Are you correctly authenticated?

UMA 2.0 from the beginning: how to use it with bash

UMA 2.0 is known as a standard for delegating authorization. Keycloak is fully compatible with UMA 2.0.

With a bash tool developed by, let's see how to use UMA 2.0

This article explains what UMA 2.0 is, with an example using our new bash tool:

Posted on Fri 13 August 2021

Device code flow in Keycloak

Keycloak 13.0 now supports device code flow. Let's take a tour of how to use it.

Posted on Thu 06 May 2021

Action token for external user file download management

Action tokens are a particular type of token that allows unauthenticated users to perform some limited and predefined actions.

In this article we will see how to use them to create authenticated download links with a simple and short PHP script intended to run on shared web hosting.

Posted on Fri 09 April 2021

Authentication - feel the user experience

There are several methods for authentication: certificates, passwords, PIN codes, WebAuthn, one-time passwords...

Choosing an authentication method is not just a technical choice: it has a huge impact on security but also on User eXperience.

This article shows several demos, built with Keycloak, and lets you get a feel for the User eXperience of each authentication method.

Posted on Fri 02 April 2021

Action token, an idea for newsletter authentication

Action tokens are a particular type of token that allows unauthenticated users to perform some limited and predefined actions.

Usual use cases are:

  • E-mail confirmation
  • Credentials reset
  • Execute required action(s)
  • and any action relevant to the flow and your use cases...

This article explains what an action token is and how to use it to authenticate users from a link inside a newsletter.

Posted on Fri 08 January 2021

Keycloak.X as a service

A year ago, the Keycloak team introduced the Keycloak.X distribution:

We were very excited about this project:

  • Lighter
  • Easier to scale
  • Continuous delivery
  • and more...

Our infrastructure has now migrated to Keycloak.X. Any (free) account on our platform is now running on the Keycloak.X distribution.

Posted on Mon 22 December 2020

LDAP integration on Keycloak

A link between an LDAP directory and Keycloak could be considered a "must have". Companies often want to connect their directory to Keycloak. Keycloak could be considered an "OpenID Connect proxy" between web apps and an Active Directory.

Keycloak can retrieve users from LDAP and synchronize groups, roles or custom attributes. Let's take a complete tour of what you can do with this connector.

Posted on Mon 27 September 2020


Authorization code grant (also named "auth_code") is one of the most popular authentication methods on the web. Every OAuth2 provider implements this flow, which is the best for web authentication. Facebook, Google, Twitter, LinkedIn... all of them use it (or partially, we will explain why).

Posted on Wed 02 July 2020

(fr) Authorizing third-party services to access my API

Authorizing third-party services to access my API:

  • define roles per API pattern (Java Spring)
  • assign roles to users
  • define scopes: data and associated roles
  • expose your API: give the developer a Client
  • user consent: the "Consent Screen"
  • revoking user consent

Create a user account to follow the demos (email optional):
A second implementation, by an external client:
oauth server:
realmid: 122aa842-0cf0-48e6-a5bc-cca00254a9bb

Posted on Wed 23 April 2020

OpenVPN and Keycloak: Link your VPN Infrastructure with your SSO

OpenVPN allows the use of PAM modules. By using an OAuth2 client PAM module and password grant, we can use our own SSO (Keycloak) to authenticate users on a VPN infrastructure.
For OAuth2 providers which do not allow Password Grant, we will use "token authentication", providing a valid token instead of a password. Code and demo with Google as authentication provider.

Posted on Thu 2 April 2020

(fr) OAuth2 for ops

OAuth2 in the ops world:

  • setting up a Keycloak realm: clients, flows, roles
  • integration with apps that support OAuth2: demo with Grafana
  • Adding OAuth2 support to an app: Lua authentication proxy with Nginx for Jenkins (header-based authentication)
  • Lua authentication proxy with permission checks (introspection) for serving files
  • SSH/SFTP authentication using Direct Access Grant and a PAM module
  • Going further: Mappers in Keycloak, how to customize information and tokens

Posted on Wed 25 March 2020
