keycloak - Inero Software - Software Consulting

Secure Email Delivery in Keycloak 26.2 Using XOAUTH2

Andrzej Chybicki — Mon, 15 Sep 2025 10:48:22 +0000

Secure Email Delivery in Keycloak 26.2 Using XOAUTH2

Email has been one of the oldest and most fundamental services on the internet, used for notifications, password resets, verifications, and more. Over time we’ve seen major improvements — encryption via TLS, then STARTTLS, and now many providers are moving away from basic password authentication in favor of modern token-based schemes like XOAUTH2. With Keycloak 26.2, this evolution has arrived: Keycloak now supports XOAUTH2 for outgoing SMTP mail, adding greater security and compatibility with providers who have deprecated legacy authentication

1. What is XOAUTH2, and Why It Matters

XOAUTH2 is a means of authenticating to an SMTP (or other email-sending) server using an OAuth2 access token rather than a username + password. Some of the key benefits include:

- Improved Security: Tokens can be more tightly controlled, with limited scope and lifetime.
- Compliance with Modern Providers: Many providers are disabling basic auth.
- Centralised and Auditable Auth: Easier management and rotation. Each client’s access can be revoked independently of other clients’ operations.
- Reduced Risk of Credential Leakage: No raw passwords stored or transmitted.

2. How XOAUTH2 is Implemented in Keycloak 26.2

With version 26.2, Keycloak adds native support for XOAUTH2 when sending emails via SMTP. This means administrators can move away from static username and password credentials and instead configure Keycloak to obtain an OAuth2 access token at runtime.

In the Admin Console under Realm → Realm Settings → Email, you can now switch the Authentication Type from Password to Token (XOAUTH2). Once enabled, additional fields appear where you provide:

– Client ID and Client Secret from your identity provider (e.g., Azure AD).
– The OAuth2 Token Endpoint used to request an access token.
– Optional Scopes, depending on your provider (for Microsoft 365: https://outlook.office365.com/.default).
– A From address / SMTP username, which may still be required by the mail server.

Keycloak then handles the process of requesting and refreshing tokens using the Client Credentials Grant flow. You can use the “Test connection” button to verify that the configuration is correct and that emails can be sent successfully.

This approach aligns Keycloak with modern security standards and prepares deployments for providers that are phasing out legacy authentication.

Note: The Enable Debug SMTP option (visible at the bottom of the form) activates extended logging for outgoing email. When enabled, Keycloak produces detailed debug output of the SMTP communication, which can be very useful for diagnosing integration issues such as authentication failures, token retrieval problems, or TLS misconfigurations. It is recommended to use this setting only in testing or troubleshooting scenarios, as it may expose sensitive information in the logs.

Retirement of Basic Authentication for SMTP AUTH (Client Submission) in Exchange Online

Days

Hours

3. Why This Matters for Microsoft Azure / Office 365 Users

Microsoft has announced the retirement of Basic Authentication for SMTP AUTH (Client Submission) in Exchange Online. Starting March 1, 2026, Microsoft will begin phasing out Basic Auth, and by April 30, 2026, it will be completely disabled. This change directly impacts Keycloak deployments where outgoing emails are sent via Office 365 / Exchange Online SMTP.

If your Keycloak instance is still configured with a username and password for SMTP, it will stop working once Basic Auth is retired. The solution is to migrate to XOAUTH2 configuration in Keycloak 26.2.

By adopting XOAUTH2, you ensure:

- Continued compatibility with Microsoft email services
- Stronger security and compliance
- Reduced risk compared to static credentials

4. Beyond XOAUTH2?

There’s even more going on in modern email delivery. Many email delivery platforms steer away from traditional SMTP protocol towards API-based approach (e.g. MailJet, SendGrid or MailGun). This gives more flexibility to integrators and allows platform providers to offer additional features. API-based email sending is not jet supported by Keycloak out-of-the-box, but this support can be added via custom extensions. Contact us if you are interested in integrating Keycloak with API-based email delivery platforms.

Conclusion

The addition of XOAUTH2 support in Keycloak 26.2 is more than just a feature upgrade — it’s an essential step for organizations that rely on Office 365, Gmail, or other providers who are deprecating legacy authentication. By adopting XOAUTH2 today, you can future-proof your Keycloak deployment, comply with provider requirements, and improve overall email security.

Artykuł Secure Email Delivery in Keycloak 26.2 Using XOAUTH2 pochodzi z serwisu Inero Software - Software Consulting.

Configuring Password Policies in Keycloak

Marceli Formela — Thu, 20 Mar 2025 12:10:07 +0000

Effective password management is an important aspect of securing user accounts, and Keycloak provides tools to enforce strong authentication policies. By configuring password rules, administrators can ensure that credentials meet security standards, reducing the risk of unauthorized access. The framework offers flexible options, allowing you to set requirements for password length, complexity, expiration, and reuse prevention.

In this blog, we will first take a look at the built-in Keycloak mechanisms for password policy management. Then, we will explore the possibilities for customizing these mechanisms to better fit specific requirements.

Built-in policies

These built-in password policies in Keycloak allow administrators to enforce security rules to strengthen user authentication. Here’s a brief description of each policy:

Expire Password – Forces users to change their password after a specified period.
Hashing Iterations – Determines the number of iterations for password hashing to enhance security.
Not Recently Used – Prevents users from reusing their recent passwords.
Password Blacklist – Blocks specific passwords from being used, typically to prevent weak or common passwords.
Regular Expression – Allows enforcing a custom regex pattern for password validation.
Minimum Length – Sets the minimum number of characters required in a password.
Not Username – Prevents users from setting their username as a password.
Not Email – Prevents users from using their email address as a password.
Not Recently Used (In Days) – Prevents password reuse within a specified number of days.
Not Contains Username – Ensures the password does not include the username as part of it.
Special Characters – Requires passwords to contain at least one special character.
Uppercase Characters – Enforces at least one uppercase letter in the password.
Lowercase Characters – Requires at least one lowercase letter in the password.
Digits – Ensures the password includes at least one numeric digit.
Maximum Authentication Age – Sets a limit on how long authentication remains valid before requiring reauthentication.
Hashing Algorithm – Specifies the hashing algorithm used for password encryption.
Maximum Length – Defines the maximum allowable length for passwords.

Implementing custom policy using SPI

To implement a custom password policy in Keycloak, we should use the Service Provider Interface (SPI).

In this case, we define a custom password policy provider by implementing the PasswordPolicyProviderFactory interface:

				
					public class PasswordCustomPolicyProviderFactory implements PasswordPolicyProviderFactory {

	public static final Integer DEFAULT_VALUE = 1;
	public static final String MIN_PASSWORD_LIFETIME_ID = "minimumPasswordLifetime";

	@Override
	public String getId() {
    	return MIN_PASSWORD_LIFETIME_ID;
	}

	@Override
	public PasswordPolicyProvider create(KeycloakSession session) {
    	return new PasswordCustomPolicyProvider(session);
	}
[...]
}

Factory instantiates and returns a new instance of PasswordCustomPolicyProvider, which contains the actual validation logic for enforcing the minimum password lifetime. The MIN_PASSWORD_LIFETIME_ID constant serves as the unique identifier for this custom policy and DEFAULT_VALUE constant represents the default minimum password lifetime (in days) if no custom value is configured via admin console.

				
					public class PasswordCustomPolicyProvider implements PasswordPolicyProvider {
np.
   private static final String POLICY_VIOLATION_MESSAGE = "passwordLifetimeViolation";


   private final KeycloakSession keycloakSession;

   public PasswordCustomPolicyProvider(KeycloakSession keycloakSession) {
   	this.keycloakSession = keycloakSession;
   }


   @Override
   public PolicyError validate(RealmModel realm, UserModel user, String password) {
   	PasswordCredentialProvider credentialProvider = new PasswordCredentialProvider(keycloakSession);
   	PasswordCredentialModel credentialModel = credentialProvider.getPassword(realm, user);

   	if (credentialModel == null) {
       	return null;
   	}

   	long passwordCreationTime = credentialModel.getCreatedDate();
   	long currentTime = Time.currentTimeMillis();
   	long elapsedTime = currentTime - passwordCreationTime;

   	PasswordPolicy passwordPolicy = realm.getPasswordPolicy();
   	int minPasswordLifetimeDays = passwordPolicy.getPolicyConfig(PasswordCustomPolicyProviderFactory.MIN_PASSWORD_LIFETIME_ID);
   	long minPasswordLifetimeMillis = TimeUnit.DAYS.toMillis(minPasswordLifetimeDays);
   	return elapsedTime >= minPasswordLifetimeMillis ? null : new PolicyError(POLICY_VIOLATION_MESSAGE, minPasswordLifetimeDays);
   }
[...]
}

The PasswordCredentialProvider can access the stored password creation timestamp via the PasswordCredentialModel instance. It then computes elapsedTime as the difference between this timestamp and the current system time, representing how long the password has been in use.

Next, the PasswordPolicy object retrieves the password policy for the realm, extracts the minimum required password lifetime in days (minPasswordLifetimeDays), and converts it to milliseconds (minPasswordLifetimeMillis). The policy ensures that the password has been in use for at least the required duration. If this requirement is not met, a PolicyError is returned. The error message key is stored in POLICY_VIOLATION_MESSAGE, and its content can be customized within our theme. This allows us to define a user-friendly message that informs the user why the password change is restricted and how much time remains before a new password can be set.

In this way, we can define custom password policies in Keycloak when the default set of policies is insufficient for specific requirements. This flexibility allows for more granular control over user authentication and password management when we need it.

Customizing UI to improve user experience

By default, Keycloak displays unsatisfied password policies individually on the login page. This can be problematic for many users, especially when there are multiple policies that are not met. It can lead to a cluttered interface and make it harder for users to understand all the password requirements at once. To address this, you can customize the login screen to display a collective list of all unsatisfied password policies together, providing a clearer and more user-friendly experience.

				
					public class CustomFreeMarkerLoginFormsProvider extends FreeMarkerLoginFormsProvider {
/**
* Mapping between password policy provider IDs and custom messages
* Note: contains only standard policies that must be displayed in the UI
*/
private final Map<String, String> policyPropertyMessages = Map.of(
LengthPasswordPolicyProviderFactory.ID, MINIMUM_LENGTH_MESSAGE,
MaximumLengthPasswordPolicyProviderFactory.ID, MAXIMUM_LENGTH_MESSAGE,
DigitsPasswordPolicyProviderFactory.ID, MINIMUM_DIGIT_MESSAGE,
SpecialCharsPasswordPolicyProviderFactory.ID, MINIMUM_SPECIAL_CHAR_MESSAGE,
UpperCasePasswordPolicyProviderFactory.ID, MINIMUM_UPPERCASE_MESSAGE,
LowerCasePasswordPolicyProviderFactory.ID, MINIMUM_LOWERCASE_MESSAGE,
NotUsernamePasswordPolicyProviderFactory.ID, NOT_USERNAME_MESSAGE,
NotContainsUsernamePasswordPolicyProviderFactory.ID, NOT_CONTAINS_USERNAME_MESSAGE,
NotEmailPasswordPolicyProviderFactory.ID, NOT_EMAIL_MESSAGE
);

[...]

@Override
protected void createCommonAttributes(Theme theme, Locale locale, Properties messagesBundle,
UriBuilder baseUriBuilder, LoginFormsPages page) {
super.createCommonAttributes(theme, locale, messagesBundle, baseUriBuilder, page);
if (realm != null && realm.getPasswordPolicy() != null) {
attributes.put("passwordPolicies", getPasswordPolicyMessages(realm.getPasswordPolicy(), messagesBundle));
}}

[...]

private Map<String, String> getPasswordPolicyMessages(PasswordPolicy passwordPolicy, Properties messagesBundle) {
Map<String, String> policyMessages = new HashMap<>();
PasswordPolicy.Builder builder = passwordPolicy.toBuilder();
for (String policyName : passwordPolicy.getPolicies()) {
var value = builder.get(policyName);
String message = extractPolicyMessage(policyName, value, messagesBundle);
if (message != null) {
policyMessages.put(policyName, message);
}
}
return policyMessages;
}

[...]

/**
* Extracts a message for a given password policy from the messages bundle
* Note: Policy message is constructed by replacing the {0} placeholder with the policy value
*/
private String extractPolicyMessage(String policy, String value, Properties messagesBundle) {
String property = policyPropertyMessages.get(policy);
if (property == null) {
return null;
}
String policyMessage = messagesBundle.getProperty(property);
return policyMessage != null ? policyMessage.replace("{0}", value) : null;
}

The getPasswordPolicyMessages() function already collects the password policies from the PasswordPolicy and maps them to the appropriate messages from the message bundle. You can extend this function to display all unsatisfied policies in one collective message.

Password policies such as minimum length, required digits, special characters, etc., are mapped to messages via the extractPolicyMessage() method. Our service implementation will iterate through each policy and check if it’s satisfied. If not, the corresponding message will be displayed.

In your update-password.ftl page, you can display these unsatisfied policies as a list using FreeMarker.

				
					
    	<#if passwordPolicies?has_content>
        	<div class="${properties.kcAlertClass}">
            	<div class="${properties.kcAlertIconWrapperClass}">
                	<span class="${properties.kcAlertIconClass}"></span>
            	</div>
            	<span class="${properties.kcAlertTitleClass}">
            	${msg("passwordInstruction")} <br>
            	<#list passwordPolicies?keys as key>
                	<span class="${properties.kcAlertTitleClass}">&#x2022; ${passwordPolicies[key]}</span><br/>
            	</#list>
            	</span>
        	</div>
    	</#if>

Real world policy examples

Let’s see how password policies look in large companies.

Apple requires passwords to be at least eight characters long and must include both letters and numbers. Additionally, passwords cannot contain three or more consecutive identical characters and cannot be commonly used passwords.

Facebook enforces a minimum password length of more than six characters, although longer passwords are recommended. While Meta does not require the use of special characters or digits, it encourages creating complex passwords.

Microsoft passwords must be at least 8 characters long and contain at least two of the following types of characters: uppercase letters, lowercase letters, digits, and symbols. Additionally, it may block the ability to set a password that is too similar to the previous one.

Although these companies use different tools for authentication, it’s important to consider the security standards implemented in big real-world systems.

And despite the fact that these password policies are not extremely restrictive, users should still avoid using sensitive personal information, such as names, birthdates, or phone numbers, in their passwords. Additionally, it’s essential to avoid reusing passwords across different services, as this can lead to vulnerabilities in case one account is compromised. Employing two-factor authentication (2FA) and periodically reviewing password security are further steps users can take to enhance their protection.

Summary

As you can see now, Keycloak provides a set of default password policies that cover standard security rules, such as minimum length, complexity requirements, and password history. These built-in policies are sufficient in many cases, but if needed, there is the option to customize them to meet specific organizational requirements. Keycloak also allows the creation of custom password policies, providing greater control over security.

In addition to customizing policies, Keycloak enables modification of the user interface, which is especially useful when the default display of password policy violations, such as showing unmet requirements individually, does not meet our needs. In such cases, we can change how errors are presented or enrich the messages with additional details to make them more user-friendly.

With these options, Keycloak demonstrates a high level of flexibility, allowing full control over security policies and the user interface, making it a versatile solution for identity and access management. The ability to define custom rules and adjust components ensures that Keycloak is a scalable tool that can be easily tailored to the specific needs of an organization.

Artykuł Configuring Password Policies in Keycloak pochodzi z serwisu Inero Software - Software Consulting.

Setting Up Passwordless Login with Passkey on a Mobile Device

Marceli Formela — Wed, 12 Mar 2025 07:47:03 +0000

In our previous post, we demonstrated how to configure Passkeys in Keycloak, replacing traditional passwords with WebAuthn-based authentication. We covered the setup process, key advantages, and potential limitations, including the challenge of user adoption. This blog focuses on configuring Passkeys specifically for mobile devices, ensuring a seamless and secure passwordless experience.

Our first publication about Passkeys in Keycloak, you can find here: An introduction to Passkey with Keycloak

In this post, we’ll dive deeper into optimizing Passkey authentication in Keycloak, looking into a different approach, this time using more than one device.

Using a Passkey stored on a phone

When logging in on a different device, such as a laptop or desktop, users can authenticate using a Passkey stored on their phone. The process works as follows:

Selecting Passkey Login
Instead of entering a password, users choose the Passkey authentication option. The laptop’s browser generates a request for authentication. Now we have to establish a secure connection between your phone (e.g., iPhone) and your laptop.
Scanning a QR Code
The login interface generates a QR code, which users scan using their phone’s camera. Then the laptop sends a cryptographic challenge to the phone, asking it to sign a request using the stored passkey. The phone communicates securely with the laptop over Bluetooth or other close-range communication protocols (like NFC).
Confirming Identity
Once the phone receives the challenge, it asks the user for biometric authentication (e.g., Face ID or Touch ID). This verifies that the person attempting the login is the authorized user.
Secure Authentication
The laptop checks the response from the phone, verifying the cryptographic signature against the public key registered with the service. If the verification is successful, the user is logged in without having to enter a password.

Step by step: Configuring Passkey with a smartphone

Before we dive into our custom authentication flow, it’s important to check if the Webauthn Register Passwordless required action is enabled in the realm (Authentication -> Required actions tab).

This gives us, for example, the ability to enforce passkey configuration from users after their next successful login. However, it’s important to remember that this is just one of many ways to configure multiple authentication methods.

Once we confirm that this option is active, we can proceed with configuring the authentication flow.

This custom authentication flow for Keycloak is designed to demonstrate how users can choose between password-based authentication and passkey authentication (WebAuthn) during login. Here’s how it works:

- Users are required to provide their username to proceed with authentication.
- This step enforces authentication, but users can choose between password-based login or passkey-based login.
- If the user opts for password authentication, they enter their credentials here.
- If the user prefers passwordless authentication using passkeys, they can authenticate using this method instead.

In this step, users can enter their username or email to proceed with authentication. This is a required step, ensuring that the system identifies the user before offering authentication options.

At this stage, we can only use password authentication because we haven’t configured our Passkey (WebAuthn) yet. Once Passkey is set up, users will have the option to choose between password-based and passwordless authentication.

Instead of registering a device PIN as mentioned earlier, we will use authentication via a phone, specifically an iPhone, in this example

Now, a QR code should appear, allowing us to register a Passkey on our account. Let’s scan it using our phone’s camera and verify the operation, for example, using Face ID.

Now, our Passkey should be visible in the Credentials section.

During the next login, we should see the option to choose between password authentication and Passkey authentication.

This setup enhances user convenience by allowing them to pick their preferred authentication method. Passkeys provide a more secure and phishing-resistant login experience, while passwords remain available for users who prefer traditional authentication. With this flexibility, we can ensure both security and ease of access for different user preferences.

It is worth remembering that traditional passwords are a weak link in digital security, often compromised through reuse, phishing, or data breaches. Passkeys offer a modern, passwordless authentication method that enhances security and usability by leveraging cryptographic key pairs managed by platform authenticators. They provide phishing resistance, seamless multi-device access, and compliance with multi-factor authentication (MFA) standards.

Best Practices in Keycloak: Secure Your System in 5 Steps

Artykuł Setting Up Passwordless Login with Passkey on a Mobile Device pochodzi z serwisu Inero Software - Software Consulting.

Trusted devices in Keycloak

Marta Kuprasz — Thu, 06 Mar 2025 10:47:08 +0000

User authentication in IT systems requires finding a balance between convenience and security. On one hand, users expect the login process to involve the fewest steps possible; on the other, it is essential to protect system access from unauthorized use. One way to manage security levels flexibly is through the trusted devices mechanism, which allows users to reduce the number of required login steps for recognized and secure devices.

The stricter the security policy, the more inconvenient it becomes for users—this is the eternal dilemma for system administrators. Long and complex passwords, frequent password changes, and additional authentication factors enhance security but also lead users to find ways to bypass procedures—such as writing passwords down in notebooks or saving them in browsers.

Trusted Devices – How Does It Work?

By default, Keycloak does not recognize or remember devices, meaning each session is treated independently. However, with extensions, support for trusted devices can be added, allowing users to skip certain steps during subsequent logins.

CTO of Inero Software, Waldemar Korłub, emphasizes:

"Hence the concept of trusted devices – the first time, we need to go through all the steps, but afterward, the application can, for example, skip asking for the two-factor authentication code."

Once a device is marked as “trusted,” the system can retain its status for a specified period, allowing for a simplified login process. However, the user may still be periodically asked to reauthenticate to ensure security.

Is remembering devices secure?

While the trusted devices mechanism improves user convenience, it also introduces additional risks. The biggest threat is the theft or loss of a device that has been previously marked as trusted.

As Waldemar Korłub points out:

"If the system does not require an additional authentication factor, an attacker could gain access to all stored applications. That’s why it is crucial for users to have control over their trusted devices—ideally through a panel where they can remove them at any time."

Introducing a device management panel and the option to revoke a device’s trusted status in case of loss are essential elements for ensuring security.

How can administrators control access in Keycloak?

Administrators can restrict the device remembering mechanism, for example, to specific networks or corporate devices.

Waldemar Korłub explains:

"We can limit this mechanism, for example, to computers within the local network—if users connect via the corporate VPN, we can recognize company-owned devices and enable the trusted devices option for them."

Thanks to such solutions, organizations can prevent users from assigning trusted status to personal devices that are beyond their control.

Trusted Devices in Keycloak – Key Takeaways

- Trusted Devices Help Simplify Login but Require Proper Security Measures
  The trusted devices mechanism in Keycloak allows users to skip certain authentication steps, such as entering a 2FA code. While this is a convenient solution that streamlines daily operations, it also requires the implementation of appropriate security measures. It is essential to define the validity period of a trusted device and monitor changes in login behavior to prevent misuse.

- Administrators Can Control the Trusted Device Access Policy
  Not every device should be marked as trusted, which is why administrators can restrict this feature to corporate computers or require a VPN connection. This helps prevent situations where a user assigns trusted status to a personal computer that the organization cannot control.

- Device Management Panel Enhances Security
  To give users greater control over their sessions, it is beneficial to implement a panel that allows them to review and remove trusted devices. This way, in case of device loss or suspected unauthorized access, users can quickly revoke granted permissions.

- The Ability to Remove a Device Protects Against Account Takeover
  If a device is lost or stolen and the system does not require additional authentication, an attacker could gain access to the user’s account. That’s why it is crucial to allow the removal of trusted devices at any time and enforce reauthentication. This approach provides greater flexibility while reducing the risk of unauthorized account access.

When Should You Use the Trusted Devices Feature in Keycloak?

The trusted devices feature in Keycloak enhances login convenience while maintaining a high level of security. This functionality is particularly useful in corporate environments and BYOD (Bring Your Own Device) models, where users regularly log in from the same devices.

Marking a device as trusted reduces the number of two-factor authentication (2FA) prompts, extends session duration, and allows for dynamic security policy adjustments, such as requiring reauthentication for suspicious logins. This approach helps mitigate the risk of account takeover—even if an attacker obtains a password and 2FA code—since logging in from a new device may trigger additional verification.

Implementing trusted devices in Keycloak enables organizations to strike a balance between security and user convenience.

The trusted devices mechanism in Keycloak enhances login convenience without significantly compromising cybersecurity. Proper implementation of the device remembering policy in Keycloak helps balance system security and user experience.

However, administrators should ensure that mechanisms are in place for managing the list of trusted devices and enforcing periodic verification of their status to mitigate potential security risks.

We will help you implement Keycloak

Want to implement Keycloak or add new functionalities? Schedule a meeting to explore the possibilities.

Schedule a meeting

Artykuł Trusted devices in Keycloak pochodzi z serwisu Inero Software - Software Consulting.

An introduction to Passkey with Keycloak

Marceli Formela — Wed, 26 Feb 2025 08:11:28 +0000

Traditional passwords have long been a weak factor in digital security. They are often reused, easy to compromise, and vulnerable to phishing attacks. Passkeys offer a modern solution by replacing passwords with app-specific cryptographic key pairs managed by platform authenticators. Because passkeys involve multiple authentication touchpoints, they meet multi-factor authentication (MFA) requirements and align with multiple standards.

In this blog post, we’ll show you how to set up Passkeys based on the Keycloak configuration we’ve covered in previous posts (check Securing Java Spring Endpoints with Keycloak or Hands-On Keycloak SSO: From Setup to Integration). While passkeys promise a seamless and secure authentication experience, integrating them into an existing system can come with its own challenges. We’ll guide you through the basic setup process. If you’re looking to modernize your authentication strategy, this is the perfect place to start.

How it works

Passkeys are a passwordless authentication method designed to replace traditional passwords with a more secure and convenient alternative. Unlike passwords, which can be phished, stolen, or forgotten, passkeys eliminate these risks by using cryptographic key pairs stored in a trusted authenticator, such as a smartphone, another device, or a password manager. Instead of manually creating and remembering a password, users enable an authenticator to generate and manage a passkey for them. In general, a passkey consists of two parts:

- A public key, which is stored by the application
- A private key, which remains securely stored in the user’s authenticator

The private key never leaves the device, ensuring that even if the public key is compromised, accounts remain secure.

When logging in, the app sends a challenge to the authenticator.
The user verifies their identity using biometrics (Face ID, Touch ID), a PIN, or a password.
The authenticator signs the challenge with the private key and sends it back for verification.
If the signature is valid, access is granted – without ever needing a password.

Advantages of Passkeys

- Unlike passwords, passkeys can’t be stolen through phishing attacks. They are bound to a specific website or app, meaning they won’t work on fake login pages. Even if a user visits a phishing site, their passkey won’t be prompted and won’t sign them in, preventing credential theft.
- Users don’t have to manage multiple passwords across accounts. Logging in is as simple as using Face ID, Touch ID, or a device PIN.
- Passwords can be guessed, reused, or leaked—passkeys can’t. Even some 2FA methods (like SMS codes) are vulnerable to phishing and SIM-swapping, while passkeys are not. Since passkeys use public-key cryptography, they can’t be stolen or intercepted in a data breach.
- Passkeys are stored in platform authenticators (e.g., Google Password Manager, Windows Hello). They can be automatically synced across devices, ensuring access without manual transfers.

Limitations of Passkeys

- Not all websites and applications support passkeys yet, meaning users may still need to rely on passwords for some services.
- Losing access to a primary device or cloud account could lock users out, requiring recovery options like backup devices.
- Many users are still unfamiliar with passkeys, and the transition away from passwords requires education. Since passkeys don’t require manual entry, users may feel a lack of control over their credentials compared to traditional password management.

Configuring Passkey for the Realm

Keycloak provides flexible authentication options, traditionally relying on passwords and OTP-based multi-factor authentication (MFA). However, with the rise of passwordless security, Keycloak also supports WebAuthn Passwordless (Passkeys). In this setup, we will disable both passwords and OTP authenticators, ensuring that users can only log in using Passkeys.

The order of authenticators determines the login workflow in Keycloak. We keep the cookie authenticator to allow users to maintain active sessions. To support external authentication, we enable the Identity Provider Redirect, allowing users to log in via upstream providers like Google, or another Keycloak instance. Next, we configure the actual login form. By default, Keycloak’s browser flow includes username, password, and MFA authentication. We can disable everything in this section and replace it with a single step: adding a WebAuthn Passwordless Authenticator, ensuring that users can only log in using Passkeys. The final flow should look something like this:

Once the WebAuthn Passwordless Authenticator is set up, the next step is to bind the authenticator to the browser login flow.

Now, all that’s left is to force a password reset for our sample user by setting the required action to WebAuthn Register Passwordless.

After clicking the link in the received email, Keycloak will display a dialog instructing the user to register their passkey.

Just click to register the passkey.

Your device’s platform authenticator will appear showing available options for confirming the user’s identity. Let’s assume we want to use Windows Hello and confirm identity with a PIN code – the same that is used when logging into the Windows account.

The passkey should now be visible in the credentials section of the specified user.

Now we can go to the realm’s login page and try using our passkey instead of the standard username and password.

Your platform authenticator should appear again, offering to use the registered passkey.

Passkeys aren’t perfect, but their benefits outweigh their drawbacks for most users. As adoption increases, many of these limitations will be addressed. However, in the short term, users and organizations need to be aware of potential challenges when integrating passkeys into their authentication workflows. Organizations seeking to integrate passkeys into their authentication systems can leverage tools like Keycloak. By integrating passkeys into Keycloak, organizations can provide users with secure, passwordless access to applications while still benefiting from Keycloak’s major features like Single Sign-On (SSO), multi-factor authentication (MFA), and fine-grained access control.

Artykuł An introduction to Passkey with Keycloak pochodzi z serwisu Inero Software - Software Consulting.

Cybersecurity: More Than Just Antivirus Software

Marta Kuprasz — Tue, 18 Feb 2025 12:54:19 +0000

For many people, the first thing that comes to mind when talking about cybersecurity is antivirus software. However, modern cyber threats go far beyond traditional computer viruses. While antivirus software remains an important element of protection, an effective strategy for preventing attacks and minimizing the risk of data or financial loss must encompass a much broader range of tools and processes.

Cybercriminals have a vast arsenal of attack techniques and methods. In public discourse, terms such as phishing, ransomware, DDoS (Distributed Denial of Service) attacks, and social engineering are frequently mentioned.

On which threats should we focus in 2025?

Cybersecurity experts point out that these techniques continue to evolve and adapt to better target potential victims. In 2025, it is worth paying attention to three key areas:

Passkeys are replacing passwords

Passwords remain a weak link. With the rise of phishing and authentication attacks, companies are shifting to passkeys—biometric or cryptographic authentication methods that enhance security and user convenience. Tech giants like Google and Apple are leading this transition.

Phishing is becoming hyper-personalized

Generic phishing emails are a thing of the past. Attackers now use in-depth research and social media data to create highly targeted campaigns that appear legitimate. AI-generated messages mimic real conversations, making social engineering more effective. Organizations must invest in advanced detection and employee awareness to stay protected.

Deepfakes are a growing threat

AI-powered deepfake technology is becoming an increasing cybersecurity threat. Criminals use AI-generated profiles impersonating managers or other trusted individuals to bypass security measures and manipulate employees into revealing confidential information. One well-known method involves using filters during video calls to impersonate someone in real time. Companies must strengthen verification protocols and educate employees on detecting deepfakes.

When antivirus software is not enough

Antivirus software is designed to detect, block, and remove malicious programs such as viruses, trojans, and spyware. Its functionality relies on databases of known threats. However, cybercriminal techniques are evolving beyond the capabilities of traditional antivirus solutions. Attacks like phishing, ransomware, social engineering, and deepfakes are not directly linked to classic malware and often require more advanced protection methods.

How to stay secure?

First and foremost, by implementing modern authentication methods, identity management, and incident detection systems that can indicate potential attacks. This includes using multi-factor authentication (MFA), integrating with identity management systems like Keycloak, and monitoring activity through SIEM (Security Information and Event Management) tools. Such an approach enables real-time identification and response to unusual behavior that may signal a system compromise.

We wrote about why integrating Keycloak with a Security Information and Event Management (SIEM) system is worth considering here.

Start by structuring the process

A well-structured cybersecurity process begins with a thorough risk assessment and threat identification. At this stage, an organization inventories all IT assets, including devices, systems, applications, and data. It is crucial to determine which of these assets are the most sensitive and require special protection. Next, a risk analysis should be conducted to evaluate potential threats, their impact on business operations, and the likelihood of occurrence. This helps identify the key areas that require the most protection.

The next step is to develop a comprehensive security policy. This includes a set of rules and procedures governing all aspects of technology use within the organization—from password and access management to guidelines for mobile device usage and remote work. At this stage, it is essential to consider applicable legal regulations, such as GDPR, and industry standards.

Once policies are established, the next step is implementing the necessary security technologies and tools, such as the previously mentioned Keycloak. This stage involves integrating security measures like multi-factor authentication (MFA), data encryption, and IT infrastructure monitoring systems like SIEM (Security Information and Event Management). Simultaneously, mechanisms for regular software updates and data backups should be introduced to enable quick system recovery in the event of an incident.

When designing a cybersecurity process, it is important to recognize that humans are often the weakest link in security. Increasing employee awareness through training programs is critical. These programs educate staff on different attack techniques and real-world examples, helping them identify potential threats.

The final, but equally important, component is monitoring and incident response. Organizations should have clearly defined procedures for responding to security breaches, ensuring rapid detection, analysis, and mitigation of cyberattacks.

We will help you implement Keycloak

Schedule a meeting to learn how we can help you implement and fully manage Keycloak in your organization.

Schedule a meeting

Artykuł Cybersecurity: More Than Just Antivirus Software pochodzi z serwisu Inero Software - Software Consulting.

Behind the Scenes #2: Implementing email-based MFA in Keycloak

Marceli Formela — Thu, 13 Feb 2025 09:50:32 +0000

Keycloak natively supports many secure login solutions and comes with built-in one-time password (OTP) mechanisms, such as authentication via mobile apps like Google Authenticator or our solution AuthM8. However, if we want to use other advanced authentication methods and for example send OTP codes via email, then similar to SMS multi factor authentication (more details HERE), we need to implement this functionality ourselves. In this post, we’ll explore a custom MFA implementation that sends a one-time authentication code to the user’s email.

How does email-based MFA work?

The authentication process consists of two main stages:

- Generating and sending the MFA code

If the user already has an active cookie confirming a previous MFA verification, they should be immediately authenticated. Otherwise, Keycloak creates a new credential for the user and generates a one-time code based on configurable parameters like length or time-to-live. The code is stored in the user’s credentials and then is emailed using the email provider.

- Verifying the entered code

When a user submits the code, KC retrieves the stored credential and compares the entered value. If the code is correct and still valid (not expired), authentication is successful, and a cookie is set to remember the verification. If the code is incorrect, the user is prompted to re-enter it and if the code has expired, an error message is shown and the process must be restarted.

Email MFA: Pros and Cons

Email-based MFA offers additional security when the primary factor, such as a password, has been compromised. This is particularly helpful in cases where passwords are brute-forced or easily guessed, such as with common combinations like 123456. Similarly, this solution offers protection against credential stuffing, where attackers use leaked passwords from other breaches to attempt logging into account.

There are several other benefits to using email as a MFA:

- Email MFA does not require users to provide additional sensitive information, such as a phone number, reducing concerns about privacy.

- It does not require users to install a separate app or complete a complicated setup, which simplifies the process.

- Users are accustomed to providing their email for various purposes, such as receiving important account updates or resetting passwords. This familiarity makes it more accessible.

However, email as a delivery channel does have some drawbacks. If an attacker compromises your email (gains access to an email account through stolen credentials or by exploiting an active session.), they could potentially reset other accounts’ passwords as well. For users in vulnerable situations, such as those with access to shared devices, email-based MFA can still leave them exposed. As with any security measure, it’s essential to weigh the benefits against the potential risks and mix email MFA with other safeguards, such as strong passwords policy and secure email practices.

Implementing Email MFA

In this modified Browser Authentication Flow, we integrate our custom MFA as an additional authentication method. There are two new steps:

- MFA Email setup – this step ensures that email is set up and verified for the user before proceeding. If the user does not have a custom MFA Credential (which stores OTP codes as secrets), it will be set as well.

public class MfaEmailSetupAuthenticator implements Authenticator, CredentialValidator {
@Override
public void authenticate(AuthenticationFlowContext context) {
[…]
// Require email verification
if (!userModel.isEmailVerified()) {
userModel.addRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
}
// Add MFA email credential if not present
if (!getCredentialProvider(context.getSession()).isConfiguredFor(realmModel, userModel, MfaEmailCredentialModel.TYPE)) {
userModel.credentialManager().createStoredCredential(new MfaEmailCredentialModel(new MfaEmailCredentialData()));
}
[…]

- MFA Email Authentication – this is the actual authentication step where a one-time code is sent via email. Marked as Alternative, meaning it can be used instead of other MFA methods like mobile app OTP.

Here, you can see how the configuration of this authenticator could look like in the Keycloak authentication flow.

- Max Cookie Age this setting determines how long the MFA session (cookie) is valid. If the cookie is still valid, the user won’t be prompted for MFA.
- Time-to-live indicates the lifetime of the MFA code.

Now let’s take a look at the code.

The method below handles the MFA process itself. If a valid cookie exists (indicating that the user has already completed MFA), the method immediately returns success, meaning the authentication flow is complete without requiring additional actions.

@Override
public void authenticate(AuthenticationFlowContext context) {
if (hasValidCookie(context)) {
context.success();
return;
}
[…]

If there is no cookie, we should try to retrieve the user’s existing MFA credential from the credential provider. If the user doesn’t have one, a new instance is created using the MfaEmailCredentialModel which just extends the built-in CredentialModel:

[…]
// get existing credential or create a new one
CredentialModel credentialModel = getCredentialProvider(session)
.getDefaultCredential(session, context.getRealm(), user);
if (credentialModel == null) {
credentialModel = user.credentialManager().createStoredCredential(new MfaEmailCredentialModel(new MfaEmailCredentialData()));
}
[…]

Then the authenticate method reads configuration properties like code length and TTL (time-to-live). The code itself can be generated using some utils method and will be stored as the secretData in the credential model.

// generate and store code
int length = Integer.parseInt(configMap.get(CONFIG_CODE_LENGTH));
int ttl = Integer.parseInt(configMap.get(CONFIG_CODE_TTL));
String code = MfaEmailCodesUtils.generateCode(length);
credentialModel.setSecretData(code);
user.credentialManager().updateStoredCredential(credentialModel);
AuthenticationSessionModel authSession = context.getAuthenticationSession();
authSession.setAuthNote("ttl", Long.toString(System.currentTimeMillis() + (ttl * 1000L)));

In the end the sendCode method is called to send the generated code to the user’s email. If the email is sent successfully, the method presents the form where the user can enter the MFA code.

// send email and show input form
try {
MfaEmailCodesUtils.sendCode(session, user, ttl, code, configMap);
context.challenge(context.form().setAttribute("realm", context.getRealm()).createForm(TPL_CODE));
} catch (Exception e) {
context.failureChallenge(AuthenticationFlowError.INTERNAL_ERROR,
context.form().setError("mfaEmailNotSent", e.getMessage())  .createErrorPage(Response.Status.INTERNAL_SERVER_ERROR));
}

The second major part of our Authenticator is the action method which handles the validation of the code entered by the user. It is invoked when the user submits the input form after receiving the email.

The method retrieves the user’s credential from the provider and then the code is validated by checking it against the stored credential using the custom isValid method.

[…]
final MfaEmailCredentialModel credentialModel = getCredentialProvider(session)
        .getDefaultCredential(session, context.getRealm(), user);
boolean isValid = getCredentialProvider(session).isValid(context.getRealm(), user,
     new UserCredentialModel(credentialModel.getId(), getCredentialProvider(context.getSession()).getType(), enteredCode));
[…]

If the code is valid, the next step is to check if it is expired. We can also set a cookie that stores the MFA session to prevent the user from being prompted for MFA again during the cookie’s validity period.

[…]
// valid
HttpResponse response = context.getSession().getContext().getHttpResponse();
response.setCookieIfAbsent(createCookie(context));
context.success();
[…]

Of course, in this post, we will not cover the entire topic, omitting implementation details such as sending the code, generating the code, validation, and creating our custom cookie.

However, we have walked through the major steps of implementing 2FA using email-based codes. On the one hand, this approach offers a simple and accessible solution. Although it has its drawbacks, using it in solutions like Keycloak helps mitigate many of these vulnerabilities. Keycloak also provides the flexibility to combine email-based MFA with other security measures, creating a more layered and resilient authentication process that can help protect against evolving cybersecurity threats.

Do you need help configuring multi-factor authentication?

Schedule a meeting to find out how we can help you.

Schedule a meeting

Artykuł Behind the Scenes #2: Implementing email-based MFA in Keycloak pochodzi z serwisu Inero Software - Software Consulting.

Security Information and Event Management Systems: Why Is It Worth Adding Keycloak?

Marta Kuprasz — Thu, 06 Feb 2025 10:15:42 +0000

Security Information and Event Management (SIEM) systems enable the collection and analysis of data on user activity, system access, and cybersecurity events to detect threats and respond to incidents in real time. Identity and Access Management (IAM) systems, in turn, provide insights into user activity. In this blog, you’ll learn how Keycloak can support your SIEM system.

In the Report on the State of Cybersecurity in Poland for 2023 prepared by CSIRT GOV, it was indicated that among the threats persisting in the Polish cyberspace in 2023, which had a significant impact on risk assessment, social engineering attacks and brute-force attacks were particularly notable. Social engineering attacks involve manipulating users to gain unauthorized access to systems, while brute-force attacks rely on automatically attempting various password combinations to break security measures.

Proper identity management and log monitoring are key elements in protecting against such attacks. This is why integrating Keycloak with a SIEM system allows organizations to detect threats more effectively and respond to them immediately.

Why Is It Worth Integrating SIEM with Keycloak?

Every organization using a SIEM system aims to detect as many threats as possible and respond to incidents as quickly as possible. Information about who attempted to access systems, from where, and when can be crucial in identifying attacks and unauthorized login attempts. This is where Keycloak—a popular open-source IAM platform—can significantly enhance the SIEM ecosystem by providing valuable data on authentication, authorization, and session management processes.

Keycloak, developed by the Red Hat community, offers comprehensive solutions for authenticating and authorizing users in web applications, mobile apps, and backend services. We’ve covered it in detail https://inero-software.com/keycloak-services/

Keycloak can provide data on:

Login attempts – both successful and failed, along with information about the originating IP address.
Forced password resets and changes in access policies – allowing for monitoring of potential account takeover attempts.
User sessions – including unusual logins from new locations or devices.
Detected threats, such as suspicious multiple login attempts (e.g., brute-force attacks, which involve cracking passwords or cryptographic keys by trying all possible combinations).

The SIEM system, in turn, can analyze this data and correlate it with other events, such as:

Login attempts from unusual locations linked to suspicious network activity.
Multiple failed login attempts from a single IP address – a sign of a brute-force attack.
Sudden changes in user privileges associated with suspicious system access.

An example of effective integration can be seen in a situation where a user repeatedly enters an incorrect password within a short period. Keycloak logs this as suspicious activity. A SIEM system can then correlate this data with login attempts from different locations and take action, such as temporarily blocking the account or enforcing additional authentication.

How Do Keycloak and SIEM Work Together?

Keycloak and Security Information and Event Management (SIEM) systems serve different purposes in identity management and IT security, but they complement each other perfectly.

Feature	SIEM (Security Information and Event Management)	IAM (Identity and Access Management – Keycloak)
Main Function	Monitoring and analyzing security events	Managing user identities and access
Scope of Operation	Log collection, incident analysis, threat detection	Authentication, authorization, access control
Types of Data	System logs, network traffic, security alerts	User sessions, authentication logs, authorization requests
Mode of Operation	Aggregation and correlation of events from multiple sources	Verification of user identities and permissions
Primary Uses	Anomaly detection, incident response, compliance	Single Sign-On (SSO), identity federation, MFA
Examples of Threats	DDoS attacks, malware, privilege escalation	Brute-force attacks, account takeover, privilege misuse
Response to Threats	Alert generation, automatic blocking, reporting	Account blocking, enforcing MFA, session management
Integration with Other Systems	Yes – collects logs from SIEM systems, IDS, firewalls	Yes – integrates with LDAP, AD, databases, SIEM

How to Implement Keycloak?

Integrating Keycloak with a SIEM system enhances IT security by providing additional information about users and their activities. This allows organizations to detect threats more effectively and respond to incidents more quickly.

If you’re wondering how to implement and configure Keycloak for your organization, be sure to check out these articles:

These resources provide practical guidance on configuring and integrating Keycloak with various systems. Importantly, one of Keycloak’s key features is its ability to integrate with Lightweight Directory Access Protocol (LDAP) directories, which we covered in detail here: Exporting accounts to federated realms: A guide to Keycloak and LDAP Integration

There are many SIEM solutions available on the market, so it’s worth conducting a security audit within your organization before making a decision. Identifying potential vulnerabilities will help guide the selection and implementation of an appropriate incident management system, enhanced with Keycloak integration, to better monitor threats and strengthen data protection across your organization.

Do You Want to Implement Keycloak?

Benefit from our experience. We have completed numerous implementations for SMEs and large organizations. We’d be happy to discuss potential collaboration opportunities.

Schedule a Meeting

Artykuł Security Information and Event Management Systems: Why Is It Worth Adding Keycloak? pochodzi z serwisu Inero Software - Software Consulting.

Keycloak Migration Made Easy: Tips and Best Practices

Marceli Formela — Tue, 28 Jan 2025 12:57:28 +0000

Here we’ll explore the most significant changes introduced in recent Keycloak releases and how they impact migration efforts. We’ll walk through practical examples to resolve common challenges, ensuring a smooth transition to newer versions. Whether it’s adapting to updated configurations or managing deprecated features, this post should provide additional tips to streamline your Keycloak migration process.

Migrating to Quarkus distribution

One of the most challenging migrations for many users has been the upgrade to Keycloak 17, where the underlying architecture shifted from WildFly to the Quarkus framework. This transition marked a significant departure from the traditional application server model, requiring users to adopt a more modern, lightweight approach tailored to Quarkus. The way Keycloak is configured has fundamentally changed – rather than deploying it on an external application server, it now operates as a standalone application, which simplifies deployment.

For example, custom providers, which were previously packaged dynamically as modules for WildFly, now need to be rebuilt and adapted (as runtime is immutable), involving changes to dependencies, classloading, and packaging methods. This design simplifies deployments in environments like Kubernetes but demands a shift in workflows for teams accustomed to the WildFly solutions. While the move to Quarkus offers performance gains and a more modern development experience, it still requires careful planning and testing to ensure a smooth migration.

Key changes introduced in new releases

Migration introduces important changes that impact configuration, endpoints, and custom provider implementations:

HTTPS requirement for production mode – starting Keycloak with the command [keycloak_quarkus_root]/26.1.0/bin/kc.bat start now requires an HTTPS certificate, as the start option is intended for production use. For local development, the start-dev option should be used instead.
removal of /auth from base path – the /auth segment has been removed from the default base path. Applications relying on Keycloak endpoints must update their configurations to reflect this change.
realm ID changes – in previous versions, the realm ID was identical to the realm name. Starting from Keycloak 21, the realm ID is now a unique, system-generated value. Applications relying on realm IDs should account for this change during migration.
deprecation of userLocalStorage – custom providers using the userLocalStorage method of the KeycloakSession interface must switch to the users method, as userLocalStorage was deprecated starting from Keycloak 19.
transport jdbc-ping as new default – in the latest version of Keycloak (26.1.0), the default method for discovering other nodes within a cluster has shifted to using its database, rather than relying on just multicast. This change eliminates the need for additional network configurations, particularly in cloud environments.

Issues with major migrations

When migrating Keycloak, it’s highly recommended to upgrade version by version, rather than jumping several releases at once. This incremental approach allows you to identify and resolve issues as they arise, minimizing the risk of unexpected complications. Upgrading across multiple versions—especially if spanning a dozen or more releases—can significantly complicate the process due to accumulated changes, deprecated features, and architectural shifts like the move to Quarkus. By addressing compatibility and configuration adjustments one step at a time, you ensure better control over the migration and reduce downtime or disruptions in production environments.

However, in many cases, a large one-time migration—such as moving from Keycloak 12 directly to Keycloak 26—is unavoidable and becomes a challenge that teams must address effectively. This process often involves significant changes to both the Keycloak server and dependent applications, particularly frontend clients that rely on its APIs.

In this guide, we’ll outline a practical step-by-step approach to such a major migration.

Dockerfile configuration

In our example project, all custom themes and SPI (Service Provider Interface) extensions were directly copied into the base Keycloak image without a dedicated build process. So it was done in a standard Wildfly way.

FROM quay.io/keycloak/keycloak:12.0.2

COPY themes/custom-theme /opt/jboss/keycloak/themes/custom-theme
COPY api-extensions/target/spi-resource-0.0.1-SNAPSHOT.jar

ENTRYPOINT /opt/jboss/tools/docker-entrypoint.sh -b 0.0.0.0

The new approach could use a multi-stage process with separate containers like:

FROM eclipse-temurin:17-jdk as spi_builder
[…]
FROM quay.io/keycloak/keycloak:$BASE_IMAGE_TAG as keycloak_builder
[…]
FROM quay.io/keycloak/keycloak:$BASE_IMAGE_TAG

The SPI is built during the container build process using Maven. This approach ensures that the dependencies are fetched and the resulting JAR is optimized for deployment.

### Runtime dependencies build container
FROM registry.access.redhat.com/ubi9 AS runtime_dependencies_builder
RUN mkdir -p /mnt/rootfs

RUN dnf install --installroot /mnt/rootfs curl --releasever 9 --setopt install_weak_deps=false --nodocs -y \
&& dnf --installroot /mnt/rootfs clean all

### SPI build container
FROM eclipse-temurin:17-jdk as spi_builder
ARG BASE_IMAGE_TAG
WORKDIR /workspace/app

COPY api-extensions/mvnw .
COPY api-extensions/.mvn .mvn
COPY api-extensions/pom.xml .

# dos2unix:
RUN sed -i -e 's/\r//g' mvnw
RUN ./mvnw dependency:go-offline
COPY api-extensions/src src
RUN ./mvnw -o package -DskipTests

The new process copies multiple custom themes into the Quarkus-based Keycloak during the build stage, ensuring they are included in the final optimized runtime. So this approach improves startup performance and aligns with immutable container philosophy.

### Build container
FROM quay.io/keycloak/keycloak:$BASE_IMAGE_TAG as keycloak_builder
COPY --from=spi_builder /workspace/app/target/spi-resource-0.0.1-SNAPSHOT-jar-with-dependencies.jar /opt/keycloak/providers/

#Copy custom themes
COPY themes/custom-theme /opt/keycloak/themes/custom-theme

#Build an optimized server runtime
RUN /opt/keycloak/bin/kc.sh build

### Runtime container
FROM quay.io/keycloak/keycloak:$BASE_IMAGE_TAG
COPY --from=keycloak_builder /opt/keycloak/ /opt/keycloak/
WORKDIR /opt/keycloak
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

Basically, by leveraging multi-stage builds and lightweight images, the new process aligns with best practices for containerized deployments. You can find more details about these steps here: https://www.keycloak.org/server/containers.

Default /auth context path changed

With the transition to the Quarkus-based Keycloak distribution, the default context path has been modified—/auth is no longer part of the URL by default. This change aligns with Quarkus’s goal of providing a more streamlined and minimalistic approach to web applications, reducing unnecessary path prefixes.

For users or applications that still require the /auth context path, it can be reintroduced using the http-relative-path build option. For instance, running Keycloak with the following command restores the /auth context:

bin/kc.[sh|bat] start-dev –http-relative-path /auth

Or using a docker-compose way:

KC_HTTP_RELATIVE_PATH: /auth

This allows for compatibility with existing clients or configurations that rely on the /auth prefix. With the relative path specified, Keycloak will still automatically redirect requests from the root (e.g., localhost:8080/) to the /auth path (e.g., localhost:8080/auth). This ensures that applications or users accustomed to the previous URL structure continue to function as expected without requiring major changes.

Changes within provider management

With the shift to the Quarkus-based Keycloak distribution, there are significant changes in how custom providers (SPIs) are deployed and managed. In the WildFly-based distribution, custom providers were deployed by copying them into the standalone/deployments directory, and dependencies were also placed in specific locations within the WildFly server structure. However, in the new Quarkus distribution, this deployment model has been streamlined. Custom providers should now be copied into the /providers directory.

Additionally, Quarkus does not support the EAR packaging format or the jboss-deployment-structure.xml files, which were commonly used in the WildFly distribution to configure deployments and manage dependencies. As a result, the packaging process is simplified, but custom configurations previously made through these files must now be handled differently.

Furthermore, if custom providers utilized JavaEE APIs, such as session or stateless beans, these will no longer be supported in the Quarkus distribution.

Migrating custom themes

Old Keycloak relied on the FreeMarker template engine for rendering dynamic content in themes. This approach is still used in new releases (especially in v1 and v2 themes), but there have been updates to the template syntax and theme structure to align with the new Quarkus architecture. Custom templates may need to be revised to ensure compatibility with newer versions of FreeMarker, as the theme structure may have evolved.

Additionally, certain legacy template functions and macros that were present in, for example Keycloak 12, might have been deprecated or replaced with new, more efficient alternatives.

Custom themes that were previously customized are likely not optimized for dark mode. To avoid complications without having to rewrite them from scratch, the simplest solution is to add the appropriate option darkMode=false in the theme.properties file. Additionally, starting from version 26.1.0, the “Themes” tab now includes switches that allow for enabling dark mode on a per-realm basis.

Making new Keycloak server work with legacy frontend client

checkLoginIframe related issues

In one of our projects, we had to upgrade Keycloak by 14 versions. However, for various reasons, we couldn’t migrate the frontend, which was running on a rather old version of Angular and the keycloak-angular library. Therefore, we will now go through the tweaks we had to apply in order to restore the login process functionality.

Keycloak-angular is a wrapper library for keycloak-js that makes using it easier in Angular applications. It extends the original features with additional functionality and adds new methods to make it easier to use within an Angular app. It also provides a basic implementation of AuthGuard, allowing you to customize your logic by using the authentication logic. It’s also possible to use the HttpClient Interceptor, which adds an authorization header to selected HTTP requests.

"keycloak-angular": "^8.1.0",
"keycloak-js": "^12.0.4",

After integrating the new version of Keycloak (26.1.0) with the old frontend client, we encountered an issue after logging in, which manifested as follows:

This option specifies whether Keycloak should check the login status using an iframe. It should be used with caution, as improper configuration may lead to issues such as continuous page reloads. Newer versions of Keycloak may have improved or changed session management, particularly around cross-site cookies, authentication flows, or iframe handling (setupCheckLoginIframe, check3pCookiesSupported). These changes could affect how the frontend handles login states, especially if it is using deprecated methods for checking login states or processing callbacks.

Given the significant version gap between the frontend and the server, one useful approach might be to disable the setupCheckLoginIframe option, which could also help in situations where infinite redirect loops occur after the upgrade.

Here’s an example of how to disable it in your initialization:

function initializeKeycloak(keycloak: KeycloakService, permissionsService: PermissionsService) 
{
  return () =>
    keycloak.init({

   config: {
     url: environment.keycloakUrl,
     realm: 'test-realm',
     clientId: 'test-realm-web',
   },
   initOptions: {
        checkLoginIframe: false
   }
}).then(() => permissionsService.init());
}

Missing nonce claim

In newer versions of Keycloak, in accordance with the OpenID Connect Core 1.0 specification, the nonce claim is now only added to the ID token if the parameter was included in the authorization request. According to the specification, the nonce claim is mandatory in the ID token but should not be included in tokens after a refresh request. Previously, nonce was added to all tokens (Access, Refresh, and ID) in all responses, including refresh responses.

As a result, using an older version of the keycloak-js adapter may cause login issues, such as “Invalid nonce, clearing token” errors or an infinite redirection loop after login attempts. To resolve this, users can add the predefined “Nonce backwards compatible” mapper via the “By Configuration” button in the dedicated client scope. More information can be found in the official Keycloak documentation (https://www.keycloak.org/docs/latest/upgrading/index.html#nonce-claim-is-only-added-to-the-id-token).

Post-logout redirect URI issues

According to the release notes for version 18, Keycloak no longer supports the redirect_uri parameter for logging out. Instead, you need to use post_logout_redirect_uri along with either the client_id or id_token_hint parameter. In practice, this means when calling the logout function, you must replace redirect_uri with post_logout_redirect_uri. In our case (with legacy keycloak-js), the logout process can be implemented like this:

window.location.replace(this.keycloak['_instance']['endpoints'].logout() +
   '?post_logout_redirect_uri=' + encodeURIComponent(window.location.origin) +
   '&client_id=test-realm-web');

This change should resolve the most common issues with redirects after logging out of the application.

Summary

Over the past few years, Keycloak has undergone significant changes, particularly with the breaking changes introduced during the migration from WildFly to Quarkus. These changes were necessary for performance improvements, more efficient resource usage, and better scalability.

While the migration process can appear challenging, it is generally achievable, even when working with older clients. However, the ease of migration largely depends on the specific use case, especially the level of customization involved. For instance, if themes were highly customized in the previous version of Keycloak, adapting them to newer distributions may require more time and effort, as the structure and templating engines have evolved.

Similarly, integrations with legacy systems might need careful planning to ensure compatibility with newer versions of Keycloak. On the other hand, for standard setups with minimal customization, the transition is often smoother and quicker. The process of migration can also be supported by detailed documentation and a strong community, which has grown significantly in recent years.

Overall, while each migration project has its own challenges, with proper planning and testing, transitioning to a newer version of Keycloak is generally not so complicated, and the long-term benefits of the upgrade, such as improved performance and security features, make it worth the effort.

Are you planning to implement Keycloak in your organization?

If you're looking for a partner to provide comprehensive support in this process, be sure to contact us.

Schedule a conversation

Artykuł Keycloak Migration Made Easy: Tips and Best Practices pochodzi z serwisu Inero Software - Software Consulting.

Keycloak Integration Guide: Enabling Social Login with Multiple Platforms like Google

Marceli Formela — Wed, 11 Sep 2024 12:52:22 +0000

Last time we saw how to implement custom Keycloak themes and i.e. how it helps to prevent phishing attacks. In this guide, we’ll focus on how to enable social login using Keycloak, with a step-by-step approach to integrating platforms such as Google. Whether you’re looking to simplify authentication or enhance security, this guide will walk you through the essential steps to configure and manage social login in your application.

How does it work

The general idea of social login works is pretty straightforward as a concept: when users access our application, they can choose a social network provider, such as Google or Facebook, for authentication instead of manually defining login and passwords. Then the application sends a login request to the selected platform and once the social network confirms the user’s identity, the user is granted access to the application and is logged in immediately.

The user, who is not yet authenticated, tries to access a protected resource in a client application. Application redirects the browser to Keycloak which acts as the Identity Broker. and then redirects again to one of the Identity Providers.
A login page is presented with a list of available identity providers (such as Google, Facebook, etc.) based on the realm’s configuration.
The user selects an identity provider and then is redirected to the login page of the selected one, where they can provide their credentials. The identity provider’s setup, including connection properties, has already been configured by the admin via the admin console.
Upon successful authentication, the user is redirected back to Keycloak with an authentication response which eventually leads to retrieval of the access token.
Keycloak verifies the identity and creates a new user or skips this step if the user already exists.
Once Keycloak successfully authenticates the user, it issues its own token to allow access to the protected resource and redirects the user back to the client application.

Key benefits

Users can sign up and access your application in just a few clicks. Applications could use the profile data instead of having users manually enter this information into forms. This can potentially speed up and streamline the registration process.
Social login reduces the risk of weak password and offers enhanced security features like multi-factor authentication (MFA).
In many applications, users often don’t keep their profiles up-to-date. However, they typically ensure their information is current on their social network. So after implementing social login, we can assume that the user data we collected is reliable, as it pulls information directly from their frequently updated social profiles.
Social network providers often offer additional user data, such as location, interests and other beyond just basic profile information. By using this we can deliver personalized content to users more effectively. This allows for more targeted interactions and content recommendations.
The social network provider is often responsible for verifying the user’s email address. If the provider shares this information, you receive a valid email address rather than potentially fake ones that users might use when registering on web applications. Furthermore, the provider also manages the password recovery process, reducing the need for your application to handle these aspects, which simplifies user management.

The numbers generally show an improvement in conversion, and in some cases, very significant increases. In an article prepared by the Auth0 marketing team, it is stated that social login can increase registration rates by up to 50%*.

Our experience with the development of DocsQuality allows us to believe in the validity of these assumptions. After implementing social media login, we observed a several-fold increase in the number of new users.

Potential drawbacks

When considering social login methods in Keycloak, it’s important to weigh their potential drawbacks, which have led to a noticeable decline in their use recently. Here are some key concerns:

Although relatively rare, there’s a risk that a social login could become a single point of failure. If a user’s social media credentials are compromised, it could potentially give hackers access to your platform and any associated accounts.
Users often worry about how social media platforms handle their data. This concern can make them reluctant to grant additional apps access to their information, leading to decreased adoption of social login features.
Social login protocols like OpenID Connect are open and interoperable but can be challenging to implement. Even experienced developers may find integrating these standards into their applications time-consuming and complex.

To address security concerns, it’s important to promote good social media security practices among users. Encouraging strong, unique passwords and two-factor authentication for social media accounts can help mitigate these risks and enhance the security of social login methods. Fortunately, this last one is largely addressed by Keycloak, which simplifies the implementation of these protocols. Therefore, in our example, we’ll focus on utilizing Keycloak to streamline the social login process.

Adding social login

For this example, we will use the application we prepared in the previous blog post where we customize the themes. The initial view looks like this:

Now you can log in to one of the identity provider consoles, like GitHub in this case.

Navigate to Settings -> Developer settings -> OAuth Apps. Click New OAuth App and fill out the necessary information:

Application Name
Homepage URL
Authorization callback URL

The last one should be in the format /auth/realms//broker/github/endpoint. For testing purposes, we will try to do just local setup using 4200 and 8080 ports. Once the form is completed, click Register Application. GitHub will generate a Client ID and Client Secret.

Now go to the Keycloak admin console. In the realm, navigate to Identity Providers from the left menu. From the Add provider dropdown, select GitHub.

Paste the Client ID and Client Secret you received from GitHub. If needed, select additional options, such as storing the tokens issued by the provider (for example, for making further calls to resources that accept this token), automatically verifying email addresses, or initiating a specific authentication flow after successful login. After enabling the social provider in the console, the login page should look like this:

After clicking the GitHub button we should see a standard OAuth authorization request (this way social providers like GitHub can mark this app as a verified one and automatically allow your further login attempts).

After approving the authorization, we should be redirected to the application.

Conclusion

We walked through the entire process of registering an identity provider in Keycloak, and as you can see, it is quite simple. It’s also a great starting point for further learning OAuth protocol features, handling custom identity providers or providing Single Sign-On (SSO) solutions, which we will possibly explore in the next posts.

This approach not only simplifies the registration process and enhances security but also provides a consistent and manageable way to connect with various platforms. Although each provider may have specific configuration nuances, the overall setup process remains straightforward and largely similar across different websites. By reducing the barriers to entry for users and handling authentication efficiently and in a modern way, Keycloak enables a smoother and more secure user experience.

Artykuł Keycloak Integration Guide: Enabling Social Login with Multiple Platforms like Google pochodzi z serwisu Inero Software - Software Consulting.