Recent Blog Posts
Keycloak DevDay 2026 Announcement and Call-for-Papers
We (Niko and Sebastian) are excited to announce the next edition of Keycloak DevDay! DevDay is expanding to a 2-day event taking place again in Darmstadt, Germany on March 5th and 6th, 2026.
Read more »Understanding PKCE in OAuth 2.0: What, Why, and When to Use It
In this video, I break down PKCE (Proof Key for Code Exchange), a crucial enhancement to the OAuth 2.0 Authorization Code Grant. Learn how PKCE works, why it was introduced, and when it’s essential to ensure secure communication between your app and authorization server.
Read more »KEYCLOAK Persistent User Sessions
Up to Keycloak v25 user sessions where only held in memory, which was a bit annoying when you had to restart the whole Keycloak cluster, because all the sessions were gone then and users had to re-authenticate. Struggling with an external Infinispan cluster was also not always the best option.
Read more »KEYCLOAK Declarative User Profile
Working with custom user attributes was in past Keycloak versions sometimes a bit cumbersome and difficult. Mostly, you were just able to have a field during registration or not, but the default account console didn’t show custom fields at all. This has changed with the declarative user profile, which has been introduced with Keycloak 24.x (before, it was already available as a preview feature with limited functionality).
Read more »KEYCLOAK Transient Users
When working in Keycloak with external Identity Providers (no matter if social or not), Keycloak stores by default the authenticated user locally in its database. This might become problematic in terms of data minimization and data privacy control in context of GDPR or similar data protection laws. Removing stale users automatically from Keycloak is not possible out-of-the box and can become cumbersome.
Read more »All Blog Posts / Archive
Read all of my blog posts, find them either by tag or chronological: