KeyConf25

In this talk, Takashi investigates the possibility of integrating Keycloak with AI agents.

In the field of AI agents, Model Context Protocol (MCP) becomes a hot topic, which makes it easy for an AI agent/tool to connect internal/external services.

When an AI agent/tool implementing an MCP client accesses a remote external service implementing an MCP server, end user authentication and authorization is sometimes required. According to the MCP specification, OAuth 2.1 needs to be used for that, which implies that there is the possibility of using Keycloak for end user authentication and authorization because Keycloak supported OAuth 2.1.

Firstly, Takashi talks about MCP briefly and describes end user authentication and authorization of MCP in more detail. After that, the speaker shows the possible system configuration that includes Keycloak as a part of the MCP server.

Integrating Keycloak into modern web applications can be challenging, especially for developers used to the polished SDKs and smooth DX of SaaS platforms like Auth0 or Clerk. oidc-spa is an open-source attempt to close that gap, offering a streamlined developer experience inspired by those platforms, while preserving the flexibility of open standards. Beyond improving DX, `oidc-spa` promotes portability: apps built with it aren’t tied to Keycloak. They can run against Microsoft Entra ID, Auth0, or any other OIDC provider that supports the Authorization Code Flow with PKCE, which includes nearly all of them. This is critical in environments where identity infrastructure varies across deployments.

Dreading adding new features because of the Arquillian testsuite? In this session, we'll introduce you to the brand new Keycloak Test Framework, designed to make testing a breeze for contributors and extension developers.

Why change from Arquillian? What are the new framework's key features? How does it all work, and where do I start? All of these questions and more will be answered in this session. By the end, you'll have a clear understanding of how to leverage the Keycloak Test Framework to write more effective tests, save time, and improve the overall quality and maintainability.

As platform developers, we're constantly challenged to build systems that are secure, scalable, and ready for anything. But how do you maintain robust security without sacrificing flexibility? Enter OAuth 2.0 Token Exchange in Keycloak - a powerful tool that's transforming the way we manage identity and access across complex architectures. In this session, we'll explore how to use Keycloak's token exchange capabilities to tackle the toughest problems in platform development: securing microservice communications, handling dynamic authorization across distributed systems, and enabling seamless Single Sign-On across multiple domains. We'll dive deep into real-world use cases, share expert tips on configuring Keycloak for advanced token exchange scenarios, and reveal how you can leverage these capabilities to build platforms that are not just secure, but also agile and responsive to change. Whether you're building cloud-native apps, orchestrating microservices, or securing APIs, this talk will provide the practical knowledge you need to harness the full power of OAuth 2.0 Token Exchange with Keycloak. Don't miss your chance to redefine your platform's identity strategy and keep your systems ahead of the curve!

This session will explore our journey to integrate OpenID Federation support into Keycloak to enable participation in an identity federation of entities using OpenID Connect and OAuth 2.0. OpenID Federation offers a robust framework for establishing dynamic trust between OpenID Providers (OPs) and Relying Parties (RPs), significantly simplifying the management of large-scale identity federations. By leveraging this specification, Keycloak will enable the dynamic establishment of trust between OPs and RPs, facilitate secure interactions authenticated via Trust Anchors, and crucially, eliminate the need for cumbersome manual or bilateral trust agreements. We'll demonstrate our progress in implementing OpenID Federation support for Keycloak and outline our ongoing plan to integrate this essential functionality into Keycloak's core through collaborative efforts and pull requests with the Keycloak team and the Keycloak OAuth SIG group.

As a foundational step, we aim to enable Keycloak to seamlessly support both explicit and automatic client registration under OpenID Federation, acting as both an OP and an RP within the identity federation using OpenID Connect and OAuth 2.0. We'll show how to enable and configure OpenID Federation on a per-realm basis through the admin console using mandatory and optional realm settings. Our presentation will delve into the REST API and code implementation, with a particular focus on the explicit registration process. We'll also engage in a discussion about outstanding issues, open technical challenges, and future considerations, including the implementation of other OpenID Federation components.

A key use case for this development is the EOSC Beyond project, where Keycloak-powered identity and access management services will participate in the European Open Science Cloud identity federation, leveraging the OpenID Federation specification. This will greatly simplify integration and enhance scalability across the EOSC ecosystem by enabling secure, interoperable access to resources. To bring it all to life, we'll offer a practical demonstration showcasing OpenID Federation in the project context.

Managing identities and access control is critical but how well do you really know your Keycloak setup? In this talk, we'll explore how to audit and visualize Keycloak using Cartography, a graph-based security tool developed by the CNCF community. You'll learn how to extract identity and access data from Keycloak, model it as a graph, and uncover hidden risks, misconfigurations, and opportunities to strengthen your security posture. Through practical examples and live demos, we'll deep dive into how graph analysis can reveal relationships and patterns that traditional audits often miss. Whether you're managing a small Keycloak instance or a complex multi-realm environment, this session will give you new tools and insights to secure your identity infrastructure more effectively.

There is almost no debate that digital signing is an important best practice for securing the software supply chain, e.g container images, git commits and any software artifact that is involved in the SDLC. But managing keys is cumbersome, associating keys with actual human or workload identities is cumbersome, rotating and revoking keys is just annoying. Sigstore - an open-source project under the Open Source Security Foundation (OpenSSF) provides a robust solution to these problems. And it works nicely with keycloak as an OIDC provider. In this talk, we explore the history of digital signing, the challenges and demo a viable solution based on Open Source technology.

The maintainers on the panel will answer the live questions from the audience.