KEYCLOAK DevDay 2025

Keycloak delivers multiple updates every year. To benefit from new features, and to stay up to date with the latest security fixes, you need to upgrade. At the same time an upgrade might bring breaking changes and can lead to downtimes. So how should you approach this?

In this talk you'll learn how to upgrade with confidence in a timely manner and with less effort.

After a short recap of the latest Keycloak features, this talk shows how to navigate the release schedule of Keycloak and explains how preview and deprecated features work. It also shows how to prepare for the next upgrade using the resources provided by the Keycloak project, and what additional measures you should take in your deployment and test pipelines to smoothen the upgrade process. Finally, it will detail how you provide feedback to the Keycloak project ahead of an upcoming release.

The talk shows the integration between Keycloak and OpenFGA for Fine-Grained Authorization based on ReBAC. Both platforms are integrated with a custom extension where the authorization model is synchronized. As the PEP (Policy Enforcement Point), I added an identity-aware API gateway (Apache APISIX) to enforce authorization and decouple it from the backend. The gateway uses a custom plugin that supports Relationship-Based Access Control (ReBAC) policies. Based on this approach, the goal was to implement Policy as Code (PaC), decouple authorization logic, and offer Low-Code Authorization.

An in-depth exploration of Keycloakify (https://keycloakify.dev): what it is, its key features, and how to get started with it.

Join us to discover how our new npm packages are transforming Keycloak customization. Learn how to rapidly build stunning and functional account and admin consoles using our pre-built React components based on PatternFly. We'll walk you through the core packages, demonstrate the quickstart tool, and share real-world examples of how these components can be used to create exceptional user experiences.

In the evolving realm of Identity and Access Management (IAM), only the most skilled (event) sorcerers can harness the true power of "the Keycloak".
Continue the epic journey from last years DevDay session "IAM Doomsday Prepper: Surviving the Apocalypse with Keycloak" and delve into the art of dynamic, replayable configuration through the power of event sourcing.
Discover how to extend static configurations with sets of dynamic event driven configuration, making your IAM projects resilient against change and highly adaptable. Learn the secrets of coding, versioning, and replaying configurations, ensuring your Keycloak setup is robust, future-proof and, most of all, dynamic.
Join us for a session that blends technical mastery with the lore of IAM, equipping you with the knowledge to wield dynamic configuration like a true sorcerer. By the end, your Keycloak projects will be fortified, ready to face any IAM challenge ahead.

As digital threats continuously evolve, traditional authentication methods often fall short and are insufficient in today's dynamic security landscape. It needs to adapt to different risk levels and ever-changing contexts, such as user location, device, and behavior, to ensure a secure and user-friendly experience.
This presentation introduces the importance of adaptive authentication within Keycloak, showcasing how modern techniques combined with machine learning can transform identity and access management.
This allows server administrators to detect anomalies and respond to emerging threats more effectively, ensuring that sensitive resources are protected. We provide step-by-step guidance and a demo on configuring and deploying these techniques in your Keycloak environment.

We run Keycloak in truly cloud native fashion: GitOps-Deployment to a Kubernetes Cluster (with Istio Service Mesh), Zero Downtime Upgrades even during peak usage times (~1200 Req/s with ~20 Mio users), extensive custom metrics and alerts, file-based realm configuration.
In this talk I will deep dive into how we do it, what it took to get there and why we believe it was worth it and even try to push some of it upstream.

While comprehensive, the Keycloak Admin UI can be intimidating and hard to approach as a beginner. We present how we used a user and task focused design to create a new admin experience targeted at B2B SaaS companies. Our use-case driven methodology allowed us to massively reduce complexity and time to achieve the most common configuration and management goals. Additionally, we peek under the covers to show how we built it, along with existing and new extensions to make it possible.

As security threats become more sophisticated, the need for efficient, real-time communication between identity providers and relying parties is essential. The Shared Signals Framework (SSF) and related specifications such as CAEP and RISC address this challenge by providing a standardised way for systems to exchange security related signals, such as session revocations, credential breaches, and other identity-related incidents, in a secure and scalable manner.
This talk introduces the Shared Signals Framework and explains how it enhances security and operational efficiency in modern identity ecosystems. We'll explore how SSF can be supported in Keycloak to enable real-time event-driven communication between providers and relying parties. Attendees will learn how Keycloak can help to detect and mitigate threats, and improve overall system security with SSF.

As platform developers, we're constantly challenged to build systems that are secure, scalable, and ready for anything. But how do you maintain robust security without sacrificing flexibility? Enter OAuth 2.0 Token Exchange in Keycloak — a powerful tool that's transforming the way we manage identity and access across complex architectures.
In this session, we'll explore how to use Keycloak's token exchange capabilities to tackle the toughest problems in platform development: securing microservice communications, handling dynamic authorization across distributed systems, and enabling seamless Single Sign-On across multiple domains. We'll dive deep into real-world use cases, share expert tips on configuring Keycloak for advanced token exchange scenarios, and reveal how you can leverage these capabilities to build platforms that are not just secure, but also agile and responsive to change.
Whether you're building cloud-native apps, orchestrating microservices, or securing APIs, this talk will provide the practical knowledge you need to harness the full power of OAuth 2.0 Token Exchange with Keycloak. Don't miss your chance to redefine your platform's identity strategy and keep your systems ahead of the curve!

Keycloak extensions are often required to interact with the APIs of other systems, e.g., for the migration of customers from CRM systems to Keycloak users or for progressive profiling. While Keycloak's potential for such interactions is an important business requirement, it also calls for integration testing and thus makes extension testing more challenging: How to set up and maintain repeatable testing environments? How to ensure continued availability of such environments and still keep the maintenance effort low? How to mock other systems for which only their APIs and access to their production environments is known, but that do not provide any support for testing interactions with external parties? The talk goes into these issues based on experiences with the development of a real-world, non-trivial Keycloak extension for user migration. Specifically, the talk presents (i) ingredients to set up repeatable integration testing environments for Keycloak extensions with the Testcontainers framework; (ii) the automation of such setups so that local testing becomes possible; and (iii) Testcontainers Modules for flexible API mocking, and verifying custom scopes and claims in OIDC tokens. To this end, the talk focuses on a stripped down use case from the real-world Keycloak extension, in which a users logs into another system by means of a dedicated login form whose authenticator checks the user's credentials with the other system and in case of success creates a corresponding Keycloak user ("implicit user migration").

Supporting security specifications (standards) is important for Keycloak especially if we use Keycloak in our services and Keycloak have supported many security specifications (standards). In a first of this talk Takashi describes the meaning of supporting a security specification and propose a level of assurance of conformity with specifications. Takashi also tells which security specifications Keycloak supported. In a last half of this talk, Takashi picks up one specification among them: OpenID for Verifiable Credentials (OID4VCI). In Europe, interest in De-centralized Identity (DID) and Self-sovereign identity (SSI) are increasing as the European Commission released "The European Digital Identity Wallet Architecture and Reference Framework" for eIDAS 2.0. The latest Keycloak supported an experimental feature OpenID for Verifiable Credential Issuance (OID4VCI) for this emerging paradigm of identity by keycloak's community like OAuth SIG. Takashi describes the latest updates about OID4VCI support and describes how to use Keycloak to issue a Verifiable Credential in detail.

Keeping a complex Keycloak configuration secure is no easy feat. Configuration drift and unintended changes can turn what was once a secure configuration into one that is wide open to attacks - and taking stock of a configuration that has been created over multiple years of operation can be a daunting task. No matter if you are a administrating your own Keycloak or called in to perform a security audit, automation can be essential in ensuring you can quickly find and fix configuration issues, and detect new ones when they show up. We developed kcwarden, an Open Source tool that assists in finding common security issues and establishing custom guardrails that can alert you about dangerous configuration changes specific to your environment. In this talk, I will present how kcwarden can be used in your workflows, and I would love to get suggestions for the future directions of the tool from the community

Over recent years, the threat landscape for highly targeted organizations has significantly evolved. When attackers fail to steal user credentials, they will pivot instead to stealing authentication proofs from users. OAuth, a widely adopted protocol, plays a crucial role in safeguarding against these threats. However, its effectiveness can be severely compromised by mis-implementations at both the application and authorization service levels. This presentation will cover the five most critical mistakes —""deadly sins""— committed by architects and developers when using Keycloak to implement SSO with OAuth. These errors can lead to the compromise of user sessions, making organizations vulnerable to attacks. Additionally, we will discuss current/upcoming improvements in the OAuth specification and implementation strategies that can mitigate these risks, and how Keycloak aligns with these practices.

This refers to a system that enables secure communication between services by utilizing OpenID Connect (OIDC) with Keycloak and x509 certificate-based mutual Transport Layer Security (mTLS). This approach not only ensures robust S2S authentication and authorization, but also leverages the concept of automated deployment of services roles in Keycloak, streamlining role management and enhancing overall system security, reliability, and scalability.

Transient Users in KeyCloak is a new (beta) feature that allows for the creation of users within a session, without the need to store them in the database. This functionality was designed with login architectures in mind where KeyCloak, as an Identity and Access Management (IAM) system, leverages external Identity Providers (IdPs). During our presentation, we will showcase a case study (use-case) that we implemented for a corporate client. We will share why this KeyCloak feature proved to be particularly useful in our scenario, explain how we implemented it, and discuss the lessons learned from integrating this feature into the overall project.

Overview: This presentation introduces an advanced group management extension for Keycloak, aimed at providing greater flexibility and control over group memberships. Our goal is to overcome the limitations of Keycloak's hierarchical groups and eventually integrate this extension into Keycloak's core features.
Problem: Keycloak's current group system lacks essential capabilities, including the assignment of specific roles within groups, support for defining membership start and end dates, and functionality for tracking membership status, such as active, pending, or suspended.
Solution: Our extension addresses these limitations with several key features. It enables distinct roles for members, allows admins to define when memberships activate and expire, and permits users to be manually updated or removed based on configuration. Membership status management includes full membership status, pre-configured future memberships, and temporary deactivation of membership.
Empowering Group Administrators: This extension empowers group administrators by allowing them to manage their own and child groups independently, handle enrollment requests or invitations, and either manually or on-demand remove users from groups (versus automatically, once their membership expires), ensuring cleaner group management.
Enhanced User Experience: To improve usability, new menus in user and admin consoles simplify group management. Automated email notifications inform users and admins about key events like invitations and membership changes.
Development and Future Integration: Currently implemented as a Keycloak extension (plugin), this functionality allows for easy integration without core modifications. Given its significant value, we believe it should be considered for integration into Keycloak's core features. We will also demonstrate the code structure and how the extension interfaces with Keycloak's architecture.

One of our projects moved from a proprietary OAuth service to Keycloak. To ensure a smooth transition, we migrated all existing sessions to Keycloak to prevent users from being logged out despite the migration to a completely new SSO Server. In this talk we explore how Keycloak manages sessions, how they relate to tokens and how we achieved the "live migration" to Keycloak without any user noticing.

Using Terraform to automate provisioning and configuration of Keycloak implements a repeatable and version-controlled method to manage Keycloak. Additionally, reusable Terraform modules allow engineers to to provision resources like OIDC clients in their respective code repositories. To ensure a controlled, secure and predictable Keycloak setup, thorough testing is a crucial part of this architecture. In this talk, we will cover how to test and validate customized Keycloak setups by leveraging Kotlin-based integration tests. Using Kotlin's concise and expressive language features, we can write integration tests that confirm the correctness of the Terraform-provisioned Keycloak configurations. These tests will ensure that realms, authentication flows, and client settings behave as expected, reducing the risk of configuration errors in production.