Workload identities are another world. They are fundamentally different from human identities in many aspects, such as issuance, lifecycle, presentation and verification. Is Keycloak ready to make its first steps in this completely new area? Thanks to Keycloak's extensible architecture, the answer is a definite "yes".
In this talk, I will focus on two technologies and their support in Keycloak: SPIFFE, an industry standard for workload identities, and Transaction Tokens, an upcoming standard from the IETF OAuth WG that bridges the gap between the two worlds.
The session includes:
Discover how to extend static configurations with sets of dynamic, event-driven configuration, making your IAM projects resilient against change and highly adaptable. Learn the secrets of coding, versioning, and replaying configurations, ensuring your Keycloak setup is robust, future-proof and, most of all, dynamic.
Join Maik Kingma for a session that blends technical mastery with the lore of IAM, equipping you with the knowledge to wield dynamic configuration like a true sorcerer. By the end, your Keycloak projects will be fortified, ready to face any IAM challenge ahead.
In this talk, we'll go beyond the basics to explore common security pitfalls in Keycloak deployments that we've encountered during our journey. More importantly, we'll introduce our open source tool, kcwarden, which we developed to automate security auditing of Keycloak configurations. This tool not only detects standard security issues but can be customized to identify organization-specific concerns such as problematic role assignments or policy violations, enabling continuous monitoring of your Keycloak environment.
Join us to discover how kcwarden can enhance your existing Keycloak deployment's security posture and learn practical strategies for implementing automated configuration checks in your operational workflows.
In the field of AI agents, the Model Context Protocol (MCP) has become a hot topic: it makes it easy for an AI agent or tool to connect to internal and external services.
When an AI agent or tool implementing an MCP client accesses a remote external service implementing an MCP server, end-user authentication and authorization are sometimes required. According to the MCP specification, OAuth 2.1 must be used for that, which opens the possibility of using Keycloak for end-user authentication and authorization, because Keycloak supports OAuth 2.1.
First, Takashi introduces MCP briefly and describes end-user authentication and authorization in MCP in more detail. After that, the speaker shows a possible system configuration that includes Keycloak as part of the MCP server.
As a foundational step, we aim to enable Keycloak to seamlessly support both explicit and automatic client registration under OpenID Federation, acting as both an OP and an RP within the identity federation using OpenID Connect and OAuth 2.0. We'll show how to enable and configure OpenID Federation on a per-realm basis through the admin console using mandatory and optional realm settings. Our presentation will delve into the REST API and code implementation, with a particular focus on the explicit registration process. We'll also engage in a discussion about outstanding issues, open technical challenges, and future considerations, including the implementation of other OpenID Federation components.
A key use case for this development is the EOSC Beyond project, where Keycloak-powered identity and access management services will participate in the European Open Science Cloud identity federation, leveraging the OpenID Federation specification. This will greatly simplify integration and enhance scalability across the EOSC ecosystem by enabling secure, interoperable access to resources. To bring it all to life, we'll offer a practical demonstration showcasing OpenID Federation in the project context.
Van der Valk Hotel Amsterdam Zuidas – RAI
Tommaso Albinonistraat 200
Zuideramstel
1083 HM Amsterdam
Netherlands
Please use Google Maps to find out how to get there.