Keycloak conference slide deck

Alexander Schwartz
March 25, 2026

This is what we show at conferences. Updated now and then :D

Transcript

  1. Keycloak is an Open Source Identity and Access Management Solution

    🎂 Initial commit 2013-07-02
    🏆 CNCF incubating project April 2023
    📜 Apache License, Version 2.0
    ⭐ 34k GitHub stars
  2. Keycloak at the Beginning

    • OpenID Connect Protocol Implementation for the server
    • Services and database to store information about clients and identities
    • From Developers for Developers

    Soon after that:
    • Multi Factor authentication
    • Client libraries
    • SAML, LDAP, …
  3. Day 0: Getting started as a developer

    • Run a single container (inside or outside Kubernetes) or extract an archive
    • Works with Testcontainers
    • Configure using CLI, API, Web UI or export/import a realm using JSON for identical environments

    Makes sense already for a single application!
  4. Running Keycloak as a developer

        # Start a development-mode instance with an initial admin user
        docker run --name keycloak -p 8080:8080 \
          -e KEYCLOAK_ADMIN=admin \
          -e KEYCLOAK_ADMIN_PASSWORD=change_me \
          quay.io/keycloak/keycloak:latest \
          start-dev

        # Same, but import the realm JSON files from the mounted directory at startup
        docker run --name keycloak_w_import -p 8080:8080 \
          -e KEYCLOAK_ADMIN=admin \
          -e KEYCLOAK_ADMIN_PASSWORD=change_me \
          -v /path/to/realm/data:/opt/keycloak/data/import \
          quay.io/keycloak/keycloak:latest \
          start-dev --import-realm
  5. Day 1: Single-Sign-On is cool!

    • Users need to remember only one password
    • Authenticate only once per day
    • Add second factor for authentication for security
    • Theme the frontend to match your needs

    Makes sense already for a single application!
  6. Day 2: Become flexible in your setup

    • Integrate LDAP and Kerberos
    • Brokerage to existing SAML services
    • Brokerage to existing OIDC services
    • Integrate existing custom stores

    Reuse the existing user infrastructure!
  7. Day 3: Eliminate daily churn

    • User required actions
    • User password recovery (even when using LDAP)
    • Self-registration for users
    • User data self-management

    Resolve the need for calls and tickets!
  8. New: Better security for humans and machines

    🦎 Standard Token Exchange
       Exact and secure tokens with the right audience and scopes.
    🚪 JWT Authorization Grant
       Authenticate locally, then use trust relationships.
    🔑 2FA recovery codes, Passkeys, FAPI 2.0, DPoP, MCP
       Tightened security in all login flows.
    ⚙ Workflows
       Automate all stages of the user lifecycle management.
  9. New: Automation and better tools for admins

    ⛱ Fine Grained Admin Permissions
       Delegate access to administer entities in the realm to resource owners.
    ♻ Secure communication, split-brain detection, rolling updates
       Making an administrator’s life simpler.
    🔗 Federated Client Authentication
       Less friction to manage credentials of clients across the infrastructure.
  10. Observe your IAM in action with

    🔍 Traces to hunt errors and latencies
       Trace an incoming auth call to the database, LDAP and external IdPs. Fully Supported since Jan 2025.
    🧾 Logs for detailed insights
       Originally for console, file and syslog. For OTel since Jan 2026.
    📏 Metrics covering user and system activities
       Find out about logins per second, cache sizes, endpoint timings. Originally for Prometheus/OpenMetrics. For OTel since Jan 2026.
    📈 Dashboards, ready to go with Grafana
       All relevant service level indicators on a single page.
  11. Upcoming Features in Keycloak 26.6*

    * Due end of March, subject to change

    • JWT Authorization Grant supported
    • Federated Client Authentication supported
    • Organization Groups
    • Workflows supported
    • Rolling updates and graceful restarts
    • Better integration with Traefik, Envoy
    • Simplified and opinionated DB connection setup
    • New Keycloak test framework
  12. Upcoming Features in Keycloak 26.7*

    * Due end of June, subject to change

    • SCIM support
    • Organization Roles
    • Continue the work around MCP
    • Better documentation for proxy configuration
    • …
  13. Case Studies

    Hitachi Ltd. used Keycloak to make financial grade security easier
    OpenTalk achieves versatile and compliant user authentication with Keycloak
    BRZ migrated the Austrian Business Service Portal with 2M+ users to Keycloak
  14. Conferences & Events

    KeycloakCon + KubeCon Japan
       🏠 Yokohama (JP) 📅 2025-07-28…30
       https://events.linuxfoundation.org/
    KeyConf26
       🏠 Prague (CZ) 📅 2026-10-08
       https://keyconf.dev/
    Meetup Keycloak Hour of Code
       🏠 Online 📅 Every 1-2 months
       https://www.meetup.com/keycloak-hour-of-code/
  15. Sovereign Identities for Your Cloud Native Architecture With Keycloak

    Alexander Schwartz, IBM
    Sebastian Łaskawiec, Defense Unicorns
    🏠 G102-103 📅 Wednesday March 25, 2026 11:45 - 12:15 CET

    When building and evolving your sovereign cloud-native architecture, identities bring together your applications, data and infrastructure and keep them secure. Join this talk to learn how to use strong authentication and leverage trust relationships across organizations. See our latest features on how to use automatically rotating Kubernetes service account tokens as client secrets, and gather insights with our unified OpenTelemetry setup.
  16. Community Links

    CNCF Slack
       #keycloak #keycloak-dev
       https://slack.cncf.io/
    Keycloak
       https://keycloak.org/
    Keycloak Community
       Discourse Forum, GitHub Discussion, Mailing Lists
       https://www.keycloak.org/community
    Keycloak OAuth SIG
       #keycloak-oauth-sig
       https://github.com/keycloak/kc-sig-fapi