By "sits in front of" I mean that it's a completely separate web application rather than a framework, library or proxy that is somehow bundled with your application.
Whenever you want someone authenticated you redirect the user's browser to Keycloak. Keycloak will redirect the user's browser back to you once authentication has been completed. In the best-case scenario you will find a library that integrates with your choice of web framework, provide configuration (i.e. the URL to Keycloak), and the library will do all the heavy lifting for you.
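The redirect round trip described above, as an added example that is not from the original post or from Keycloak's own code. It assumes the OpenID Connect authorization code flow with PKCE; the host names, realm, client ID and the `session` dict are placeholders, and the authorization path is the one current Keycloak releases expose.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values for illustration; none of these come from the original page.
KEYCLOAK_BASE = "https://keycloak.example.test"
REALM = "demo"
CLIENT_ID = "my-app"
REDIRECT_URI = "https://app.example.test/callback"

def begin_login(session):
    """Return the Keycloak URL to redirect the browser to.
    Stores a one-time state and PKCE verifier in the caller's session."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43-128 PKCE range
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    session["oidc_state"] = state
    session["pkce_verifier"] = verifier
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{query}"

def handle_callback(session, callback_url):
    """Validate the redirect back from Keycloak.
    Returns (code, verifier) for the token request or raises ValueError."""
    params = parse_qs(urlparse(callback_url).query)
    # pop() makes the state single-use, so a replayed callback is rejected.
    expected = session.pop("oidc_state", None)
    verifier = session.pop("pkce_verifier", None)
    returned = params.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in params:
        raise ValueError("login failed: " + params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code, verifier
```

The returned code and verifier are then exchanged at Keycloak's token endpoint in a server-to-server request, which is the part an integration library normally handles along with token validation.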
I found Keycloak as a product relatively easy to get started with. But I still don't think I fully understand the authentication landscape with its many alternatives and their many security implications.