Hubbry Logo
KeycloakKeycloakMain
Open search
Keycloak
Community hub
Keycloak
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Keycloak
Keycloak
Keycloak
View on Wikipedia
from Wikipedia
Keycloak
DevelopersWildFly, a division of Red Hat
Initial releaseSeptember 10, 2014 (2014-09-10)
Stable release
26.4.2 / 23 October 2025[1]
Repositorygithub.com/keycloak/keycloak
Written inJava
PlatformJava
TypeSingle sign-on system
LicenseApache License 2.0
Websitekeycloak.org Edit this at Wikidata

Keycloak is an open-source software product to allow single sign-on with identity and access management aimed at modern applications and services. Until April 2023, this WildFly community project was under the stewardship of Red Hat, who use it as the upstream project for their Red Hat build of Keycloak. In April 2023, Keycloak was donated to the CNCF and joined the foundation as an incubating project.[2]

Keycloak supports various protocols such as OpenID, OAuth version 2.0 and SAML and provides features such as user management, two-factor authentication, permissions and roles management, creating token services, etc.[3] It is possible to integrate Keycloak with other technologies, such as front-end frameworks like React or Angular, as well as containerization solutions like Docker.[4]

History

[edit]

The first production release of Keycloak was in September 2014, with development having started about a year earlier. In 2016, Red Hat switched the RH SSO product from being based on the PicketLink framework to being based on the Keycloak upstream Project.[5] This followed a merging of the PicketLink codebase into Keycloak.[6][7]

To some extent Keycloak can now also be considered a replacement of the Red Hat JBoss SSO open source product which was previously superseded by PicketLink.[8][9] As of March 2018, JBoss.org is redirecting the old jbosssso subsite to the Keycloak website. The JBoss name is a registered trademark and Red Hat moved its upstream open source projects names to avoid using JBoss, JBoss AS to Wildfly being a more commonly recognized example.[10]

Components

[edit]

There are two main components of Keycloak:

  • Keycloak server, including the API and graphical interface.
  • Keycloak client. Previously Keycloak included a set of 'adapter' libraries, but those were discontinued in 2022.[11]

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Keycloak

View on Grokipedia
from Grokipedia
Keycloak is an open-source identity and access management (IAM) solution that provides (SSO), , , and user federation capabilities for modern applications and services. Developed to simplify security integration, it enables developers to secure web and mobile applications without building custom user management systems, supporting standards such as Connect, 2.0, and SAML 2.0. Originally initiated as a associated with JBoss technologies, Keycloak has evolved into a widely adopted tool maintained by an active open-source community under the (CNCF) umbrella. At its core, Keycloak operates as a standalone server that handles user authentication and issues secure tokens containing identity and permissions data, allowing applications to verify access without storing sensitive user information. Key features include identity brokering for integrating with social networks or existing identity providers, user federation with LDAP or Active Directory, fine-grained authorization services, and customizable user interfaces for login, registration, and account management. It supports high availability through clustering, theming for branding, and extensibility via service provider interfaces (SPIs) for custom functionality. Keycloak's architecture revolves around realms, isolated spaces for managing users, clients, and roles, which facilitates multi-tenancy and secure across different applications or organizations. The solution includes an administrative console for central configuration of realms, users, and policies, as well as an account console where users can manage their profiles, sessions, and two-factor authentication setups. Deployable via containers like Docker or on platforms such as , it emphasizes performance and scalability for enterprise environments.

Overview

Introduction

Keycloak is an open-source identity and access management (IAM) solution designed to add and to applications and services with minimal configuration. Its primary purpose is to enable (SSO), centralized user management, and secure , allowing applications to delegate identity handling rather than implementing it internally. This approach reduces the complexity of security implementation for developers, providing ready-to-use features such as customizable interfaces, user registration, and account management. Keycloak targets modern use cases including web applications, RESTful web services, architectures, and cloud-native environments, where scalable and integrated identity solutions are essential. It supports seamless integration with existing identity providers like LDAP, , and social platforms such as and , facilitating user federation and . Key benefits include accelerated development by offloading security concerns, enhanced scalability for distributed systems, and support for standards like OpenID Connect and OAuth 2.0 to ensure interoperability. By centralizing and , it promotes secure, efficient management across diverse ecosystems.

Licensing and Development

Keycloak is distributed under the 2.0, a permissive that allows users to freely use, modify, and distribute the software for any purpose, provided that copyright notices and the license terms are preserved in all copies or substantial portions of the software. This licensing model encourages widespread adoption while ensuring compatibility with both open-source and proprietary projects. The development of Keycloak is primarily maintained by , which sponsors the project as part of its JBoss community initiatives, with core contributions and oversight provided by a dedicated team of maintainers. Contributions from the broader developer community are welcomed and integrated through pull requests on the project's repository, following a contributor guide that emphasizes code quality, testing, and adherence to the Developer Certificate of Origin. This collaborative model has fostered steady evolution, with maintainers reviewing and merging enhancements that align with the project's roadmap. The Keycloak community comprises developers and organizations worldwide who actively participate via discussion forums, issue trackers, and annual events such as KeycloakCon—a half-day conference co-located with KubeCon—and Keycloak DevDay, which feature technical talks, workshops, and networking opportunities. bolsters this ecosystem with enterprise-grade support through its build of Keycloak, a downstream distribution offering long-term stability, security updates, and certified integrations for production environments. is handled by the maintainers, who prioritize features, manage releases, and ensure alignment with community needs. In April 2023, Keycloak joined the (CNCF) as an incubating project, and remains an incubating project as of November 2025, promoting its adoption in cloud-native architectures through alignment with , OpenTelemetry, and other CNCF standards for scalable, resilient identity management.

History

Origins and Early Development

Keycloak originated in 2013 as an open-source project initiated by developers within the JBoss community at , aimed at filling gaps in available (SSO) solutions tailored for Java-based applications and services. The project was co-led by Bill Burke and Stian Thorgersen, with contributions from a core team including Gabriel Cardoso, Viliam Rockai, Bolesław Piech, and Alexandre Mendonça, all affiliated with Red Hat's JBoss division. The primary motivations for Keycloak's creation were to provide a lightweight, standards-compliant alternative to proprietary identity and access management (IAM) tools, emphasizing ease of integration for browser applications, RESTful services, and social authentication providers. Drawing inspiration from the existing PicketLink project—particularly its capabilities—the developers sought to extend beyond PicketLink's primary focus on SAML to incorporate broader support for protocols like OAuth 2.0, while leveraging PicketLink components where appropriate. This approach addressed the need for centralized user authentication, , and management in modern web and mobile ecosystems without relying on . Early development commenced with prototyping in July 2013, building on prior work from the RESTEasy project's module and a social broker service. The first alpha release followed in December 2013, prioritizing OAuth 2.0 bearer token support, social login integrations (such as and ), user self-registration, and an administrative console. Keycloak achieved production readiness with its inaugural stable release, version 1.0, on September 18, 2014, which stabilized database schemas, enhanced performance, and refined interfaces (SPIs) to enable reliable basic SSO deployments. This milestone marked the project's maturation from experimental code to a deployable solution compatible with JBoss AS7, EAP 6.x, and servers.

Major Releases and Milestones

Keycloak's development has seen steady evolution through major version releases, each introducing significant enhancements to its identity and access management capabilities. The project began with its first production release in September 2014, but major milestones from 2015 onward marked key advancements in protocol support, runtime improvements, and enterprise integrations. The first major version, 2.0.0, released in February 2015, introduced enhanced support for , enabling broader federation with legacy systems alongside its core OpenID Connect and OAuth 2.0 features. In 2016, integrated Keycloak as the upstream project for Red Hat Single Sign-On (RH-SSO) 7.0, providing enterprise support and aligning community development with commercial offerings for improved stability and security patching. Version 10.0.0, released in April 2020, brought the new account management console, allowing users to self-manage profiles, sessions, and applications through a modern, customizable interface. A pivotal shift occurred with version 15.0.0 in July 2021, which previewed a Quarkus-based distribution to replace the legacy runtime, delivering substantial performance gains, faster startup times, and better resource efficiency for containerized deployments. By 2020, Keycloak had achieved widespread adoption, powering authentication in major ecosystems via integrations like oauth2-proxy and native operators, as well as cloud platforms such as AWS and Azure for SSO services. In July 2023, version 22.0.0 completed the migration to from Java EE, updating the codebase to support modern enterprise Java standards and ensuring compatibility with 3.x for enhanced modularity. In April 2023, Keycloak was accepted into the (CNCF) as an incubating project. The 26.x series, starting with 26.0.0 in October 2024, focused on compliance and emerging standards, including experimental support for for Verifiable Credential Issuance (OID4VCI), enabling credential issuance flows for decentralized identity use cases. As of November 2025, releases like 26.4.0 in September 2025 emphasized high-availability clustering improvements, such as optimized multi-site architectures with persistent user sessions by default, full compliance with FAPI 2.0 Security Profile and Message Signing, and official support for Demonstrating Proof-of-Possession (DPoP) to support large-scale deployments.
VersionRelease DateKey Milestones
2.0.0February 2015 federation support
RH-SSO 7.0June 2016 (aligned with Keycloak 1.9) enterprise integration
10.0.0April 2020Account management console introduction
15.0.0July 2021 runtime preview for performance
22.0.0July 2023 migration
CNCF IncubatingApril 2023Acceptance into CNCF
26.0.0October 2024OID4VCI experimental
26.4.0September 2025FAPI 2.0 compliance, HA clustering enhancements, DPoP support

Core Concepts

Realms and Isolation

In Keycloak, a serves as the foundational logical isolation boundary, encapsulating a set of users, clients (applications), roles, groups, and policies within a single that functions similarly to a tenant in multi-tenant architectures. This structure ensures that resources and configurations within one realm remain segregated from others, preventing unauthorized access or data leakage across boundaries and thereby enhancing in shared deployments. Users authenticate and log into a specific realm, which manages their credentials and associated entities exclusively. Each supports independent configuration options, including flows, login themes, email settings, SSL modes, and identity providers, allowing administrators to tailor behaviors without affecting other realms. The master , a default administrative created upon initial setup, is reserved exclusively for managing realms and performing system-wide administrative tasks, such as creating new realms or configuring global server settings; it does not handle end-user . This separation promotes multi-tenancy by enabling a single Keycloak instance to support distinct environments, such as development versus production, or isolated customer partitions, where data and policies for one tenant (e.g., an enterprise's internal users) do not intersect with another (e.g., external partners). Realm management occurs primarily through the Keycloak Admin Console, where administrators can create new via a simple form-based interface, specifying a unique name and initial settings. For migration or replication purposes, realms can be exported as files—either individually from the Admin Console or in bulk via command-line tools like the Keycloak CLI—capturing the full configuration including users, clients, roles, and policies; these files can then be imported into another instance, though exports from the console are not recommended for production backups due to potential inconsistencies during large-scale operations. Within a , clients and users interact as core entities, with clients representing applications that request and users being the authenticated principals assigned roles for access control.

Clients, Users, and Roles

In Keycloak, clients represent applications or services that register with a to leverage its and capabilities. These entities are configured with essential attributes such as a unique client ID, a human-readable name, and an access type—typically confidential for server-side applications requiring client secrets, public for browser-based or mobile apps without secrets, or bearer-only for services that do not initiate but validate . Additional configurations include valid redirect URIs to prevent open redirect attacks, protocol selection (e.g., OpenID Connect or SAML), and token settings like lifespans. Clients can also define their own scopes, which bundle permissions or claims to request during flows. Users in Keycloak are individual accounts managed within a specific , serving as the primary entities that authenticate and access protected resources. Key attributes include a unique username, , first name, last name, and credentials such as s or one-time s (OTP) for . Users support self-registration if enabled in settings, and their profiles can be customized via attribute schemas that define required fields, validations (e.g., format), and permissions for viewing or editing attributes in contexts like registration or the account console. Session tracks active user sessions, with features like consent screens allowing users to approve client access to their profile data before token issuance. Required actions, such as resets or verification, can be enforced per user or as defaults during . Roles in Keycloak provide a mechanism for (RBAC), categorizing permissions that dictate what users or clients can do within a . There are three main types: roles, which apply globally across the (e.g., "admin" for broad administrative privileges); client roles, which are namespaced to a specific client for granular control (e.g., "editor" within a particular application); and composite roles, which inherit permissions from other roles to simplify management (e.g., a "manager" composite including both "viewer" and "editor" roles). Roles include basic attributes like name and description, and they can be assigned directly to users or inherited via group membership. Client-specific roles are managed under each client's settings in the admin console, ensuring isolation from other clients. The interplay among clients, users, and enables fine-grained within a , which acts as the isolation boundary for these entities. Users are assigned through the role mappings tab in their profile, granting them permissions that are evaluated during ; for instance, a user with the "admin" might access administrative endpoints across multiple clients. Clients request specific scopes during token issuance, which map to —only users possessing the corresponding receive tokens with the approved scopes, enforcing at the application level. This relationship supports mechanisms, where users explicitly approve role-based access, and service accounts on clients can impersonate for machine-to-machine interactions without user involvement. Composite streamline assignments by propagating permissions hierarchically, reducing administrative overhead while maintaining .

Architecture

Server Components

The Keycloak server features a web-based Admin Console that serves as the primary interface for administrators to manage realms, configure users and roles, and audit events. Accessible typically at http://[localhost](/page/Localhost):8080/admin/ after logging in with administrative credentials, it provides tools for creating and isolating realms, assigning roles to users and clients, and viewing event logs for activities such as logins, logouts, and administrative changes. The console supports customization through themes and includes sections for user management, such as required actions like password resets, and session monitoring to ensure secure oversight of the identity provider's operations. Complementing the Admin Console is the Account Management Console, a user-facing portal designed for tasks that empowers end-users to manage their own accounts without administrative intervention. Users access it via a realm-specific , such as http://localhost:8080/realms/{realm-name}/account, where they can update personal profiles, reset passwords, configure two-factor like OTP, view active sessions, and manage linked identity providers or federated accounts. Features like account deletion and credential can be enabled or restricted by administrators through settings, ensuring compliance with organizational policies while promoting user autonomy. At the backend, Keycloak includes essential services such as the token endpoint, which handles 2.0 and OpenID Connect flows by issuing access , ID , and refresh upon successful . This endpoint, located at /realms/{realm}/protocol/openid-connect/token, supports grant types like authorization code, client credentials, and resource owner password credentials, allowing clients to securely obtain for access or user sessions with configurable expiration times, such as the default of five minutes for access . Event listeners provide and auditing capabilities by capturing and processing events such as user registrations, logins, and admin actions, which can be stored in the database or forwarded to external systems for compliance and security monitoring; predefined listeners like jboss-logging output to server logs, while custom ones can be developed for specialized needs. The Service Provider Interface (SPI) enables extensibility by allowing developers to implement custom providers for , themes, or user storage, deployed as files in the providers/ directory followed by a server build command like bin/kc.sh build. For storage, Keycloak defaults to an Infinispan cache to manage user sessions, tokens, and transient data efficiently in memory, optimizing performance for high-traffic scenarios while supporting clustering for distributed environments. It also accommodates external relational databases like for persistent storage of realms, users, and events, configured via properties such as db=postgres, db-url, db-username, and db-password in keycloak.conf or environment variables, with JDBC drivers required for connectivity to ensure data durability beyond in-memory caching. This hybrid approach balances speed with reliability, allowing administrators to switch storage backends without altering core server logic.

Deployment and Scalability

Keycloak supports multiple deployment modes to accommodate various environments, from simple setups to complex, containerized infrastructures. The standalone distribution allows deployment on physical or virtual servers using , where administrators download and run the JAR file directly for quick prototyping or small-scale use. For containerized environments, Keycloak provides official Docker images optimized for production, enabling easy integration with orchestration tools and pipelines. In clusters, the Keycloak Operator facilitates automated deployment, scaling, and management, handling tasks like custom resource definitions for realms and configurations. Since version 17, Keycloak has transitioned to a Quarkus-based distribution, supporting native compilation for reduced and faster startup times, which enhances performance in resource-constrained settings. For production environments, Keycloak requires specific configurations to ensure security, reliability, and performance. enforcement is mandatory, achieved by configuring TLS certificates and enabling strict transport security via the kc https-certificate options or integration. configuration sets the public-facing for endpoints, with best practices recommending separate hostnames or paths for administrative interfaces to isolate them from user-facing services. Database tuning involves selecting a robust like , optimizing connection pools, and enabling features such as prepared statements to handle high query loads. Caching is configured using the embedded Infinispan for local sessions or external stores like for distributed persistence, reducing database strain in multi-node setups. Scalability in Keycloak is achieved through clustering and horizontal expansion to manage high traffic and ensure high availability. Clustering relies on JGroups for node discovery and communication, integrated with Infinispan for distributed caching of sessions, realms, and authentication data across nodes. Horizontal scaling involves deploying multiple instances behind a load balancer, where throughput scales linearly until bottlenecks in the database or cache occur; Kubernetes deployments can use Horizontal Pod Autoscalers to dynamically adjust replicas based on CPU or custom metrics. Metrics export to Prometheus is built-in, allowing monitoring of key indicators like request latency, error rates, and cache hit ratios to inform scaling decisions. As of 2025, best practices for Keycloak deployments emphasize dual-stack support, which is enabled by default for broader network compatibility without additional configuration. Zero-downtime upgrades are recommended using rolling updates via the Operator, ensuring seamless transitions between patch releases by maintaining active nodes during the process.

Features

Authentication Mechanisms

Keycloak provides a flexible framework for , enabling secure verification of users and clients through configurable flows that integrate various mechanisms. These flows orchestrate a sequence of authenticators, forms, and actions during processes like , registration, and recovery, ensuring isolation of credentials from applications while issuing signed for access. Built-in flows can be customized to meet specific requirements, supporting both standard and advanced scenarios without external dependencies. The primary authentication flows include the browser-based flow, direct grant flow, and client credentials flow. In the browser-based flow, users are redirected to the Keycloak login page to enter credentials, facilitating (SSO) and protecting against by keeping authentication isolated; this flow is triggered during Connect (OIDC) logins and supports re-authentication policies. The direct grant flow, also known as resource owner password credentials, allows trusted clients to obtain access tokens on behalf of users via calls using username and password, bypassing browser redirection for machine-to-machine or legacy integrations. The client credentials flow enables service accounts for clients to acquire tokens using their client ID and secret, ideal for non-interactive scenarios where no user context is involved. These flows are highly customizable through the Admin Console, where administrators can add, remove, or reorder authenticators—such as username-password forms—and set execution requirements like "Required," "Alternative," or "Disabled" to tailor the authentication sequence. Authenticators extend these flows with specific verification methods, including (OTP) and . OTP supports time-based (TOTP) or counter-based (HOTP) codes generated by apps like or , configurable as a required second factor during setup via the Account Console or admin-initiated email resets. enables passwordless or biometric authentication using hardware tokens or device-bound keys, integrated as an optional or required step in flows for enhanced security against credential theft. As of version 26.3.0, passkeys are integrated into the default username forms for , enabled via the WebAuthn Passwordless Policy. Authorization in Keycloak builds on by enforcing fine-grained through policies tied to resources and scopes. Policies can leverage s for (RBAC), where permissions are granted based on user or client roles; groups for hierarchical membership checks, allowing inheritance of attributes and roles; JavaScript-based rules for complex logic evaluating context like time or location; or (ABAC) using user attributes, claims, or environmental factors. Resource-based permissions associate policies with specific resources (e.g., APIs or files) and scopes (e.g., "read" or "write"), enabling precise enforcement such as allowing a "people-manager" to access a "view-employee" scope on HR resources. These are managed via the Authorization Services, with policies evaluated during token issuance or enforcement points in applications. Session management ensures secure handling of authenticated states with configurable parameters for longevity and integrity. Administrators can adjust session and token lifetimes—such as validity (default 5 minutes for short-lived sessions) and SSO session idle timeouts—via settings to balance and . As of version 26.0.0, persistent user sessions are enabled by default to store session data durably. is supported through "not-before" policies applied at the , client, or user level, pushing invalidation to adapters for immediate token nullification, while admins can sign out all active sessions to clear SSO . Brute-force detection monitors failed attempts, temporarily locking accounts after configurable thresholds (e.g., 5 failures in 5 minutes) and notifying via , with realm-wide enabling under the Brute Force Detection tab. Advanced features like (MFA) and step-up authentication enhance protection for sensitive operations. MFA is implemented by chaining authenticators in flows, requiring OTP or after initial login, with setup prompted during first use or enforced as a required action for all users. Recovery codes, generated during OTP setup, provide a for 2FA authentication and are enforced for setup as of version 26.3.0. Step-up authentication mandates elevated assurance—such as re-authentication or additional factors—for high-risk actions like credential changes or account updates, configurable with maximum session ages (default 5 minutes) to prevent . These mechanisms integrate seamlessly with core concepts like user roles, ensuring policies align with authentication levels without redundant verification.

Identity Brokering and Federation

Keycloak supports identity brokering, which allows the server to act as an intermediary that delegates user authentication to external identity providers (IDPs) supporting OpenID Connect (OIDC) or SAML 2.0 protocols. Since version 26.3.0, Keycloak supports brokering with any OAuth 2.0 compliant authorization server. This enables seamless integration with third-party services, such as social networks, where users can authenticate using their existing accounts without creating new credentials in Keycloak. As of version 26.0.0, multiple instances of social brokers are allowed per realm. For instance, administrators can configure brokering with providers like Google, Facebook, or GitHub by adding an identity provider in the Admin Console, specifying details such as client IDs, secrets, and redirect URIs. During the authentication process, Keycloak redirects the user to the external IDP for , receives an assertion or token upon success, and then maps the received attributes—such as , first name, and last name—to a local Keycloak . If the user does not exist locally, Keycloak can automatically create a new account through just-in-time (JIT) provisioning, or prompt for account linking if an existing Keycloak user matches based on criteria like . This linking process ensures that users maintain a single identity across systems, with options to handle screens where users approve attribute sharing and account association. Custom mappers, configurable per , transform and filter incoming attributes to align with Keycloak's user model, supporting operations like hardcoding values, scripting transformations, or regex-based assignments from claims. In addition to brokering, Keycloak provides user federation to integrate with legacy user stores, synchronizing identities from external directories like LDAP, , or Kerberos without requiring users to re-register. For LDAP or , administrators configure a federation provider in the Admin Console by entering connection URLs, bind credentials, and base DNs, enabling Keycloak to query and validate users against the external store. Synchronization can occur periodically (full or changed users) or on-demand during login, with support for importing users into Keycloak's local database or maintaining a federated mode where credentials remain external. Kerberos integration complements this by allowing SPNEGO-based authentication, where Keycloak uses keytabs and service principal names to negotiate tickets seamlessly with environments. Configuration of both brokering and federation emphasizes flexibility through mappers and flows. Attribute mappers in user federation mirror those in brokering, extracting LDAP attributes (e.g., uid, sn) and mapping them to Keycloak fields, with options for UUID generation or custom logic. The first-broker flow, customizable via the Admin Console, governs initial interactions for brokered users, incorporating steps like email verification, duplicate detection, or review profiles before account creation. Edit modes for federated users—such as READ_ONLY (prevents local changes), WRITABLE (allows updates synced back), or UNSYNCED (local edits not propagated)—provide control over data consistency. These features collectively centralize (SSO) across disparate identity systems, reducing administrative overhead by leveraging existing user bases and minimizing . By handling , attribute transformation, and account linking, Keycloak ensures secure, user-friendly federation that complies with protocols like OIDC and SAML while supporting hybrid environments with legacy stores.

Integrations

Supported Protocols

Keycloak implements several open security protocols to enable secure authentication and authorization for applications and services, ensuring interoperability with diverse systems. These protocols include , OAuth 2.0, and , which form the core of its identity and access management capabilities. Additionally, as of version 26.4 released in September 2025, Keycloak provides support for emerging standards such as Financial-grade API (FAPI) 2.0 and experimental features for . OpenID Connect (OIDC) is fully supported as a certified implementation since version 18.0.0, allowing Keycloak to act as an OIDC provider for securing web and mobile applications. It includes support for the OpenID Connect Discovery 1.0 specification, enabling clients to automatically retrieve endpoint information, and Dynamic Client Registration 1.0 for programmatic client setup. Key features encompass the authorization code flow with Proof Key for Code Exchange (PKCE) for public clients, the implicit flow for browser-based applications, and hybrid flows combining both. Tokens are issued as JSON Web Tokens (JWTs) compliant with RFC 7519, supporting introspection via the OAuth 2.0 Token Introspection endpoint for resource server validation. OAuth 2.0 integration in Keycloak provides robust resource server protection and client authentication, building on its role as an authorization server. It supports core grant types including authorization code, client credentials, and refresh tokens, supporting PKCE (Proof Key for Code Exchange) for enhanced security in authorization code flows—required for public clients—to mitigate authorization code injection attacks. Client authentication methods include client secret basic, private key JWT, and mutual TLS, ensuring secure token issuance and exchange. Resource servers can validate access tokens through or JWT verification, facilitating fine-grained without direct user involvement. SAML 2.0 enables Keycloak to operate in both Identity Provider (IdP) and Service Provider (SP) modes, supporting federation scenarios for legacy and enterprise integrations. As an IdP, Keycloak authenticates users and issues assertions in XML format, secured with digital signatures per the SAML 2.0 Core specification. In SP mode, it consumes assertions from external IdPs for single sign-on. Metadata exchange is fully implemented, allowing automatic configuration via XML descriptors published at dedicated endpoints, such as /realms/{realm}/protocol/saml/descriptor for IdP metadata. This supports browser-based SSO profiles like Web Browser SSO and includes bindings for POST and Redirect methods. For enhanced security in financial and high-risk environments, Keycloak version 26.4 introduces full compliance with FAPI 2.0 Security Profile and FAPI 2.0 Message Signing specifications from the Foundation. These profiles mandate stronger client authentication, such as mutual TLS or DPoP (Demonstrating Proof-of-Possession), and /JARM (JWT-Secured Request) for signing requests to prevent tampering. Additionally, experimental support for OID4VCI enables verifiable issuance using 2.0 and OIDC extensions, allowing Keycloak to act as a in decentralized identity scenarios, though full verification flows remain under development. This feature, introduced progressively since version 25, adapts authorization code flows for batch issuance and supports selective disclosure via SD-JWTs, but is not yet production-ready.

Application Adapters and Extensions

Keycloak provides official client adapters to facilitate the integration of identity and access management into applications, primarily handling token validation, propagation, and authentication flows using OpenID Connect (OIDC). The adapter is designed for client-side web applications, enabling secure login and token management in browsers, with built-in support for Cordova mobile apps. Similarly, the adapter supports server-side JavaScript environments, allowing applications to validate tokens and propagate user identities across services. As of Keycloak 25.0.0, most traditional adapters (such as those for Servlet, JSF, and Undertow) have been removed, with the project recommending the use of standard OIDC libraries like or MicroProfile JWT for Java-based applications. No official .NET adapter is provided; instead, developers are advised to leverage .NET's built-in OIDC support via libraries such as .Identity.Web. For framework-specific integrations, Keycloak emphasizes and libraries tailored to popular stacks. In applications, integration occurs through Spring Security's OIDC resource server configuration, which handles token introspection and validation without requiring deprecated adapters. Client-side frameworks like Angular and React utilize the JavaScript adapter via packages (e.g., keycloak-js), providing hooks for state management, token refresh, and logout propagation. These adapters ensure seamless security for single-page applications (SPAs) by abstracting OIDC flows, such as authorization code with PKCE, while supporting non-Java stacks through lightweight that minimizes . Keycloak's extensibility is achieved through Service Provider Interfaces (SPIs), which allow developers to implement custom providers for various components, including authentication mechanisms, credential handlers, and protocol mappers. Themes can be customized to alter the user interface for , account management, and admin consoles, using FreeMarker templates, CSS, and , with tools like the Quick Theme utility simplifying the process. Event listeners enable hooking into system events (e.g., success or admin actions) for auditing, notifications, or integration with external systems, configurable via the admin console or SPI implementations. Additionally, JavaScript-based policies support fine-grained authorization by allowing custom logic in policy enforcers, executed server-side for evaluating access decisions. In the broader ecosystem, Keycloak integrates with service meshes like Istio and Envoy by leveraging JWT authentication filters in Envoy sidecars, which validate Keycloak-issued tokens without needing application-level adapters, enhancing security in architectures. As of Keycloak 26.x releases in 2025, compatibility with these tools remains supported through standard OIDC and JWT propagation, though no native adapter is provided; services can secure tokens using general OIDC clients.

References

  1. https://www.keycloak.org/
  2. https://www.keycloak.org/docs/latest/server_admin/index.html
  3. https://github.com/keycloak/keycloak
  4. https://www.keycloak.org/downloads.html
  5. https://github.com/keycloak/keycloak/blob/main/LICENSE.txt
  6. https://developers.redhat.com/articles/2024/04/23/migrate-sso-red-hat-build-keycloak
  7. https://www.keycloak.org/2023/05/maintainer-sschu
  8. https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/keycloakcon/
  9. https://access.redhat.com/products/red-hat-build-of-keycloak
  10. https://www.keycloak.org/2021/10/takashi.adoc
  11. https://www.cncf.io/blog/2023/04/11/keycloak-joins-cncf-as-an-incubating-project/
  12. https://www.cncf.io/projects/keycloak/
  13. https://bill.burkecentral.com/2013/12/03/new-keycloak-project-sso-for-browser-social-and-rest-services/
  14. https://github.com/keycloak/keycloak/releases
  15. https://www.keycloak.org/2023/07/keycloak-2200-released
  16. https://www.keycloak.org/2024/10/keycloak-2600-released
  17. https://www.keycloak.org/2025/09/keycloak-2640-released
  18. https://www.keycloak.org/docs/latest/server_admin/index.html#_the-master-realm
  19. https://www.keycloak.org/docs/latest/server_admin/index.html#_configuring-realms
  20. https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-a-realm_server_administration_guide
  21. https://www.keycloak.org/docs/latest/server_admin/index.html#_using-the-admin-console
  22. https://www.keycloak.org/server/importExport
  23. https://www.keycloak.org/docs/latest/server_admin/index.html#_admin_console
  24. https://www.keycloak.org/docs/latest/server_admin/index.html#_administering_users
  25. https://www.keycloak.org/docs/latest/server_admin/index.html#_account_console
  26. https://www.keycloak.org/docs/latest/server_admin/index.html#_account-service
  27. https://www.keycloak.org/docs/latest/server_admin/index.html#_tokens
  28. https://www.keycloak.org/docs/latest/server_admin/index.html#_token_exchange
  29. https://www.keycloak.org/docs/latest/server_admin/index.html#_events
  30. https://www.keycloak.org/docs/latest/server_development/index.html#_providers
  31. https://www.keycloak.org/docs/latest/server_admin/index.html#_database
  32. https://www.keycloak.org/docs/latest/server_admin/index.html#_database_configuration
  33. https://www.keycloak.org/getting-started/getting-started-zip
  34. https://www.keycloak.org/getting-started/getting-started-docker
  35. https://www.keycloak.org/getting-started/getting-started-kube
  36. https://www.keycloak.org/migration/migrating-to-quarkus
  37. https://www.keycloak.org/server/enabletls
  38. https://www.keycloak.org/server/hostname
  39. https://www.keycloak.org/server/db
  40. https://www.keycloak.org/server/caching
  41. https://www.keycloak.org/getting-started/getting-started-scaling-and-tuning
  42. https://www.keycloak.org/observability/configuration-metrics
  43. https://www.keycloak.org/docs/latest/upgrading/index.html
  44. https://www.keycloak.org/operator/rolling-updates
  45. https://www.keycloak.org/docs/latest/server_admin/index.html#_authentication-flows
  46. https://www.keycloak.org/docs/latest/server_admin/index.html#_features
  47. https://www.keycloak.org/docs/latest/server_admin/index.html#_proc_creating-otp_server_administration_guide
  48. https://www.keycloak.org/docs/latest/server_development/index.html#_custom-authentication-mechanisms
  49. https://www.keycloak.org/2025/07/keycloak-2630-released
  50. https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_overview
  51. https://www.keycloak.org/docs/latest/authorization_services/index.html#_permission_overview
  52. https://www.keycloak.org/docs/latest/server_admin/index.html#_sessions
  53. https://www.keycloak.org/docs/latest/server_admin/index.html#_administering-sessions
  54. https://www.keycloak.org/docs/latest/server_admin/index.html#_brute_force
  55. https://www.keycloak.org/docs/latest/release_notes/index.html
  56. https://www.keycloak.org/docs/latest/server_admin/index.html#_mfa
  57. https://www.keycloak.org/docs/latest/server_admin/index.html#_step-up-flow
  58. https://www.keycloak.org/docs/latest/server_admin/index.html#_recovery-codes
  59. https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_brokering
  60. https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker_oauth
  61. https://www.keycloak.org/docs/latest/server_admin/index.html#_first_broker_login
  62. https://www.keycloak.org/docs/latest/server_admin/index.html#_mapper_types
  63. https://www.keycloak.org/docs/latest/server_admin/index.html#_user_federation
  64. https://www.keycloak.org/docs/latest/server_admin/index.html#_ldap
  65. https://www.keycloak.org/docs/latest/server_admin/index.html#_kerberos
  66. https://www.keycloak.org/securing-apps/specifications
  67. https://www.keycloak.org/securing-apps/oidc-layers
  68. https://www.keycloak.org/securing-apps/javascript-adapter
  69. https://www.keycloak.org/securing-apps/nodejs-adapter
  70. https://www.keycloak.org/2024/06/keycloak-2500-released
  71. https://www.keycloak.org/docs/latest/server_development/index.html
  72. https://www.keycloak.org/ui-customization/themes
  73. https://www.keycloak.org/docs/latest/authorization_services/index.html
  74. https://www.keycloak.org/2018/02/keycloak-and-istio
Add your contribution
Related Hubs
User Avatar
No comments yet.