KeyConf25

28 Aug 2025Amsterdam, Netherlands 9am - 6pm
Our annual conference dedicated to the Keycloak user community returns, with even more content and networking opportunities than last year. It’s the perfect place to interact, learn, share, and exchange insights and real-world use cases network with fellow experts, users, and contributors.
Get Tickets
150+
Attendees
2
Rooms
1
Panel
13
Talks

About KeyConf

The event is organised with support from the "Keycloak - OAuth2 Special Interest Group," which contributed to building OpenID FAPI standards into Keycloak. There is more standards-related work in progress, and it is a great opportunity to interact with the contributors and be part of such amazing contributions.

Why Join Us

  • Keynote speakers and networking opportunities.
  • In-person for a chance to learn from industry experts.
  • Connect with like-minded professionals.
  • Networking lunch.
  • Business drinks (Get in touch if you would like to sponsor).
Event Starts In:
Get Your Ticket Today
 Video and chat on a full page
 Video and chat on a full page

Speakers & MC

We are delighted to be able to present you with a high-quality speaker line-up consisting of leading Keycloak developers, maintainers & experts. As the Masters of Ceremony, Alexander Schwartz and Thomas Darimont will lead through the day.
Takashi Norimatsu
Takashi Norimatsu
Senior OSS Specialist
Hitachi, Ltd.
Read more →
Niko Köbler
Niko Köbler
Keycloak-Expert
Read more →
Marcel Meyer
Marcel Meyer
Technology Lead and Senior Solution Architect
adorsys
Read more →
Alexander Schwartz
Alexander Schwartz
Principal Software Engineer
IBM
Read more →
Sebastian Schuster
Sebastian Schuster
SRE Team Lead
Bosch Digital
Read more →
Thomas Darimont
Thomas Darimont
Digital Identity Consultant and Managing Director
Identity Tailor
Read more →
Martin Bartoš
Martin Bartoš
Senior Software Engineer
IBM
Read more →
Joseph Garrone
Joseph Garrone
Lead Developer
Insee
Read more →
Maik Kingma
Maik Kingma
Senior Software Craftsman
the/experts
Read more →
Max Maaß
Max Maaß
Senior Software Craftsman
iteratec
Read more →
Tim Walter
Tim Walter
IT Security Architect
iteratec
Read more →
Konstantinos Georgilakis
Konstantinos Georgilakis
GRNET (Greek Research & Technology Network)
Read more →
Pritish Joshi
Pritish Joshi
Technical Architect
Banfico
Read more →
Simon Vacek
Simon Vacek
Associate Software Quality Engineer
IBM
Read more →
Sven-Torben Janus
Sven-Torben Janus
Principal Software Architect and Partner
Conciso
Read more →
Jérémy Chapeau
Jérémy Chapeau
Cybersecurity Expert
Read more →
Stephan Kraft
Stephan Kraft
Community Advocate - OpenShift & Application Services
Red Hat
Read more →
Vishwang Dave
Vishwang Dave
adorsys
Read more →
Get Tickets

Schedule

9:00 - 9:50

Registration & Welcome Coffee

9:50 - 10:00

Opening remarks and welcome from organisers

10:00 - 10:15

Keycloak OAuth Special Interest Group community message

10:15 - 10:45

MFA, passwordless authentication and the lost phone

Conference Room 1
Niko Köbler
Keycloak has recently expanded the default multi-factor authentication (MFA) options with supported Recovery Codes, which you can use if you don’t have access to your OTP device (e.g. your phone) and WebAuthN. The latest release also improved the user experience dramatically for passwordless authentication using Passkeys.

In my talk, I will explain how to use MFA correctly, what it is and what it is not. Afterwards, I’ll show hands-on how to configure Keycloak for proper MFA usage and how you also can use passwordless authentication using Passkeys in parallel to traditional authentication with username, password and MFA.

10:45 - 11:15

AI Meets Identity: Managing Keycloak with Natural Language via MCP

Conference Room 1
Marcel Meyer, adorsys, Vishwang Dave, adorsys
Imagine talking to your IAM system—and it actually understands you. In this talk, I’ll introduce the Keycloak MCP Server & Client, a modular control plane that allows you to manage realms, users, groups, clients, roles, and security policies in Keycloak using a semantic interface—including natural language input.We’ll walk through how the system works with a custom MCP Client as well as Claude (Anthropic) as an AI client, subscribing to Keycloak’s event system, querying security rules, and performing complex tasks like: “Create user XXXX—if this doesn’t violate our security policies.”

The session includes:

  • a brief intro to the MCP concept,
  • introduction of the Keycloak MCP Server and Client,
  • a live showcase of real-world use cases,
  • and an outlook on how AI-powered identity management opens up smarter, more secure, and more intuitive workflows.

11:15 - 11:30

Coffee Break

11:30 - 12:00

Observability in Keycloak: Where Does It Hurt?

Conference Room 1
Martin Bartoš, IBM
Keycloak plays a critical role in securing applications and platforms, making its reliability and performance vital in production environments. To ensure smooth operation and fast incident resolution, you need to understand how Keycloak behaves - before things go wrong. Logs, metrics, and traces form the three pillars of observability, all of which are supported in Keycloak. They are backed by troubleshooting and sizing guides, as well as ready-to-use Grafana dashboards that help operators gain deeper insights. In this talk, we'll give a practical overview of Keycloak's observability features, including recent improvements and integrations. We'll walk through a live demo showing how you can correlate metrics with traces to diagnose latency spikes and uncover the root cause of SLO violations. Whether you're operating Keycloak at scale or just getting started, this session will provide the tools and knowledge to monitor, troubleshoot, and optimize your deployment.

IAM Doomsday Prepper: Surviving the Apocalypse with Keycloak

Conference Room 2
Maik Kingma, the/experts
In the ever-evolving landscape of Identity and Access Management (IAM), it's crucial for organizations to stay prepared and adaptable. While Keycloak has become a popular open-source IAM solution, many projects still rely on UI-based configurations or JSON imports, leaving them vulnerable to human error, scalability issues, and time-consuming maintenance.

This talk will introduce attendees to the concept of configuration as code in Keycloak, focusing on the Keycloak Java Admin Client as a powerful tool for future-proofing IAM systems. By embracing configuration as code, organizations can increase security, reduce errors, and streamline the management of their IAM infrastructure.

Key Takeaways:

  • Understand the limitations of UI-based configurations and JSON imports in Keycloak, and why they can be a recipe for disaster.
  • Learn how the principles of configuration as code can be applied to Keycloak using the Java Admin Client for enhanced IAM management.
  • Discover best practices for implementing configuration as code in Keycloak, including version control, collaboration, and automated testing.
  • Gain insights into real-world examples of successful configuration as code implementations in Keycloak, and the benefits they've brought to organizations.

By the end of this talk, attendees will be armed with the knowledge and tools needed to transform their Keycloak projects from ticking time bombs to robust, resilient, and easily maintainable IAM solutions, ensuring they're prepared for any challenges that lie ahead.

12:00 - 12:30

Protectors of the Realm: Breaking and Fixing Keycloak Configurations

Conference Room 1
Max Maaß, iteratec, Tim Walter, iteratec
As Keycloak practitioners, we often focus on implementing features rather than continuously evaluating our security posture. After being responsible for the security of a Keycloak instance in a large-scale project for nearly three years, we've encountered several configuration vulnerabilities that can easily slip through even experienced teams.

In this talk, we'll go beyond the basics to explore common security pitfalls in Keycloak deployments that we've encountered during our journey. More importantly, we'll introduce our open source tool, kcwarden, which we developed to automate security auditing of Keycloak configurations. This tool not only detects standard security issues but can be customized to identify organization-specific concerns such as problematic role assignments or policy violations, enabling continuous monitoring of your Keycloak environment.

Join us to discover how kcwarden can enhance your existing Keycloak deployment's security posture and learn practical strategies for implementing automated configuration checks into your operational workflows."

The Event Sorcerer with the Keycloak: The Battle against Dynamic Configuration

Conference Room 2
Maik Kingma, the/experts
In the evolving realm of Identity and Access Management (IAM), only the most skilled (event) sorcerers can harness the true power of "the Keycloak".

Discover how to extend static configurations with sets of dynamic event driven configuration, making your IAM projects resilient against change and highly adaptable. Learn the secrets of coding, versioning, and replaying configurations, ensuring your Keycloak setup is robust, future-proof and, most of all, dynamic.

Join Maik Kingma for a session that blends technical mastery with the lore of IAM, equipping you with the knowledge to wield dynamic configuration like a true sorcerer. By the end, your Keycloak projects will be fortified, ready to face any IAM challenge ahead."

12:30 - 14:00

Lunch break

Let's have some delicious food together and network.

14:00 - 14:30

Keycloak meets AI: the possibility of integrating Keycloak with AI

Conference Room 1
Takashi Norimatsu, Hitachi, Ltd.
In this talk, Takashi investigates the possibility of integrating Keycloak with AI agents.

In the field of AI agents, Model Context Protocol (MCP) becomes a hot topic, which makes it easy for an AI agent/tool to connect internal/external services.

When an AI agent/tool implementing an MCP client accesses a remote external service implementing an MCP server, end user authentication and authorization is sometimes required. According to the MCP specification, OAuth 2.1 needs to be used for that, which implies that there is the possibility of using Keycloak for end user authentication and authorization because Keycloak supported OAuth 2.1.

Firstly, Takashi talks about MCP briefly and describes end user authentication and authorization of MCP in more detail. After that, the speaker shows the possible system configuration that includes Keycloak as a part of the MCP server.

Introducing oidc-spa: A keycloak-js alternative that works with any OIDC provider

Conference Room 2
Joseph Garrone, Insee
Integrating Keycloak into modern web applications can be challenging, especially for developers used to the polished SDKs and smooth DX of SaaS platforms like Auth0 or Clerk. oidc-spa is an open-source attempt to close that gap, offering a streamlined developer experience inspired by those platforms, while preserving the flexibility of open standards. Beyond improving DX, `oidc-spa` promotes portability: apps built with it aren’t tied to Keycloak. They can run against Microsoft Entra ID, Auth0, or any other OIDC provider that supports the Authorization Code Flow with PKCE, which includes nearly all of them. This is critical in environments where identity infrastructure varies across deployments.

14:30 - 15:00

Enjoy Writing Tests with the new Keycloak Test Framework

Conference Room 1
Simon Vacek, IBM
Dreading adding new features because of the Arquillian testsuite? In this session, we'll introduce you to the brand new Keycloak Test Framework, designed to make testing a breeze for contributors and extension developers.

Why change from Arquillian? What are the new framework's key features? How does it all work, and where do I start? All of these questions and more will be answered in this session. By the end, you'll have a clear understanding of how to leverage the Keycloak Test Framework to write more effective tests, save time, and improve the overall quality and maintainability.

Token Exchange - Keycloak's Secret Weapon for Platforms

Conference Room 2
Sven-Torben Janus, Conciso
As platform developers, we're constantly challenged to build systems that are secure, scalable, and ready for anything. But how do you maintain robust security without sacrificing flexibility? Enter OAuth 2.0 Token Exchange in Keycloak - a powerful tool that's transforming the way we manage identity and access across complex architectures. In this session, we'll explore how to use Keycloak's token exchange capabilities to tackle the toughest problems in platform development: securing microservice communications, handling dynamic authorization across distributed systems, and enabling seamless Single Sign-On across multiple domains. We'll dive deep into real-world use cases, share expert tips on configuring Keycloak for advanced token exchange scenarios, and reveal how you can leverage these capabilities to build platforms that are not just secure, but also agile and responsive to change. Whether you're building cloud-native apps, orchestrating microservices, or securing APIs, this talk will provide the practical knowledge you need to harness the full power of OAuth 2.0 Token Exchange with Keycloak. Don't miss your chance to redefine your platform's identity strategy and keep your systems ahead of the curve!

15:00 - 15:15

Coffee Break

15:15 - 15:45

Keycloak & OpenID Federation: Empowering Dynamic Trust in Federated Environments

Conference Room 1
Konstantinos Georgilakis, GRNET (Greek Research & Technology Network)
This session will explore our journey to integrate OpenID Federation support into Keycloak to enable participation in an identity federation of entities using OpenID Connect and OAuth 2.0. OpenID Federation offers a robust framework for establishing dynamic trust between OpenID Providers (OPs) and Relying Parties (RPs), significantly simplifying the management of large-scale identity federations. By leveraging this specification, Keycloak will enable the dynamic establishment of trust between OPs and RPs, facilitate secure interactions authenticated via Trust Anchors, and crucially, eliminate the need for cumbersome manual or bilateral trust agreements. We'll demonstrate our progress in implementing OpenID Federation support for Keycloak and outline our ongoing plan to integrate this essential functionality into Keycloak's core through collaborative efforts and pull requests with the Keycloak team and the Keycloak OAuth SIG group.

As a foundational step, we aim to enable Keycloak to seamlessly support both explicit and automatic client registration under OpenID Federation, acting as both an OP and an RP within the identity federation using OpenID Connect and OAuth 2.0. We'll show how to enable and configure OpenID Federation on a per-realm basis through the admin console using mandatory and optional realm settings. Our presentation will delve into the REST API and code implementation, with a particular focus on the explicit registration process. We'll also engage in a discussion about outstanding issues, open technical challenges, and future considerations, including the implementation of other OpenID Federation components.

A key use case for this development is the EOSC Beyond project, where Keycloak-powered identity and access management services will participate in the European Open Science Cloud identity federation, leveraging the OpenID Federation specification. This will greatly simplify integration and enhance scalability across the EOSC ecosystem by enabling secure, interoperable access to resources. To bring it all to life, we'll offer a practical demonstration showcasing OpenID Federation in the project context.

Graph-Driven Audits for Keycloak: A Deep Dive with Cartography

Conference Room 2
Jérémy Chapeau
Managing identities and access control is critical but how well do you really know your Keycloak setup? In this talk, we'll explore how to audit and visualize Keycloak using Cartography, a graph-based security tool developed by the CNCF community. You'll learn how to extract identity and access data from Keycloak, model it as a graph, and uncover hidden risks, misconfigurations, and opportunities to strengthen your security posture. Through practical examples and live demos, we'll deep dive into how graph analysis can reveal relationships and patterns that traditional audits often miss. Whether you're managing a small Keycloak instance or a complex multi-realm environment, this session will give you new tools and insights to secure your identity infrastructure more effectively.

15:45 - 16:15

Keyless, identity-based signing of Software Artifacts w/ sigstore and Keycloak

Conference Room 1
Stephan Kraft, Red Hat
There is almost no debate that digital signing is an important best practice for securing the software supply chain, e.g container images, git commits and any software artifact that is involved in the SDLC. But managing keys is cumbersome, associating keys with actual human or workload identities is cumbersome, rotating and revoking keys is just annoying. Sigstore - an open-source project under the Open Source Security Foundation (OpenSSF) provides a robust solution to these problems. And it works nicely with keycloak as an OIDC provider. In this talk, we explore the history of digital signing, the challenges and demo a viable solution based on Open Source technology.

16:15 - 16:45

Panel discussion: Meet the maintainers

Conference Room 1
Sebastian Schuster, Bosch Digital, Thomas Darimont, Identity Tailor, Takashi Norimatsu, Hitachi, Ltd., Alexander Schwartz, IBM
The maintainers on the panel will answer the live questions from the audience.

16:45 - 17:00

Closing Remarks

17:00 - 18:00

Get Together

Snacks and drinks to network at the hotel.
Buy Tickets

What's included?

  • Talks from industry-leading speakers
  • FREE drinks, refreshments and lunch
  • Live stream and recorded talks
Buy Tickets

Venue

Location

Van der Valk Hotel Amsterdam Zuidas – RAI
Tommaso Albinonistraat 200
Zuideramstel
1083 HM Amsterdam
Netherlands

Directions

Please use Google Maps to find out how to get there.

Google Maps

A big 'Thank You' to our Organizers & Sponsors:

adorsys GmbH & Co. KG
Hitachi
Banfico