Keycloak DevDay 2025

March 6, 2025, Darmstadt, Germany
The Community Class Reunion for Keycloak Developers

  • 1 Day
  • 120+ Attendees
  • 18+ Talks + Keynote
  • 25+ Speakers + Maintainers

About Keycloak DevDay

Keycloak is an awesome open source identity and access management solution, owned by the CNCF, driven by a huge community and with strong support from Red Hat. The Keycloak DevDay (Developer Day) invites everyone who uses Keycloak to deliver value to customers and employees through digital products and services. Meet maintainers, extension developers, operators and others to talk about Keycloak for a full day!

Why Join Us

  • Meet maintainers of Keycloak
  • Meet other developers extending Keycloak
  • Discover best-practices for operating Keycloak
  • Learn from others using Keycloak
  • Grow your Keycloak related network
  • Free amazing Keycloak DevDay gift!

Speakers

We are delighted to be able to present you with a high-quality speaker line-up consisting of leading Keycloak developers, maintainers & experts.

  • Abdessamad Temmar: Application & Product Security Engineer
  • Alexander Schwartz: Principal Software Engineer, Red Hat Inc.
  • Bartosz Bednarek: Head of Engineering, finmid
  • Bastian Ike: Keycloak expert, Bare.ID GmbH
  • Dominik Schlosser: Software Architect & Developer, Freelancer
  • Erik Jan de Wit: Software Engineer, Red Hat Inc.
  • Florian Rademacher: IT Consultant, codecentric AG
  • GR Patil: Co-Founder | CEO, Phase Two Inc.
  • Jeff Patzer: Co-Founder, Phase Two Inc.
  • Joseph Garrone: Tech Lead European Data Science Platform, Insee
  • Maik Kingma: Technical Lead & Software Architect, BMW Financial Services Nederland
  • Martin Bartoš: Senior Software Engineer, Red Hat Inc.
  • Max Maass: Senior Security Specialist, iteratec
  • Sven-Torben Janus: Principal Software Architect, Conciso GmbH
  • Thomas Darimont: Digital Identity Consultant, Identity Tailor GmbH

Pre-Conf Event

We are delighted to kick off this year's Keycloak DevDay 2025 with an exciting pre-event: a Hackathon all about Keycloak! This hackathon will take place the day before DevDay, on March 5, 2025 from 10:00 am. It offers all participants who arrive early a great opportunity to exchange ideas with the community, collaborate and realize ideas even before the main event.

To take part in the hackathon, please get a free ticket through our ticket shop - we look forward to seeing you and your ideas!


Overview of Talks

We're currently building the schedule, please allow us some time.
In the meantime, enjoy the list of all talks @ Keycloak DevDay 2025:

Keynote: How to benefit from the latest Keycloak features

Alexander Schwartz, Red Hat Inc.
Keycloak delivers multiple updates every year. To benefit from new features, and to stay up to date with the latest security fixes, you need to upgrade. At the same time an upgrade might bring breaking changes and can lead to downtimes. So how should you approach this?

In this talk you'll learn how to upgrade with confidence in a timely manner and with less effort.

After a short recap of the latest Keycloak features, this talk shows how to navigate the release schedule of Keycloak and explains how preview and deprecated features work. It also shows how to prepare for the next upgrade using the resources provided by the Keycloak project, and what additional measures you should take in your deployment and test pipelines to smooth the upgrade process. Finally, it will detail how you can provide feedback to the Keycloak project ahead of an upcoming release.

Mastering Access Control: Low-Code Authorization with ReBAC, Decoupling Patterns and Policy as Code

Martin Besozzi
The talk shows the integration between Keycloak and OpenFGA for Fine-Grained Authorization based on ReBAC. Both platforms are integrated with a custom extension where the authorization model is synchronized. As the PEP (Policy Enforcement Point), I added an identity-aware API gateway (Apache APISIX) to enforce authorization and decouple it from the backend. The gateway uses a custom plugin that supports Relationship-Based Access Control (ReBAC) policies. Based on this approach, the goal was to implement Policy as Code (PaC), decouple authorization logic, and offer Low-Code Authorization.

Introducing Keycloakify - A Keycloak theme creation framework

Joseph Garrone, Insee
An in-depth exploration of Keycloakify (https://keycloakify.dev): what it is, its key features, and how to get started with it.

Customize Keycloak with Ease: New UI Component Libraries

Erik Jan de Wit, Red Hat Inc.
Join us to discover how our new npm packages are transforming Keycloak customization. Learn how to rapidly build stunning and functional account and admin consoles using our pre-built React components based on PatternFly. We'll walk you through the core packages, demonstrate the quickstart tool, and share real-world examples of how these components can be used to create exceptional user experiences.

The Event Sorcerer with the Keycloak: The Battle against Dynamic Configuration

Maik Kingma, BMW Financial Services Nederland
In the evolving realm of Identity and Access Management (IAM), only the most skilled (event) sorcerers can harness the true power of "the Keycloak".
Continue the epic journey from last year's DevDay session "IAM Doomsday Prepper: Surviving the Apocalypse with Keycloak" and delve into the art of dynamic, replayable configuration through the power of event sourcing.
Discover how to extend static configurations with sets of dynamic, event-driven configuration, making your IAM projects resilient against change and highly adaptable. Learn the secrets of coding, versioning, and replaying configurations, ensuring your Keycloak setup is robust, future-proof and, most of all, dynamic.
Join us for a session that blends technical mastery with the lore of IAM, equipping you with the knowledge to wield dynamic configuration like a true sorcerer. By the end, your Keycloak projects will be fortified, ready to face any IAM challenge ahead.

Unlocking adaptive authentication with Keycloak

Martin Bartoš, Red Hat Inc.
As digital threats continuously evolve, traditional authentication methods often fall short and are insufficient in today's dynamic security landscape. Authentication needs to adapt to different risk levels and ever-changing contexts, such as user location, device, and behavior, to ensure a secure and user-friendly experience.
This presentation introduces the importance of adaptive authentication within Keycloak, showcasing how modern techniques combined with machine learning can transform identity and access management.
This allows server administrators to detect anomalies and respond to emerging threats more effectively, ensuring that sensitive resources are protected. We provide step-by-step guidance and a demo on configuring and deploying these techniques in your Keycloak environment.

Cloud Native Keycloak

Dominik Schlosser, Freelancer
We run Keycloak in a truly cloud-native fashion: GitOps deployment to a Kubernetes cluster (with Istio Service Mesh), zero-downtime upgrades even during peak usage times (~1200 req/s with ~20 million users), extensive custom metrics and alerts, file-based realm configuration.
In this talk I will deep dive into how we do it, what it took to get there and why we believe it was worth it and even try to push some of it upstream.

Auth.it! Reimagining the Keycloak Admin UI for B2B SaaS

GR Patil, Phase Two Inc.
Jeff Patzer, Phase Two Inc.
While comprehensive, the Keycloak Admin UI can be intimidating and hard to approach as a beginner. We present how we used a user and task focused design to create a new admin experience targeted at B2B SaaS companies. Our use-case driven methodology allowed us to massively reduce complexity and time to achieve the most common configuration and management goals. Additionally, we peek under the covers to show how we built it, along with existing and new extensions to make it possible.

Strengthening Security in Keycloak: An Introduction to the Shared Signals Framework

Thomas Darimont, Identity Tailor GmbH
As security threats become more sophisticated, the need for efficient, real-time communication between identity providers and relying parties is essential. The Shared Signals Framework (SSF) and related specifications such as CAEP and RISC address this challenge by providing a standardised way for systems to exchange security related signals, such as session revocations, credential breaches, and other identity-related incidents, in a secure and scalable manner.
This talk introduces the Shared Signals Framework and explains how it enhances security and operational efficiency in modern identity ecosystems. We'll explore how SSF can be supported in Keycloak to enable real-time event-driven communication between providers and relying parties. Attendees will learn how Keycloak can help to detect and mitigate threats, and improve overall system security with SSF.

Token Exchange: Keycloak's Secret Weapon for Platforms

Sven-Torben Janus, Conciso GmbH
As platform developers, we're constantly challenged to build systems that are secure, scalable, and ready for anything. But how do you maintain robust security without sacrificing flexibility? Enter OAuth 2.0 Token Exchange in Keycloak — a powerful tool that's transforming the way we manage identity and access across complex architectures.
In this session, we'll explore how to use Keycloak's token exchange capabilities to tackle the toughest problems in platform development: securing microservice communications, handling dynamic authorization across distributed systems, and enabling seamless Single Sign-On across multiple domains. We'll dive deep into real-world use cases, share expert tips on configuring Keycloak for advanced token exchange scenarios, and reveal how you can leverage these capabilities to build platforms that are not just secure, but also agile and responsive to change.
Whether you're building cloud-native apps, orchestrating microservices, or securing APIs, this talk will provide the practical knowledge you need to harness the full power of OAuth 2.0 Token Exchange with Keycloak. Don't miss your chance to redefine your platform's identity strategy and keep your systems ahead of the curve!

Lightweight and Repeatable Integration Testing of Keycloak Extensions

Florian Rademacher, codecentric AG
Keycloak extensions are often required to interact with the APIs of other systems, e.g., for the migration of customers from CRM systems to Keycloak users or for progressive profiling. While Keycloak's potential for such interactions is an important business requirement, it also calls for integration testing and thus makes extension testing more challenging: How to set up and maintain repeatable testing environments? How to ensure continued availability of such environments and still keep the maintenance effort low? How to mock other systems for which only their APIs and access to their production environments are known, but that do not provide any support for testing interactions with external parties? The talk goes into these issues based on experiences with the development of a real-world, non-trivial Keycloak extension for user migration. Specifically, the talk presents (i) ingredients to set up repeatable integration testing environments for Keycloak extensions with the Testcontainers framework; (ii) the automation of such setups so that local testing becomes possible; and (iii) Testcontainers Modules for flexible API mocking, and verifying custom scopes and claims in OIDC tokens. To this end, the talk focuses on a stripped-down use case from the real-world Keycloak extension, in which a user logs into another system by means of a dedicated login form whose authenticator checks the user's credentials with the other system and, in case of success, creates a corresponding Keycloak user ("implicit user migration").

Keycloak's Compliance with Security Specifications: from OAuth 2.0, OIDC to OID4VCI

Takashi Norimatsu, Hitachi Ltd.
Supporting security specifications (standards) is important for Keycloak, especially if we use Keycloak in our services, and Keycloak has supported many security specifications (standards). In the first half of this talk, Takashi describes what it means to support a security specification and proposes a level of assurance of conformity with specifications. Takashi also explains which security specifications Keycloak has supported. In the second half of this talk, Takashi picks one specification among them: OpenID for Verifiable Credential Issuance (OID4VCI). In Europe, interest in Decentralized Identity (DID) and Self-Sovereign Identity (SSI) is increasing as the European Commission released "The European Digital Identity Wallet Architecture and Reference Framework" for eIDAS 2.0. The latest Keycloak supports OpenID for Verifiable Credential Issuance (OID4VCI) as an experimental feature for this emerging paradigm of identity, developed by Keycloak's community, such as the OAuth SIG. Takashi describes the latest updates on OID4VCI support and explains in detail how to use Keycloak to issue a Verifiable Credential.

kcwarden: Finding and Fixing Keycloak Config Issues

Max Maass, iteratec
Keeping a complex Keycloak configuration secure is no easy feat. Configuration drift and unintended changes can turn what was once a secure configuration into one that is wide open to attacks - and taking stock of a configuration that has been created over multiple years of operation can be a daunting task. No matter if you are administrating your own Keycloak or called in to perform a security audit, automation can be essential in ensuring you can quickly find and fix configuration issues, and detect new ones when they show up. We developed kcwarden, an Open Source tool that assists in finding common security issues and establishing custom guardrails that can alert you about dangerous configuration changes specific to your environment. In this talk, I will present how kcwarden can be used in your workflows. After the presentation, I'd be happy to get your views on the future direction of the tool in an Unconference session.

Five Deadly Sins When Using Keycloak for SSO

Abdessamad Temmar
Over recent years, the threat landscape for highly targeted organizations has significantly evolved. When attackers fail to steal user credentials, they will pivot instead to stealing authentication proofs from users. OAuth, a widely adopted protocol, plays a crucial role in safeguarding against these threats. However, its effectiveness can be severely compromised by mis-implementations at both the application and authorization service levels. This presentation will cover the five most critical mistakes —"deadly sins"— committed by architects and developers when using Keycloak to implement SSO with OAuth. These errors can lead to the compromise of user sessions, making organizations vulnerable to attacks. Additionally, we will discuss current/upcoming improvements in the OAuth specification and implementation strategies that can mitigate these risks, and how Keycloak aligns with these practices.

Secure Service-to-Service Communication: Leveraging OIDC with Keycloak and mTLS for Robust Authentication and Authorization

Denisa Minescu, Lenovo
Tiberius Hodoroaba, Lenovo
This talk presents a system that enables secure communication between services by utilizing OpenID Connect (OIDC) with Keycloak and X.509 certificate-based mutual Transport Layer Security (mTLS). This approach not only ensures robust service-to-service (S2S) authentication and authorization, but also leverages the concept of automated deployment of service roles in Keycloak, streamlining role management and enhancing overall system security, reliability, and scalability.

Keycloak Transient Users vs Corporate Security Policy - use case study for custom-flow Keycloak deployment

Waldemar Korłub, Inero Software
Transient Users in Keycloak is a new (beta) feature that allows for the creation of users within a session, without the need to store them in the database. This functionality was designed with login architectures in mind where Keycloak, as an Identity and Access Management (IAM) system, leverages external Identity Providers (IdPs). During our presentation, we will showcase a case study (use case) that we implemented for a corporate client. We will share why this Keycloak feature proved to be particularly useful in our scenario, explain how we implemented it, and discuss the lessons learned from integrating this feature into the overall project.

Enhancing Group Management in Keycloak: A Flexible Extension for Dynamic Membership Control

Georgilakis Konstantinos, GRNET
Andreas Kozadinos, GRNET
Overview: This presentation introduces an advanced group management extension for Keycloak, aimed at providing greater flexibility and control over group memberships. Our goal is to overcome the limitations of Keycloak's hierarchical groups and eventually integrate this extension into Keycloak's core features.
Problem: Keycloak's current group system lacks essential capabilities, including the assignment of specific roles within groups, support for defining membership start and end dates, and functionality for tracking membership status, such as active, pending, or suspended.
Solution: Our extension addresses these limitations with several key features. It enables distinct roles for members, allows admins to define when memberships activate and expire, and permits users to be manually updated or removed based on configuration. Membership status management includes full membership status, pre-configured future memberships, and temporary deactivation of membership.
Empowering Group Administrators: This extension empowers group administrators by allowing them to manage their own and child groups independently, handle enrollment requests or invitations, and either manually or on-demand remove users from groups (versus automatically, once their membership expires), ensuring cleaner group management.
Enhanced User Experience: To improve usability, new menus in user and admin consoles simplify group management. Automated email notifications inform users and admins about key events like invitations and membership changes.
Development and Future Integration: Currently implemented as a Keycloak extension (plugin), this functionality allows for easy integration without core modifications. Given its significant value, we believe it should be considered for integration into Keycloak's core features. We will also demonstrate the code structure and how the extension interfaces with Keycloak's architecture.

Live-migrating millions of sessions to Keycloak

Bastian Ike, Bare.ID GmbH
One of our projects moved from a proprietary OAuth service to Keycloak. To ensure a smooth transition, we migrated all existing sessions to Keycloak to prevent users from being logged out despite the migration to a completely new SSO Server. In this talk we explore how Keycloak manages sessions, how they relate to tokens and how we achieved the "live migration" to Keycloak without any user noticing.

Integration Testing of Keycloak Terraform Modules

Fabian Böttcher, finmid
Bartosz Bednarek, finmid
Using Terraform to automate provisioning and configuration of Keycloak implements a repeatable and version-controlled method to manage Keycloak. Additionally, reusable Terraform modules allow engineers to provision resources like OIDC clients in their respective code repositories. To ensure a controlled, secure and predictable Keycloak setup, thorough testing is a crucial part of this architecture. In this talk, we will cover how to test and validate customized Keycloak setups by leveraging Kotlin-based integration tests. Using Kotlin's concise and expressive language features, we can write integration tests that confirm the correctness of the Terraform-provisioned Keycloak configurations. These tests will ensure that realms, authentication flows, and client settings behave as expected, reducing the risk of configuration errors in production.

Tickets

Please buy your ticket through our Pretix ticket shop.

What's included?

  • Many talks from maintainers, industry-leading and community speakers
  • Participation in the hands-on Hackathon the day before the event
  • Access to an afterwork-party (food/drinks not included)
  • FREE drinks, refreshments, coffee and lunch during the event
  • FREE Keycloak Gift for all participants

Venue

Location

greet Hotel Darmstadt
Hilpertstrasse 27
64295 Darmstadt
Germany

https://www.greethoteldarmstadt.com

  • Frankfurt Airport is around the corner,
    only 25 Minutes by direct-connection bus to Darmstadt Main Station
  • only 15 Minutes walk from Darmstadt Main Station
  • Bus Stop (public transport) right in front of the Hotel
  • FREE Parking for conference attendees (included in ticket fare)

Directions

Please use Google Maps to find out how to get there.

Facilities & Accommodations

We offer a limited contingent of hotel rooms at a special rate. You'll find the code and contact information in the payment confirmation email after you have purchased your ticket(s).

A big 'Thank You' to our Sponsors & Partners

Keynote-Sponsor