Fact-checked by Grok 2 weeks ago

Keycloak

Keycloak is an open-source (IAM) solution that provides (SSO), , , and user federation capabilities for modern applications and services. Developed to simplify security integration, it enables developers to secure web and mobile applications without building custom user management systems, supporting standards such as Connect, 2.0, and SAML 2.0. Originally initiated as a associated with JBoss technologies, Keycloak has evolved into a widely adopted tool maintained by an active open-source community under the (CNCF) umbrella. At its core, Keycloak operates as a standalone server that handles user authentication and issues secure tokens containing identity and permissions data, allowing applications to verify access without storing sensitive user information. Key features include identity brokering for integrating with social networks or existing identity providers, user federation with LDAP or Active Directory, fine-grained authorization services, and customizable user interfaces for login, registration, and account management. It supports high availability through clustering, theming for branding, and extensibility via service provider interfaces (SPIs) for custom functionality. Keycloak's architecture revolves around realms, isolated spaces for managing users, clients, and roles, which facilitates multi-tenancy and secure across different applications or organizations. The solution includes an administrative console for central configuration of realms, users, and policies, as well as an account console where users can manage their profiles, sessions, and two-factor authentication setups. Deployable via containers like or on platforms such as , it emphasizes performance and scalability for enterprise environments.

Overview

Introduction

Keycloak is an open-source (IAM) solution designed to add and to applications and services with minimal . Its primary purpose is to enable (SSO), centralized user management, and secure , allowing applications to delegate identity handling rather than implementing it internally. This approach reduces the complexity of security implementation for developers, providing ready-to-use features such as customizable interfaces, user registration, and account management. Keycloak targets modern use cases including web applications, RESTful web services, architectures, and cloud-native environments, where scalable and integrated identity solutions are essential. It supports seamless integration with existing identity providers like LDAP, , and social platforms such as and , facilitating user federation and . Key benefits include accelerated development by offloading security concerns, enhanced scalability for distributed systems, and support for standards like OpenID Connect and OAuth 2.0 to ensure interoperability. By centralizing and , it promotes secure, efficient management across diverse ecosystems.

Licensing and Development

Keycloak is distributed under the 2.0, a permissive that allows users to freely use, modify, and distribute the software for any purpose, provided that copyright notices and the license terms are preserved in all copies or substantial portions of the software. This licensing model encourages widespread adoption while ensuring compatibility with both open-source and proprietary projects. The development of Keycloak is primarily maintained by , which sponsors the project as part of its JBoss community initiatives, with core contributions and oversight provided by a dedicated team of maintainers. Contributions from the broader developer community are welcomed and integrated through pull requests on the project's repository, following a contributor guide that emphasizes code quality, testing, and adherence to the Developer Certificate of Origin. This collaborative model has fostered steady evolution, with maintainers reviewing and merging enhancements that align with the project's . The Keycloak community comprises developers and organizations worldwide who actively participate via discussion forums, issue trackers, and annual events such as KeycloakCon—a half-day conference co-located with KubeCon—and Keycloak DevDay, which feature technical talks, workshops, and networking opportunities. bolsters this ecosystem with enterprise-grade support through its build of Keycloak, a downstream offering long-term stability, security updates, and certified integrations for production environments. is handled by the maintainers, who prioritize features, manage releases, and ensure alignment with community needs. In April 2023, Keycloak joined the (CNCF) as an incubating project, and remains an incubating project as of November 2025, promoting its adoption in cloud-native architectures through alignment with , OpenTelemetry, and other CNCF standards for scalable, resilient .

History

Origins and Early Development

Keycloak originated in 2013 as an open-source project initiated by developers within the JBoss community at , aimed at filling gaps in available (SSO) solutions tailored for Java-based applications and services. The project was co-led by Bill Burke and Stian Thorgersen, with contributions from a core team including Gabriel Cardoso, Viliam Rockai, Bolesław Piech, and Alexandre Mendonça, all affiliated with Red Hat's JBoss division. The primary motivations for Keycloak's creation were to provide a lightweight, standards-compliant alternative to proprietary (IAM) tools, emphasizing ease of integration for browser applications, RESTful services, and social authentication providers. Drawing inspiration from the existing PicketLink project—particularly its capabilities—the developers sought to extend beyond PicketLink's primary focus on SAML to incorporate broader support for protocols like OAuth 2.0, while leveraging PicketLink components where appropriate. This approach addressed the need for centralized user authentication, , and management in modern web and mobile ecosystems without relying on . Early development commenced with prototyping in July 2013, building on prior work from the RESTEasy project's module and a social broker service. The first alpha release followed in December 2013, prioritizing OAuth 2.0 bearer token support, social login integrations (such as and ), user self-registration, and an administrative console. Keycloak achieved production readiness with its inaugural stable release, version 1.0, on September 18, 2014, which stabilized database schemas, enhanced performance, and refined interfaces (SPIs) to enable reliable basic SSO deployments. This milestone marked the project's maturation from experimental code to a deployable solution compatible with JBoss AS7, EAP 6.x, and servers.

Major Releases and Milestones

Keycloak's development has seen steady evolution through major version releases, each introducing significant enhancements to its capabilities. The project began with its first production release in September 2014, but major milestones from 2015 onward marked key advancements in protocol support, runtime improvements, and enterprise integrations. The first major version, 2.0.0, released in February 2015, introduced enhanced support for , enabling broader federation with legacy systems alongside its core OpenID Connect and OAuth 2.0 features. In 2016, integrated Keycloak as the upstream project for Red Hat Single Sign-On (RH-SSO) 7.0, providing enterprise support and aligning community development with commercial offerings for improved stability and security patching. Version 10.0.0, released in April 2020, brought the new account management console, allowing users to self-manage profiles, sessions, and applications through a modern, customizable interface. A pivotal shift occurred with version 15.0.0 in July 2021, which previewed a Quarkus-based distribution to replace the legacy runtime, delivering substantial performance gains, faster startup times, and better resource efficiency for containerized deployments. By 2020, Keycloak had achieved widespread adoption, powering authentication in major ecosystems via integrations like oauth2-proxy and native operators, as well as cloud platforms such as AWS and for SSO services. In July 2023, version 22.0.0 completed the migration to from Java EE, updating the codebase to support modern enterprise Java standards and ensuring compatibility with 3.x for enhanced modularity. In April 2023, Keycloak was accepted into the (CNCF) as an incubating project. The 26.x series, starting with 26.0.0 in October 2024, focused on compliance and emerging standards, including experimental support for for Verifiable Credential Issuance (OID4VCI), enabling credential issuance flows for decentralized identity use cases. As of November 2025, releases like 26.4.0 in September 2025 emphasized high-availability clustering improvements, such as optimized multi-site architectures with persistent user sessions by default, full compliance with FAPI 2.0 Security Profile and Message Signing, and official support for Demonstrating Proof-of-Possession (DPoP) to support large-scale deployments.
VersionRelease DateKey Milestones
2.0.0February 2015 federation support
RH-SSO 7.0June 2016 (aligned with Keycloak 1.9) enterprise integration
10.0.0April 2020Account management console introduction
15.0.0July 2021 runtime preview for performance
22.0.0July 2023 migration
CNCF IncubatingApril 2023Acceptance into CNCF
26.0.0October 2024OID4VCI experimental
26.4.0September 2025FAPI 2.0 compliance, clustering enhancements, DPoP support

Core Concepts

Realms and Isolation

In Keycloak, a serves as the foundational logical boundary, encapsulating a set of users, clients (applications), roles, groups, and policies within a single that functions similarly to a in multi-tenant architectures. This structure ensures that resources and configurations within one realm remain segregated from others, preventing unauthorized access or data leakage across boundaries and thereby enhancing in shared deployments. Users authenticate and log into a specific realm, which manages their credentials and associated entities exclusively. Each supports independent configuration options, including flows, login themes, email settings, SSL modes, and providers, allowing administrators to tailor behaviors without affecting other realms. The master , a default administrative created upon initial setup, is reserved exclusively for managing realms and performing system-wide administrative tasks, such as creating new realms or configuring global settings; it does not handle end-user . This separation promotes multi-tenancy by enabling a single Keycloak instance to support distinct environments, such as development versus production, or isolated customer partitions, where data and policies for one tenant (e.g., an enterprise's internal users) do not intersect with another (e.g., external partners). Realm management occurs primarily through the Keycloak Admin Console, where administrators can create new via a simple form-based interface, specifying a unique name and initial settings. For migration or replication purposes, realms can be exported as files—either individually from the Admin Console or in bulk via command-line tools like the Keycloak CLI—capturing the full configuration including users, clients, roles, and policies; these files can then be imported into another instance, though exports from the console are not recommended for production backups due to potential inconsistencies during large-scale operations. Within a , clients and users interact as core entities, with clients representing applications that request and users being the authenticated principals assigned roles for .

Clients, Users, and Roles

In Keycloak, clients represent applications or services that register with a to leverage its and capabilities. These entities are configured with essential attributes such as a unique client ID, a human-readable name, and an access type—typically confidential for server-side applications requiring client secrets, public for browser-based or mobile apps without secrets, or bearer-only for services that do not initiate but validate . Additional configurations include valid redirect URIs to prevent open redirect attacks, protocol selection (e.g., OpenID Connect or SAML), and token settings like lifespans. Clients can also define their own scopes, which bundle permissions or claims to request during flows. Users in Keycloak are individual s managed within a specific , serving as the primary entities that authenticate and access protected resources. Key attributes include a unique username, , first name, last name, and credentials such as s or one-time s (OTP) for . Users support self-registration if enabled in settings, and their s can be customized via attribute schemas that define required fields, validations (e.g., format), and permissions for viewing or editing attributes in contexts like registration or the console. Session tracks active sessions, with features like consent screens allowing s to approve client access to their data before issuance. Required actions, such as resets or , can be enforced per or as defaults during . Roles in Keycloak provide a mechanism for (RBAC), categorizing permissions that dictate what users or clients can do within a . There are three main types: roles, which apply globally across the (e.g., "admin" for broad administrative privileges); client roles, which are namespaced to a specific client for granular control (e.g., "editor" within a particular application); and composite roles, which inherit permissions from other roles to simplify management (e.g., a "manager" composite including both "viewer" and "editor" roles). Roles include basic attributes like name and description, and they can be assigned directly to users or inherited via group membership. Client-specific roles are managed under each client's settings in the admin console, ensuring isolation from other clients. The interplay among clients, users, and enables fine-grained within a , which acts as the isolation boundary for these entities. Users are assigned through the in their , granting them permissions that are evaluated during ; for instance, a user with the "admin" might administrative endpoints across multiple clients. Clients request specific scopes during issuance, which map to —only users possessing the corresponding receive tokens with the approved scopes, enforcing at the application level. This relationship supports mechanisms, where users explicitly approve , and accounts on clients can impersonate for machine-to-machine interactions without user involvement. Composite streamline assignments by propagating permissions hierarchically, reducing administrative overhead while maintaining .

Architecture

Server Components

The Keycloak server features a web-based Admin Console that serves as the primary interface for administrators to manage realms, configure users and roles, and audit events. Accessible typically at http://[localhost](/page/Localhost):8080/admin/ after logging in with administrative credentials, it provides tools for creating and isolating realms, assigning roles to users and clients, and viewing event logs for activities such as logins, logouts, and administrative changes. The console supports customization through themes and includes sections for user management, such as required actions like password resets, and session monitoring to ensure secure oversight of the identity provider's operations. Complementing the Admin Console is the Account Management Console, a user-facing designed for tasks that empowers end-users to manage their own without administrative intervention. Users access it via a realm-specific , such as http://localhost:8080/realms/{realm-name}/account, where they can update personal profiles, reset passwords, configure two-factor like OTP, view active sessions, and manage linked providers or federated . Features like account deletion and credential can be enabled or restricted by administrators through settings, ensuring compliance with organizational policies while promoting user autonomy. At the backend, Keycloak includes essential services such as the token endpoint, which handles 2.0 and OpenID Connect flows by issuing access , ID , and refresh upon successful . This endpoint, located at /realms/{realm}/protocol/openid-connect/token, supports grant types like authorization code, client credentials, and resource owner password credentials, allowing clients to securely obtain for access or user sessions with configurable expiration times, such as the default of five minutes for access . Event listeners provide and auditing capabilities by capturing and processing events such as user registrations, logins, and admin actions, which can be stored in the database or forwarded to external systems for compliance and security monitoring; predefined listeners like jboss-logging output to server logs, while custom ones can be developed for specialized needs. The Service Provider Interface () enables extensibility by allowing developers to implement custom providers for , themes, or user storage, deployed as files in the providers/ directory followed by a server build command like bin/kc.sh build. For storage, Keycloak defaults to an Infinispan cache to manage user sessions, tokens, and transient data efficiently in memory, optimizing performance for high-traffic scenarios while supporting clustering for distributed s. It also accommodates external relational databases like for persistent storage of realms, users, and events, configured via properties such as db=postgres, db-url, db-username, and db-password in keycloak.conf or environment variables, with JDBC drivers required for to ensure data durability beyond in-memory caching. This hybrid approach balances speed with reliability, allowing administrators to switch storage backends without altering core server logic.

Deployment and Scalability

Keycloak supports multiple deployment modes to accommodate various environments, from simple setups to complex, containerized infrastructures. The standalone distribution allows deployment on physical or virtual servers using , where administrators download and run the JAR file directly for quick prototyping or small-scale use. For containerized environments, Keycloak provides official images optimized for production, enabling easy integration with orchestration tools and pipelines. In clusters, the Keycloak Operator facilitates automated deployment, scaling, and management, handling tasks like custom resource definitions for realms and configurations. Since version 17, Keycloak has transitioned to a Quarkus-based distribution, supporting native compilation for reduced and faster startup times, which enhances performance in resource-constrained settings. For production environments, Keycloak requires specific configurations to ensure security, reliability, and performance. enforcement is mandatory, achieved by configuring TLS certificates and enabling strict transport security via the kc https-certificate options or integration. configuration sets the public-facing for endpoints, with best practices recommending separate hostnames or paths for administrative interfaces to isolate them from user-facing services. Database tuning involves selecting a robust like , optimizing connection pools, and enabling features such as prepared statements to handle high query loads. Caching is configured using the embedded Infinispan for local sessions or external stores like for distributed persistence, reducing database strain in multi-node setups. Scalability in Keycloak is achieved through clustering and horizontal expansion to manage high traffic and ensure high availability. Clustering relies on JGroups for node discovery and communication, integrated with Infinispan for distributed caching of sessions, realms, and authentication data across nodes. Horizontal scaling involves deploying multiple instances behind a load balancer, where throughput scales linearly until bottlenecks in the database or cache occur; Kubernetes deployments can use Horizontal Pod Autoscalers to dynamically adjust replicas based on CPU or custom metrics. Metrics export to Prometheus is built-in, allowing monitoring of key indicators like request latency, error rates, and cache hit ratios to inform scaling decisions. As of 2025, best practices for Keycloak deployments emphasize dual-stack support, which is enabled by default for broader network compatibility without additional configuration. Zero-downtime upgrades are recommended using rolling updates via the , ensuring seamless transitions between patch releases by maintaining active nodes during the process.

Features

Authentication Mechanisms

Keycloak provides a flexible for , enabling secure verification of users and clients through configurable flows that integrate various mechanisms. These flows orchestrate a sequence of authenticators, forms, and actions during processes like , registration, and , ensuring of credentials from applications while issuing signed for . Built-in flows can be customized to meet specific requirements, supporting both standard and advanced scenarios without external dependencies. The primary authentication flows include the browser-based flow, direct grant flow, and client credentials flow. In the browser-based flow, users are redirected to the Keycloak login page to enter credentials, facilitating (SSO) and protecting against by keeping authentication isolated; this flow is triggered during Connect (OIDC) logins and supports re-authentication policies. The direct grant flow, also known as resource owner password credentials, allows trusted clients to obtain access tokens on behalf of users via calls using username and password, bypassing browser redirection for machine-to-machine or integrations. The client credentials flow enables service accounts for clients to acquire tokens using their client ID and secret, ideal for non-interactive scenarios where no user context is involved. These flows are highly customizable through the Admin Console, where administrators can add, remove, or reorder authenticators—such as username-password forms—and set execution requirements like "Required," "Alternative," or "Disabled" to tailor the authentication sequence. Authenticators extend these flows with specific verification methods, including (OTP) and . OTP supports time-based (TOTP) or counter-based (HOTP) codes generated by apps like or , configurable as a required second factor during setup via the Account Console or admin-initiated email resets. enables passwordless or biometric authentication using hardware tokens or device-bound keys, integrated as an optional or required step in flows for enhanced security against credential theft. As of version 26.3.0, passkeys are integrated into the default username forms for , enabled via the WebAuthn Passwordless Policy. Authorization in Keycloak builds on by enforcing fine-grained through policies tied to resources and scopes. Policies can leverage s for (RBAC), where permissions are granted based on user or client roles; groups for hierarchical membership checks, allowing inheritance of attributes and roles; JavaScript-based rules for complex logic evaluating context like time or location; or (ABAC) using user attributes, claims, or environmental factors. Resource-based permissions associate policies with specific resources (e.g., or files) and scopes (e.g., "read" or "write"), enabling precise enforcement such as allowing a "people-manager" to a "view-employee" on HR resources. These are managed via the Authorization Services, with policies evaluated during issuance or enforcement points in applications. Session management ensures secure handling of authenticated states with configurable parameters for longevity and integrity. Administrators can adjust session and lifetimes—such as validity (default 5 minutes for short-lived sessions) and SSO session idle timeouts—via settings to balance and . As of version 26.0.0, persistent sessions are enabled by default to store session data durably. is supported through "not-before" policies applied at the , client, or level, pushing invalidation to adapters for immediate nullification, while admins can sign out all active sessions to clear SSO . Brute-force detection monitors failed attempts, temporarily locking accounts after configurable thresholds (e.g., 5 failures in 5 minutes) and notifying via , with realm-wide enabling under the Detection tab. Advanced features like (MFA) and step-up authentication enhance protection for sensitive operations. MFA is implemented by chaining authenticators in flows, requiring OTP or after initial login, with setup prompted during first use or enforced as a required action for all users. Recovery codes, generated during OTP setup, provide a for 2FA authentication and are enforced for setup as of version 26.3.0. Step-up authentication mandates elevated assurance—such as re-authentication or additional factors—for high-risk actions like credential changes or account updates, configurable with maximum session ages (default 5 minutes) to prevent . These mechanisms integrate seamlessly with core concepts like user roles, ensuring policies align with authentication levels without redundant .

Identity Brokering and Federation

Keycloak supports identity brokering, which allows the server to act as an intermediary that delegates user authentication to external identity providers (IDPs) supporting OpenID Connect (OIDC) or SAML 2.0 protocols. Since version 26.3.0, Keycloak supports brokering with any OAuth 2.0 compliant authorization server. This enables seamless integration with third-party services, such as social networks, where users can authenticate using their existing accounts without creating new credentials in Keycloak. As of version 26.0.0, multiple instances of social brokers are allowed per realm. For instance, administrators can configure brokering with providers like Google, Facebook, or GitHub by adding an identity provider in the Admin Console, specifying details such as client IDs, secrets, and redirect URIs. During the authentication process, Keycloak redirects the user to the external for , receives an assertion or upon success, and then maps the received attributes—such as , first name, and last name—to a local Keycloak . If the user does not exist locally, Keycloak can automatically create a new account through just-in-time (JIT) provisioning, or prompt for account linking if an existing Keycloak user matches based on criteria like . This linking process ensures that users maintain a single across systems, with options to handle screens where users approve attribute sharing and account association. Custom mappers, configurable per , transform and filter incoming attributes to align with Keycloak's user model, supporting operations like hardcoding values, scripting transformations, or regex-based assignments from claims. In addition to brokering, Keycloak provides user federation to integrate with legacy user stores, synchronizing identities from external directories like LDAP, , or without requiring users to re-register. For LDAP or , administrators configure a federation provider in the Admin Console by entering connection URLs, bind credentials, and base DNs, enabling Keycloak to query and validate users against the external store. Synchronization can occur periodically (full or changed users) or on-demand during login, with support for importing users into Keycloak's local database or maintaining a federated mode where credentials remain external. integration complements this by allowing SPNEGO-based authentication, where Keycloak uses keytabs and service principal names to negotiate tickets seamlessly with environments. Configuration of both brokering and federation emphasizes flexibility through mappers and flows. Attribute mappers in user federation mirror those in brokering, extracting LDAP attributes (e.g., uid, sn) and mapping them to Keycloak fields, with options for UUID generation or custom logic. The first-broker flow, customizable via the Admin Console, governs initial interactions for brokered users, incorporating steps like email verification, duplicate detection, or review profiles before account creation. Edit modes for federated users—such as READ_ONLY (prevents local changes), WRITABLE (allows updates synced back), or UNSYNCED (local edits not propagated)—provide control over data consistency. These features collectively centralize (SSO) across disparate identity systems, reducing administrative overhead by leveraging existing user bases and minimizing . By handling , attribute transformation, and account linking, Keycloak ensures secure, user-friendly federation that complies with protocols like OIDC and SAML while supporting hybrid environments with legacy stores.

Integrations

Supported Protocols

Keycloak implements several open security protocols to enable secure authentication and authorization for applications and services, ensuring interoperability with diverse systems. These protocols include , OAuth 2.0, and , which form the core of its capabilities. Additionally, as of version 26.4 released in September 2025, Keycloak provides support for emerging standards such as Financial-grade API (FAPI) 2.0 and experimental features for . OpenID Connect (OIDC) is fully supported as a certified implementation since version 18.0.0, allowing Keycloak to act as an OIDC provider for securing web and mobile applications. It includes support for the OpenID Connect Discovery 1.0 specification, enabling clients to automatically retrieve endpoint information, and Dynamic Client Registration 1.0 for programmatic client setup. Key features encompass the authorization code flow with Proof Key for Code Exchange (PKCE) for public clients, the implicit flow for browser-based applications, and hybrid flows combining both. Tokens are issued as JSON Web Tokens (JWTs) compliant with RFC 7519, supporting introspection via the OAuth 2.0 Token Introspection endpoint for resource server validation. OAuth 2.0 integration in Keycloak provides robust resource server protection and client authentication, building on its role as an authorization server. It supports core grant types including authorization code, client credentials, and refresh tokens, supporting PKCE (Proof Key for Code Exchange) for enhanced security in authorization code flows—required for public clients—to mitigate authorization code injection attacks. Client authentication methods include client secret basic, private key JWT, and mutual TLS, ensuring secure token issuance and exchange. Resource servers can validate access tokens through or JWT verification, facilitating fine-grained without direct user involvement. SAML 2.0 enables Keycloak to operate in both Identity Provider (IdP) and Service Provider (SP) modes, supporting federation scenarios for legacy and enterprise integrations. As an IdP, Keycloak authenticates users and issues assertions in XML format, secured with digital signatures per the SAML 2.0 Core specification. In SP mode, it consumes assertions from external IdPs for single sign-on. Metadata exchange is fully implemented, allowing automatic configuration via XML descriptors published at dedicated endpoints, such as /realms/{realm}/protocol/saml/descriptor for IdP metadata. This supports browser-based SSO profiles like Web Browser SSO and includes bindings for POST and Redirect methods. For enhanced security in financial and high-risk environments, Keycloak version 26.4 introduces full compliance with FAPI 2.0 Security Profile and FAPI 2.0 Message Signing specifications from the Foundation. These profiles mandate stronger , such as mutual TLS or DPoP (Demonstrating Proof-of-Possession), and /JARM (JWT-Secured Request) for signing requests to prevent tampering. Additionally, experimental support for OID4VCI enables verifiable issuance using 2.0 and OIDC extensions, allowing Keycloak to act as a in decentralized scenarios, though full verification flows remain under development. This feature, introduced progressively since version 25, adapts authorization code flows for batch issuance and supports selective disclosure via SD-JWTs, but is not yet production-ready.

Application Adapters and Extensions

Keycloak provides official client adapters to facilitate the integration of into applications, primarily handling token validation, propagation, and authentication flows using OpenID Connect (OIDC). The adapter is designed for client-side web applications, enabling secure login and token management in browsers, with built-in support for mobile apps. Similarly, the adapter supports server-side JavaScript environments, allowing applications to validate tokens and propagate user identities across services. As of Keycloak 25.0.0, most traditional adapters (such as those for Servlet, JSF, and Undertow) have been removed, with the project recommending the use of standard OIDC libraries like or MicroProfile JWT for Java-based applications. No official .NET adapter is provided; instead, developers are advised to leverage .NET's built-in OIDC support via libraries such as .Identity.Web. For framework-specific integrations, Keycloak emphasizes and libraries tailored to popular stacks. In applications, integration occurs through Spring Security's OIDC resource server configuration, which handles token introspection and validation without requiring deprecated adapters. Client-side frameworks like and utilize the JavaScript adapter via packages (e.g., keycloak-js), providing hooks for state management, token refresh, and logout propagation. These adapters ensure seamless security for single-page applications (SPAs) by abstracting OIDC flows, such as authorization code with PKCE, while supporting non-Java stacks through lightweight that minimizes . Keycloak's extensibility is achieved through Service Provider Interfaces (SPIs), which allow developers to implement custom providers for various components, including mechanisms, credential handlers, and protocol mappers. Themes can be customized to alter the user interface for , account management, and admin consoles, using FreeMarker templates, CSS, and , with tools like the Quick Theme utility simplifying the process. Event listeners enable hooking into system events (e.g., success or admin actions) for auditing, notifications, or integration with external systems, configurable via the admin console or SPI implementations. Additionally, JavaScript-based policies support fine-grained by allowing custom logic in policy enforcers, executed server-side for evaluating access decisions. In the broader ecosystem, Keycloak integrates with service meshes like Istio and Envoy by leveraging JWT authentication filters in Envoy sidecars, which validate Keycloak-issued tokens without needing application-level adapters, enhancing security in architectures. As of Keycloak 26.x releases in 2025, compatibility with these tools remains supported through standard OIDC and JWT propagation, though no native adapter is provided; services can secure tokens using general OIDC clients.

References

  1. [1]
    Keycloak
    Keycloak - the open source identity and access management solution. Add single-sign-on and authentication to applications and secure services with minimum ...Documentation 26.4.4DownloadsGuidesDockerCommunity
  2. [2]
    Server Administration Guide - Keycloak
    Keycloak provides customizable user interfaces for login, registration, administration, and account management. You can also use Keycloak as an integration ...Keycloak features and concepts · Configuring realms
  3. [3]
    keycloak/keycloak: Open Source Identity and Access Management ...
    Keycloak provides user federation, strong authentication, user management, fine-grained authorization, and more.
  4. [4]
    https://www.keycloak.org/downloads.html
  5. [5]
    keycloak/LICENSE.txt at main · keycloak/keycloak
    - **License Confirmation**: The content does not provide the full license text due to limited visible data from the GitHub page snippet.
  6. [6]
    How to install and migrate to Red Hat build of Keycloak
    May 23, 2024 · This article will guide you through how to migrate from Red Hat's single sign-on to Red Hat build of Keycloak, highlighting the benefits and considerations ...
  7. [7]
    New Keycloak maintainer: Sebastian Schuster
    May 2, 2023 · We are pleased to welcome Sebastian Schuster as an official maintainer of Keycloak. Sebastian has contributed to Keycloak since 2019.Missing: committee | Show results with:committee
  8. [8]
    KeycloakCon | LF Events
    KeycloakCon is a half-day single-track conference that brings together the Keycloak community. The event offers a platform for technical talks…Missing: DevCon | Show results with:DevCon
  9. [9]
    https://access.redhat.com/products/red-hat-build-of-keycloak
  10. [10]
    New Keycloak maintainer: Takashi Norimatsu
    Oct 18, 2021 · We are extremely pleased to welcome Takashi Norimatsu as an official maintainer of Keycloak. Takashi has contributed to Keycloak since 2017.Missing: steering committee
  11. [11]
    Keycloak joins CNCF as an incubating project
    Apr 11, 2023 · The CNCF Technical Oversight Committee (TOC) has voted to accept Keycloak as a CNCF incubating project. Keycloak is an Identity and Access ...Missing: steering | Show results with:steering
  12. [12]
    New Keycloak Project: SSO for Browser, Social, and REST Services
    Dec 3, 2013 · Deployable as a WAR, appliance, or an Openshift cloud service (SaaS). Supports JBoss AS7, EAP 6.x, and Wildfly applications. Plans to support ...
  13. [13]
    Keycloak - Wikipedia
    Keycloak is an open source software product to allow single sign-on with identity and access management aimed at modern applications and services.
  14. [14]
    Keycloak 22.0.0 released
    Jul 11, 2023 · Transition from Java EE to Jakarta EE. As part of upgrading to Quarkus 3.x Keycloak migrated its codebase from Java EE (Enterprise Edition) ...
  15. [15]
    Keycloak 26.0.0 released
    Oct 4, 2024 · Keycloak 26 introduces significant improvements to the recommended HA multi-site architecture, most notably:<|control11|><|separator|>
  16. [16]
    Keycloak 26.2.0 released
    Apr 11, 2025 · Keycloak 26.2.0 released. April 11 2025. To download the release go to Keycloak downloads. Highlights. Supported Standard Token Exchange. In ...
  17. [17]
    Keycloak 26.4.0 released
    Sep 30, 2025 · Keycloak 26.4.0 released. September 30 2025. To download the release go to Keycloak downloads. Highlights. This release features new ...Missing: earliest | Show results with:earliest
  18. [18]
    Release Notes - Keycloak
    The Keycloak server has now official support for client policies and Financial-grade API (FAPI). This capability was previewed in earlier versions, but now ...Keycloak 26.4.0 · Keycloak 26.3.0 · Keycloak 26.2.0 · Keycloak 26.1.0
  19. [19]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_configuring-realms
  20. [20]
    https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-a-realm_server_administration_guide
  21. [21]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_using-the-admin-console
  22. [22]
    https://www.keycloak.org/server/importExport
  23. [23]
    Importing and exporting realms - Keycloak
    In this guide, you are going to understand the different approaches for importing and exporting realms using JSON files.
  24. [24]
    Server Administration Guide
    Summary of each segment:
  25. [25]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_account_console
  26. [26]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_account-service
  27. [27]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_tokens
  28. [28]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_token_exchange
  29. [29]
    Server Administration Guide
    Summary of each segment:
  30. [30]
    https://www.keycloak.org/docs/latest/server_development/index.html#_providers
  31. [31]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_database
  32. [32]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_database_configuration
  33. [33]
    OpenJDK - Keycloak
    Download and extract keycloak-26.4.4.zip from the Keycloak website. After extracting this file, you should have a directory that is named keycloak-26.4.4 ...<|separator|>
  34. [34]
    https://www.keycloak.org/getting-started/getting-started-docker
  35. [35]
    https://www.keycloak.org/getting-started/getting-started-kube
  36. [36]
    Migrating to Quarkus distribution - Keycloak
    To migrate to the new Quarkus powered distribution the first step is to understand what configuration changes you are applying to the legacy distribution.Missing: 15 | Show results with:15
  37. [37]
    Configuring TLS - Keycloak
    In this guide, you will learn how to configure Keycloak to use HTTPS/TLS. Keycloak can be configured to load the required certificate infrastructure using files ...
  38. [38]
    https://www.keycloak.org/server/hostname
  39. [39]
    https://www.keycloak.org/server/db
  40. [40]
    Configuring distributed caches - Keycloak
    When you start Keycloak in production mode, by using the start command, caching is enabled and all Keycloak nodes in your network are discovered. By default, ...
  41. [41]
    Scaling - Keycloak
    Keycloak scaling involves vertical scaling by adjusting CPU/memory, and horizontal scaling by running multiple instances for higher availability. Horizontal ...Missing: JGroups Prometheus
  42. [42]
    Gaining insights with metrics - Keycloak
    Keycloak has built in support for metrics. This guide describes how to enable and configure server metrics.Missing: clustering JGroups horizontal scaling<|control11|><|separator|>
  43. [43]
    Upgrading Guide - Keycloak
    Oct 23, 2025 · This guide describes how to upgrade Keycloak. Use the following procedures in this order: Migration ChangesMissing: 2013 | Show results with:2013<|control11|><|separator|>
  44. [44]
    Avoiding downtime with rolling updates - Keycloak
    This guide describes how to minimize downtimes by configuring the Keycloak Operator to perform rolling updates of Keycloak automatically where possible.Missing: IPv6 | Show results with:IPv6
  45. [45]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_authentication-flows
  46. [46]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_features
  47. [47]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_proc_creating-otp_server_administration_guide
  48. [48]
    https://www.keycloak.org/docs/latest/server_development/index.html#_custom-authentication-mechanisms
  49. [49]
    https://www.keycloak.org/2025/07/keycloak-2630-released
  50. [50]
    https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_overview
  51. [51]
    Server Administration Guide
    Summary of each segment:
  52. [52]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_sessions
  53. [53]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_administering-sessions
  54. [54]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_brute_force
  55. [55]
    https://www.keycloak.org/docs/latest/release_notes/index.html
  56. [56]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_mfa
  57. [57]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_step-up-flow
  58. [58]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_recovery-codes
  59. [59]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_brokering
  60. [60]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker_oauth
  61. [61]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_first_broker_login
  62. [62]
    Specifications implemented - Keycloak
    This guide presents a list of specifications and standards that Keycloak currently implements. The standards are separated in different sections and, ...
  63. [63]
    Securing applications and services with OpenID Connect - Keycloak
    Keycloak exposes a set of endpoints that applications and services can use to authenticate and authorize their users.
  64. [64]
    Keycloak JavaScript adapter
    Keycloak comes with a client-side JavaScript library called keycloak-js that can be used to secure web applications.
  65. [65]
    https://www.keycloak.org/docs/latest/server_admin/index.html#_kerberos
  66. [66]
    Keycloak 25.0.0 released
    Jun 10, 2024 · Keycloak 25.0.0 removes Account Console v2 theme, supports Java 21, removes most Java adapters, uses Argon2 for password hashing, and ...
  67. [67]
    Server Developer Guide - Keycloak
    Keycloak allows you to store tokens and responses from the authentication process with the external IDP. For that, you can use the Store Token configuration ...
  68. [68]
    https://www.keycloak.org/securing-apps/javascript-adapter
  69. [69]
    Authorization Services Guide - Keycloak
    Keycloak Authorization Services can help you improve the authorization capabilities of your applications and services.
  70. [70]
    Keycloak and Istio
    Feb 26, 2018 · Istio manages service mesh, potentially replacing Keycloak adapters. Istio's Envoy sidecar uses a JWT-Auth filter to verify Keycloak tokens.What Is Istio? · The Envoy Sidecar · Envoy FiltersMissing: gRPC | Show results with:gRPC<|control11|><|separator|>