer identities to be incorporated seamlessly.

Integration into OpenTalk’s architecture was accomplished through multiple Keycloak clients for both frontend and backend services. Client secrets secure the backend services, complemented by service users that determine the scope each service is allowed to act in. No user action can be performed without a valid OIDC token; the implementation follows the OIDC and OAuth 2 standards.

Minimal customization was required—OpenTalk simply created a template for their specific needs while using Keycloak as provided by the project.

Single Sign-On (SSO) operates in practice through several scenarios:

  1. OpenTalk initially introduces Keycloak into the customer environment, used first for OpenTalk services. Over time, customers connect additional services.
  2. Customers who already use Keycloak add OpenTalk as another application to their existing SSO setup.
  3. Based on a workstation login, often combined with x509 certificates, all applications, including OpenTalk, are authenticated via OIDC and Keycloak.

OpenTalk employs all available security mechanisms, including OAuth 2, OpenID Connect, and multi-factor authentication. The solution integrates with other open source technologies within the OpenTalk platform, such as real-time media transfer based on Livekit, real-time media processing, and additional tools for PDF creation or persistent storage via an S3 interface.

To ensure high availability and scalability, OpenTalk implemented clusters in various configurations, from simple active-passive setups to clusters with more than three nodes, geographically distributed for redundancy.

Impact

Keycloak provides OpenTalk and its users with simple authentication featuring all desired security mechanisms and necessary self-service tools (registration, password reset, email verification).

From a support perspective, authentication-related issues have been minimized to trivial errors such as incorrect usernames or email addresses. From an administrative standpoint, Keycloak has facilitated easier role and rights assignment and better control over user sessions.

A significant benefit of Keycloak is that it is deployable on-premises, giving customers full control over all data—a critical factor for digital sovereignty. Additionally, OpenTalk has saved considerable development resources by not having to implement all these authentication and user management features themselves.

Published:
April 29, 2025


By the numbers

  • 6 months development time saved
  • 30% deployment time saved
  • 20% documentation time saved

OpenTalk delivers a pre-configured Keycloak setup tailored for their platform. They’ve found that customers are often initially overwhelmed by Keycloak’s capabilities, which provides OpenTalk with opportunities to conduct Keycloak training and thereby promote its broader adoption.

Dennis Kalbhen, Director Technical Services at OpenTalk, states: “The integration of OpenTalk with existing authentication sources at customer sites is wonderfully simple and straightforward. Customers quickly recognize the advantages of Keycloak and want to do more with it.”

Keycloak has proven to be an ideal IAM solution for OpenTalk, enabling secure, scalable, and user-friendly authentication while supporting digital sovereignty and regulatory compliance. The implementation demonstrates how open-source solutions can effectively address complex identity management challenges in cloud-native applications.