Keycloak at the Beginning
… and database to store information about clients and identities
• From Developers for Developers
Soon after that:
• Multi-factor authentication
• Client libraries
• SAML, LDAP, …
Makes sense already for a single application!
• … single container (inside or outside Kubernetes) or extract an archive
• Works with Testcontainers
• Configure using CLI, API, Web UI, or export/import a realm as JSON for identical environments
Makes sense already for a single application!
• … only one password
• Authenticate only once per day
• Add a second factor for authentication for security
• Theme the frontend to match your needs
Reuse the existing user infrastructure!
• … and Kerberos
• Brokerage to existing SAML services
• Brokerage to existing OIDC services
• Integrate existing custom stores
… Exchange: Exact and secure tokens with the right audience and scopes.
🚪 JWT Authorization Grant: Authenticate locally, then use trust relationships.
🔑 2FA recovery codes, Passkeys, FAPI 2.0, DPoP, MCP: Tightened security in all login flows.
⚙ Workflows: Automate all stages of user lifecycle management.
Admin Permissions: Delegate access to administer entities in the realm to resource owners.
♻ Secure communication, split-brain detection, rolling updates: Making an administrator’s life simpler.
🔗 Federated Client Authentication: Less friction to manage credentials of clients across the infrastructure.
… errors and latencies: Trace an incoming auth call to the database, LDAP and external IdPs. Fully supported since Jan 2025.
🧾 Logs for detailed insights: Originally for console, file and syslog. For OTel since Jan 2026.
📏 Metrics covering user and system activities: Find out about logins per second, cache sizes, endpoint timings. Originally for Prometheus/OpenMetrics. For OTel since Jan 2026.
📈 Dashboards, ready to go with Grafana: All relevant service level indicators on a single page.
🗂 SCIM, Organization Groups, delegating Organization administration: Integrating with other IdPs and pre-provisioning users
🔒 Post-Quantum Cryptography: Support it for TLS connections, tokens and credentials
🔌 Client v2 API and Custom Resources for Clients: Declarative provisioning of clients
* subject to change
* subject to change
• JWT Authorization Grant supported
• Federated Client Authentication supported
• Organization Groups
• Workflows supported
• Rolling updates and graceful restarts
• Better integration with Traefik, Envoy
• Simplified and opinionated DB connection setup
• New Keycloak test framework
… security easier
OpenTalk achieves versatile and compliant user authentication with Keycloak
BRZ migrated the Austrian Business Service Portal with 2M+ users to Keycloak
… Baskaran, Markus Nagel
🏠 DevZone Theater
📅 Wednesday, May 13, 3:45 PM - 4:05 PM
AI agents have evolved from passive chat assistants to autonomous digital users, performing critical tasks across enterprise systems. It is imperative that their interactions are authenticated, authorized, and continuously monitored—just like any human user—to maintain security and compliance. This session is for Platform Architects, Security Engineers and DevOps leaders grappling with security and next-gen AI apps.
… Schwartz
🏠 Expo Hall - Discovery Theater 4
📅 Wednesday, May 13, 4:20 PM - 4:40 PM
Many organizations use the Red Hat build of Keycloak to protect their application workloads—but when static credentials like client secrets are used to support integration between components, sensitive assets may be exposed. A new framework available in the Red Hat build of Keycloak authenticates workloads using SPIFFE (Secure Production Identity Framework for Everyone) identities, eliminating the security weaknesses associated with using long-lived credentials.
Community
• Discourse Forum
• GitHub Discussion
• Mailing Lists
https://www.keycloak.org/community
Keycloak OAuth SIG
• #keycloak-oauth-sig
• https://github.com/keycloak/kc-sig-fapi