Keycloak

Keycloak is an open-source identity and access management solution that provides features like single sign-on, social login, user federation, and more. Deploying Keycloak in a Kubernetes environment can offer scalability, reliability, and ease of management. This guide will walk you through deploying Keycloak using both Helm charts and the Keycloak Operator. What is Keycloak? Keycloak is an open-source identity and access management solution that helps secure applications and services by managing user identities and access. It supports protocols like OpenID Connect, SAML, and OAuth 2.0, making it a versatile choice for modern applications. ...

OAuth 2.0 Token Exchange is a mechanism that allows a client to exchange one valid access token for another, potentially with different scopes or audiences. This is particularly useful in microservices architectures where services need to communicate with each other securely and efficiently. What is OAuth 2.0 Token Exchange? Token Exchange is defined by RFC 8693. It provides a standardized way for clients to request tokens on behalf of other clients or resources. This can simplify token management and enhance security by reducing the number of tokens a client needs to handle. ...

Integrating Keycloak with Spring Boot for OAuth2 resource server protection is one of the most searched tasks in the IAM developer community — yet most tutorials stop at “hello world” level. This guide covers production-grade integration: JWT validation, Keycloak realm role extraction, multi-tenant setups, and integration testing strategies. Clone the companion repo: All working code in this guide is available at github.com/IAMDevBox/keycloak-spring-boot-oauth2 — includes Docker Compose for Keycloak, complete Spring Boot 3.x application, and integration tests with Testcontainers. ...

Keycloak and Ory represent two fundamentally different philosophies in open-source identity. Keycloak is a batteries-included monolith — deploy one service, get everything. Ory is a modular microservices ecosystem — deploy only what you need, build your own UI. This comparison covers architecture, features, authorization, deployment, and when each approach wins. At a Glance Keycloak Ory Architecture Monolith (Java/Quarkus) Microservices (Go) License Apache 2.0 Apache 2.0 GitHub Stars ~25,000 (1 repo) ~39,000 (4 repos combined) Built-in UI Yes (admin + login pages) No (headless, API-first) SAML Support Yes (native) Enterprise only (Ory Polis) LDAP Federation Yes No Authorization UMA 2.0 + policies Zanzibar ReBAC (Keto) Multi-tenancy Realms (production-ready) Enterprise/Ory Network only Managed SaaS No official offering Yes (Ory Network) Min Resources ~512 MB RAM (JVM) ~128 MB RAM per service Architecture Keycloak: The Monolith Keycloak is a single Java application that handles everything: OIDC, SAML, user management, admin console, themes, session management, and authorization services. One deployment, one process, one configuration. ...

Running Keycloak in Docker for development is straightforward. Running it in production requires careful configuration of database pooling, reverse proxy headers, JVM tuning, health checks, and security hardening. This guide provides copy-paste Docker Compose configurations for Keycloak 26.x that are production-ready. Clone the companion repo: All configurations from this guide are available as a ready-to-run project at IAMDevBox/keycloak-docker-production. Clone it, copy .env.example to .env, set your passwords, and run docker compose up -d. ...

Keycloak and Authentik are the two most popular open-source identity platforms for self-hosted deployments. Keycloak brings enterprise maturity with 25,000+ GitHub stars and CNCF backing. Authentik brings modern developer experience with 20,000+ stars and rapid community growth. This comparison covers architecture, features, deployment, and when each is the right choice. At a Glance Keycloak Authentik Language Java (Quarkus) Python (Django) + Go outposts License Apache 2.0 MIT (core) + Enterprise License Database PostgreSQL, MySQL, Oracle, MSSQL PostgreSQL only GitHub Stars ~25,000 ~20,200 First Release 2014 2020 (originally “Supervisr”, 2018) Backing Red Hat / IBM, CNCF Incubating Authentik Security (Open Core Ventures) Multi-tenancy Realms (production-ready) Brands (cosmetic) + Tenants (alpha) FAPI Certified Yes (1.0 Advanced, all 8 profiles) No Min Resources 2 CPU / 2 GB RAM 2 CPU / 2 GB RAM Latest Version 26.x 2025.12.4 Architecture Keycloak Keycloak runs on the Quarkus framework (Java). A single binary handles all protocol endpoints (OIDC, SAML, LDAP), admin console, and account console. It stores sessions and configuration in an embedded Infinispan cache with database persistence. ...

Keycloak is the established open-source IAM platform with 41,000+ GitHub stars and CNCF backing. Zitadel is the challenger — a Go-based, event-sourced platform growing rapidly at 13,000+ stars. This comparison covers architecture, features, operations, and when each is the better choice. At a Glance Keycloak Zitadel Language Java (Quarkus) Go License Apache 2.0 AGPL-3.0 (v3+) GitHub Stars 41,000+ 13,000+ CNCF Status Incubating Not a CNCF project First Release 2014 2019 Maintainer Red Hat CAOS AG (Switzerland) Architecture Stateful (Infinispan cache) Stateless (event-sourced) Database PostgreSQL, MySQL, MariaDB, Oracle, MSSQL PostgreSQL only Cloud Offering Red Hat Build of Keycloak (subscription) Zitadel Cloud (free tier: 100 DAU) Architecture Keycloak Keycloak runs on Java/Quarkus with Infinispan for distributed session caching. A production deployment requires Keycloak nodes + an external database + Infinispan cluster configuration. Nodes are stateful — they hold session data in memory, requiring sticky sessions for optimal performance. ...

The redirect_uri mismatch is the second most common OAuth error after invalid_grant. Every OAuth provider requires that the redirect URI in your request exactly matches a pre-registered value — and “exactly” means character-for-character, including trailing slashes, ports, and protocol. This guide covers every cause and provider-specific fix. Quick Diagnostic: Which Provider Error Are You Seeing? Error Message Provider Jump To Invalid parameter: redirect_uri Keycloak Keycloak Callback URL mismatch Auth0 Auth0 redirect_uri must be a Login redirect URI in the client app settings Okta Okta AADSTS50011 Azure AD / Entra ID Azure AD Error 400: redirect_uri_mismatch Google Google The redirection URI provided does not match a pre-registered value ForgeRock AM ForgeRock redirect_mismatch AWS Cognito AWS Cognito Every Cause of redirect_uri Mismatch Before checking provider-specific fixes, work through this checklist. Most mismatches fall into one of these 10 categories: ...

Keycloak session errors are the most common source of unexpected logouts. Your application works perfectly in development, then users report being logged out randomly in production. The token refresh returns invalid_grant with a cryptic error_description like “Session not active” — and the Keycloak admin console shows no obvious misconfiguration. This guide explains every Keycloak session type, how their timeouts interact, and how to fix each session error. Quick Diagnostic: Which Error Are You Seeing? error_description Jump To Session not active SSO Session Expired Token is not active Refresh Token Expired Session doesn't have required client Cache Eviction Offline session not active Offline Session Expired Client session not active Client Session Expired authentication_expired in redirect URL Authentication Session Timeout All of these appear as invalid_grant in the OAuth error response: ...

Keycloak LDAP integration fails silently with generic error messages. The admin console shows “Connection refused” or “Test authentication failed” without revealing the actual cause. This guide catalogs every Keycloak LDAP error with exact log messages, Active Directory sub-codes, and fix commands. For initial LDAP setup instructions, see Keycloak User Federation with LDAP and Active Directory. Quick Diagnostic: Which Error Are You Seeing? Admin Console / Log Message Jump To Connection refused Connection Errors LDAP: error code 49 Bind / Authentication Errors SSLHandshakeException: PKIX path building failed TLS / SSL Errors Test Connection passes, Test Authentication fails TLS / SSL Errors PartialResultException: Referral Search and Sync Errors SizeLimitExceededException Search and Sync Errors Sync shows 0 imported, 0 updated Search and Sync Errors LDAP: error code 53 - WILL_NOT_PERFORM Password Change Errors Groups sync but clicking a group raises errors Group Mapper Errors Connection Errors Connection Refused javax.naming.CommunicationException: ldap.example.com:389 [Root exception is java.net.ConnectException: Connection refused] Causes (in order of likelihood): ...

CORS errors are the most frustrating errors in OAuth development. The browser blocks your request, the error message is generic, and the actual cause could be any of 8+ different scenarios. This guide covers every CORS error you’ll encounter in OAuth 2.0 and OIDC flows, with exact browser error messages and provider-specific fixes. Quick Diagnostic: Which Error Are You Seeing? Browser Console Error Jump To No 'Access-Control-Allow-Origin' header on /authorize Scenario 1: Calling /authorize via fetch No 'Access-Control-Allow-Origin' header on /token Scenario 2: Token endpoint CORS AADSTS9002327: Cross-origin token redemption Scenario 3: Azure AD SPA registration CORS error only after session timeout Scenario 4: Keycloak error response bug wildcard '*' when credentials mode is 'include' Scenario 5: Wildcard with credentials Response to preflight request doesn't pass Scenario 6: Preflight failures CORS error on /revoke endpoint Scenario 7: Token revocation Everything works except in production Scenario 8: Proxy/CDN stripping headers Which OAuth Endpoints Support CORS? Before debugging, know which endpoints are designed to accept cross-origin requests: ...

The invalid_grant error is the most common and most confusing OAuth error. It appears during token exchange or refresh token requests, but the same error code covers 18+ different root causes. This guide catalogs every known cause with provider-specific error messages and exact debugging commands. Quick Diagnostic Checklist When you encounter invalid_grant, work through this list in order: Read the error_description — most providers include specific details Is the authorization code fresh? — Exchange immediately, never retry with the same code Does redirect_uri match exactly? — Check trailing slashes, protocol, port Is the PKCE code_verifier correct? — Verify the stored value matches the challenge Are client credentials correct? — Verify client_id and client_secret for the right environment Is the refresh token still valid? — Check idle timeout, absolute lifetime, rotation Has the user’s password changed? — Password resets invalidate tokens on most providers Is the server clock in sync? — Run ntpdate -q pool.ntp.org Check IdP logs — Keycloak events, Auth0 logs, Azure AD sign-in logs Is Google app in “Testing” mode? — Tokens expire after exactly 7 days All Causes of invalid_grant Authorization Code Issues Expired code — Authorization codes have short lifetimes: ...

Keycloak Realm Federation allows you to connect multiple identity sources within a single Keycloak realm, enabling unified authentication and authorization. This means you can manage users and their access across different directories and systems through a single interface, simplifying identity management and enhancing security. What is Keycloak Realm Federation? Keycloak Realm Federation lets you integrate various identity sources, such as LDAP, Active Directory, and social logins, into a single Keycloak realm. This integration enables seamless user authentication and authorization across different systems without duplicating user data. ...

The IAM (Identity and Access Management) market offers dozens of platforms ranging from open source solutions to enterprise SaaS products. This guide compares the major IAM platforms across features, pricing, deployment models, and use cases to help you choose the right solution. Quick Comparison Matrix Platform Type Best For Pricing Model OIDC SAML MFA Social Login Keycloak Open Source Self-hosted control Free (infra costs) Yes Yes Yes Yes Auth0 SaaS Developer experience Per MAU Yes Yes Yes Yes Okta SaaS Enterprise workforce Per user/month Yes Yes Yes Yes ForgeRock/Ping Enterprise Large enterprise Custom contract Yes Yes Yes Yes AWS Cognito Cloud AWS ecosystem Per MAU Yes Yes Yes Yes Azure Entra ID Cloud Microsoft ecosystem Per user/month Yes Yes Yes Limited Head-to-Head Comparisons These detailed comparison articles analyze specific platform matchups with pricing, features, and real-world decision criteria. ...

Choosing an Identity and Access Management (IAM) platform is one of the most consequential infrastructure decisions you will make. The platform you pick will touch every application, every user login, every API call, and every compliance audit for years to come. In 2026, three platforms dominate the conversation: Keycloak, Auth0, and Okta. I have deployed and managed all three in production environments ranging from startup MVPs to enterprise systems handling millions of authentications per day. This guide is the comparison I wish I had when I started evaluating these platforms. ...

Keycloak is the most widely adopted open-source Identity and Access Management (IAM) platform in the world. Backed by Red Hat and used by organizations ranging from startups to Fortune 500 companies, it provides enterprise-grade authentication and authorization without per-user licensing fees. This guide covers everything you need to know about Keycloak – from your first Docker container to a production-ready, highly available cluster. Whether you are evaluating Keycloak for a new project, migrating from a commercial IAM vendor, or looking to deepen your expertise, this page links to every Keycloak resource on this site and provides the context to navigate them effectively. If you are completely new, start with Getting Started with Keycloak and come back here as a reference. ...

Keycloak Admin REST API is a set of endpoints that allows administrators to manage Keycloak realms, users, clients, and other resources programmatically. This API provides a powerful way to integrate Keycloak into your existing systems and automate repetitive tasks. What is Keycloak Admin REST API? Keycloak Admin REST API is a set of endpoints that allows administrators to manage Keycloak realms, users, clients, and other resources programmatically. This API provides a powerful way to integrate Keycloak into your existing systems and automate repetitive tasks. ...

Choosing an identity platform is a 5-year commitment. Switching costs are high — every application integration, every custom policy, and every user credential is tied to your IdP. Pick wrong and you’ll either overpay for years or hit scaling walls that require a painful re-platforming. This framework gives you a structured approach to the decision, based on factors that actually matter rather than vendor marketing. The Decision Matrix Score each platform 1-5 on these factors, weighted by your organization’s priorities: ...

Upgrading Keycloak across major versions is one of those tasks that looks simple on paper — download the new release, start it up, let Liquibase handle the database — but reliably creates production incidents when done without preparation. Between versions 21 and 26, Keycloak introduced several breaking changes that affect clustering, theming, SPIs, and configuration format. This guide covers what actually breaks at each version boundary and how to handle it. ...

Not every organization wants to move from ADFS to Microsoft Entra ID. Some want to stay vendor-neutral, keep identity infrastructure on-premises, or simply avoid per-user licensing costs. Keycloak fills that gap — it handles SAML 2.0, OIDC, and integrates directly with Active Directory via LDAP federation. The migration isn’t trivial, though. ADFS and Keycloak have different architectural models, and some ADFS features don’t have direct Keycloak equivalents. This guide covers the practical steps, common blockers, and configuration patterns you’ll need. ...