Recent Blog Posts

September 2, 2025

Passwordless Authentication with Passkeys in KEYCLOAK

It has been possible for quite a long time to authenticate with FIDO2/WebAuthn in Keycloak. But the user experience (UX) was very bad, as the user had to click several buttons and also had to enter a username.

Read more »

August 26, 2025

MFA via Email & SMS is NO proper MFA!!!

In this video I’ll explain why your desired MFA option through email and/or SMS text messages is NO proper multi-factor authentication!

Read more »

August 14, 2025

Keycloak DevDay 2026 Announcement and Call-for-Papers

We (Niko and Sebastian) are excited to announce the next edition of Keycloak DevDay! DevDay is expanding to a 2-day event taking place again in Darmstadt, Germany on March 5th and 6th, 2026.

Read more »

December 12, 2024

Understanding PKCE in OAuth 2.0: What, Why, and When to Use It

In this video, I break down PKCE (Proof Key for Code Exchange), a crucial enhancement to the OAuth 2.0 Authorization Code Grant. Learn how PKCE works, why it was introduced, and when it’s essential to ensure secure communication between your app and authorization server.

Read more »

November 27, 2024

KEYCLOAK Persistent User Sessions

Up to Keycloak v25, user sessions were only held in memory, which was a bit annoying when you had to restart the whole Keycloak cluster, because all the sessions were then gone and users had to re-authenticate. Struggling with an external Infinispan cluster was also not always the best option.

Read more »

All Blog Posts / Archive

Read all of my blog posts, find them either by tag or chronologically:

All blog posts chronological »

All blog posts by tags »