KeyConf26

08 Oct 2026Prague, Czech Republic9am - 6pm
Our annual conference dedicated to the Keycloak user community returns, with even more content and networking opportunities than last year. It’s the perfect place to interact, learn, share, and exchange insights and real-world use cases network with fellow experts, users, and contributors.
100+
Attendees
2
Rooms
14
Talks

About KeyConf

We’re bringing KeyConf back for the third year, continuing our mission to bring the Keycloak community together for a day of learning, collaboration, and innovation. Building on the success of previous editions, our 2026 conference will feature an even more dynamic format designed to foster deeper insights, meaningful discussions, and stronger connections across the Keycloak and security ecosystem.

Why Join Us

  • Keynote speakers and networking opportunities.
  • In-person for a chance to learn from industry experts.
  • Connect with like-minded professionals.
  • Networking lunch.
  • Business drinks (Get in touch if you would like to sponsor).
Event Starts In:

Speakers & MC

We are delighted to be able to present you with a high-quality speaker line-up consisting of leading Keycloak developers, maintainers & experts. As the Master of Ceremony, Alexander Schwartz will lead through the day.
Hannah Short
Hannah Short
Team Lead for Identity and Access Management
CERN
Read more →
Nathalia Pinesi
Nathalia Pinesi
Head of Marketing
adorsys
Read more →
Takashi Norimatsu
Takashi Norimatsu
Chief OSS Specialist
Hitachi, Ltd.
Read more →
Alexander Schwartz
Alexander Schwartz
Principal Software Engineer
IBM
Read more →
Sebastian Rose
Sebastian Rose
Lead Systems Engineer
Federal Statistical Office Germany
Read more →
Hugo Ibanez
Hugo Ibanez
Full Stack Software Engineering
adorsys
Read more →
Thomas Darimont
Thomas Darimont
Digital Identity Consultant and Managing Director
Identity Tailor GmbH
Read more →
Arndt Schwenkschuster
Arndt Schwenkschuster
Software Engineer
Defakto Security, SPIFFE maintainer
Read more →
Giuseppe Graziano
Giuseppe Graziano
Senior Software Enginer
IBM
Read more →
Niko Köbler
Niko Köbler
n-k.de
Read more →
Erik Jan de Wit
Erik Jan de Wit
IBM
Read more →
Francis Augusto Medeiros-Logeay
Francis Augusto Medeiros-Logeay
Read more →

Schedule

9:00 - 9:50

Registration & Welcome Coffee

9:50 - 10:00

Welcome and Opening Remarks from adorsys

Main Room - Castle Hall

10:00 - 10:15

SIG Community Message

Main Room - Castle Hall

10:15 - 10:45

What role can Keycloak play for International Science?

Main Room - Castle Hall
We will present a concise history of CERN's experience with Keycloak and how we have arrived at our current state: a highly performant and reliable SSO running on Kubernetes, serving over 14,000 clients and approximately 140,000 login events per day. We will share our solutions to some of the operational security challenges faced in recent years, and how CERN’s Keycloak falls into the bigger picture of authentication and authorisation for international research.

10:45 - 11:15

(sponsored talk)

Main Room - Castle Hall

11:15 - 11:30

Coffee Break

11:30 - 12:00

An Introduction to the OpenID Shared Signals Framework

Main Room - Castle Hall
As security threats become more sophisticated, the need for efficient, real-time communication between identity providers and relying parties is essential. The Shared Signals Framework (SSF) and related specifications such as CAEP and RISC address this challenge by providing a standardised way for systems to exchange security related signals, such as session revocations, credential breaches, and other identity-related incidents, in a secure and scalable manner. This talk introduces the Shared Signals Framework and explains how it enhances security and operational efficiency in modern identity ecosystems. We'll explore how SSF can be supported in Keycloak to enable real-time event-driven communication between providers and relying parties. Attendees will learn how Keycloak can help to detect and mitigate threats, and improve overall system security with SSF.

Platform SSO with Keycloak - secure and easy authentication for macOS users

Room 2 - Bridge Lab
Apple has a framework called Platform SSO where users of enrolled macOS devices have SSO with their IdP's simply by logging in to their machines. Until December 2025, only Microsoft and Okta supported it. The University of Oslo developed the first non-commercial implementation of Platform SSO, based on Keycloak. In this presentation, we show how Platform SSO and Keycloak has changed the life of macOS users and how your institution can benefit from it.

12:00 - 12:30

(sponsored talk)

Main Room - Castle Hall

No excuses for Client Secrets - use your Cloud Identity for Client Authentication

Room 2 - Bridge Lab
With the support of RFC 7521/7523 (Assertion-based Client Authentication) and its SPIFFE profile into Keycloak, it is possible to leverage the identity cloud providers give each instance as a means of client authentication. Whilst Kubernetes and SPIFFE integration is popular and actively discussed, it is also possible to leverage this for non-Kubernetes workloads that run in cloud environments. In this talk we will discuss the underlying principles of workload identity and the instance identity each cloud provider offers to running workloads, and dive into the possibilities it offers for Keycloak

12:30 - 14:00

Lunch break

Let's have some delicious food together and network.

14:00 - 14:30

(sponsored talk)

Main Room - Castle Hall

14:00 - 15:00

Setting up a EUDIW Issuer with Keycloak

Room 2 - Bridge Lab
Given the upcoming EIDAS regulation, Keycloak poses itself as a strong solution to issue fully compliant verifiable credentials. On this workshop, you will be guided on what needs to be done to have a reliable Keycloak issuer. An overview of the issuance spec will be given and all the background for you to understand the state of the art on this matter.

14:30 - 15:00

Keycloak for Cross-Domain Access: Secure Identity Propagation between Apps and Agents

Main Room - Castle Hall
Applications and AI agents increasingly need to interact across independent trust domains while maintaining the security and integrity of the original user identity. This session explores how Keycloak solves this principal propagation challenge using Token Exchange (RFC 8693) and the JWT Authorization Grant (RFC 7523), guided by two emerging specifications: OAuth 2.0 Identity and Authorization Chaining Across Domains and the Identity Assertion Authorization Grant. We will examine how Keycloak handles cross-domain context propagation, validating external assertions and issuing target-scoped access tokens. Attendees will leave with practical patterns for building secure, asynchronous integration chains that strictly preserve user context end-to-end, without relying on static API keys or over-privileged service accounts.

15:00 - 15:15

Coffee Break

15:15 - 15:45

(sponsored talk)

Main Room - Castle Hall

15:15 - 16:15

Wicked Keycloak challenges and how to resolve them

Room 2 - Bridge Lab
Keycloak has evolved over the years, and is challenging to balance simplicity, functional completeness and security by default. Join this interactive group exercise and work with users, maintainers and contributors to identify where different goals conflict in Keycloak today. As a group, we generate solution ideas on how Keycloak can improve and prioritize them, so they can make their way in the Keycloak product roadmap.

15:45 - 16:15

Token Hygiene – Why Your Keycloak Access Tokens Need a Diet

Main Room - Castle Hall
Keycloak's default token configuration is generous: roles, claims, metadata – everything lands in the Access Token right away. That's convenient and gets you started fast. But over time, tokens grow silently. They carry information that recipients don't need, shouldn't see, or that simply doesn't belong there. What starts as a comfort feature becomes a liability – bloated HTTP headers, tokens that leak internal structure to third parties, and a configuration that's hard to reconcile with GDPR's data minimization principle. Token hygiene means treating token contents as a conscious design decision, not as a default you never revisit. In this session, I'll walk through Keycloak's client scope and mapper configuration to show which claims actually belong in which token – and which don't. We'll look at practical strategies for keeping Access Tokens lean, including Token Exchange as a tool to issue purpose-built, audience-specific tokens for downstream services instead of forwarding one overloaded token everywhere. You'll leave with a clear understanding of how to configure Keycloak for minimal, GDPR-friendly tokens – where each recipient gets exactly what it needs, and nothing more.

16:15 - 16:45

Beyond the Redirect: Modernizing Keycloak for the TypeScript Era

Main Room - Castle Hall
For years, Keycloak has been the "Enterprise Identity Provider", secure but often disconnected from the modern frontend developer's workflow. While new libraries promise "easy auth" by running inside your app, they often sacrifice the battle-hardened security of a standalone IAM. I will demonstrate how we are bridging this gap. This talk dives into the new OAuth 2.1 Native App Flow and Headless UI patterns that allow developers to build pixel-perfect, framework-agnostic authentication without ever touching a raw password or a clunky redirect.

(to be announced after call for sessions)

Room 2 - Bridge Lab

16:45 - 17:00

Closing Remarks from adorsys

Main Room - Castle Hall

17:00 - 18:00

Business drinks

Snacks and drinks to network at the hotel.

What's included?

  • Talks from industry-leading speakers
  • FREE drinks, refreshments and lunch throughout the day
  • The “Wicked Keycloak Challenges and How to Resolve Them” session, sharing practical insights and solutions
  • Drinks and time to connect with friends and the community after the event wraps up

Venue

Location

Holiday Inn Prague
Na Pankráci 1684/15
140 00 Prague 4
Czech Republic

Directions

Please use Google Maps to find out how to get there.

Google Maps

A big 'Thank You' to our Organizers & Sponsors:

Get in Touch: marketing@adorsys.com