Recent Blog Posts
Understanding PKCE in OAuth 2.0: What, Why, and When to Use It
In this video, I break down PKCE (Proof Key for Code Exchange), a crucial enhancement to the OAuth 2.0 Authorization Code Grant. Learn how PKCE works, why it was introduced, and when it’s essential to ensure secure communication between your app and authorization server.
Read more »KEYCLOAK Persistent User Sessions
Up to Keycloak v25 user sessions where only held in memory, which was a bit annoying when you had to restart the whole Keycloak cluster, because all the sessions were gone then and users had to re-authenticate. Struggling with an external Infinispan cluster was also not always the best option.
Read more »KEYCLOAK Declarative User Profile
Working with custom user attributes was in past Keycloak versions sometimes a bit cumbersome and difficult. Mostly, you were just able to have a field during registration or not, but the default account console didn’t show custom fields at all. This has changed with the declarative user profile, which has been introduced with Keycloak 24.x (before, it was already available as a preview feature with limited functionality).
Read more »KEYCLOAK Transient Users
When working in Keycloak with external Identity Providers (no matter if social or not), Keycloak stores by default the authenticated user locally in its database. This might become problematic in terms of data minimization and data privacy control in context of GDPR or similar data protection laws. Removing stale users automatically from Keycloak is not possible out-of-the box and can become cumbersome.
Read more »KEYCLOAK Organizations and Multi-Tenancy in one Realm
With the new Organizations feature in Keycloak, it’s now possible to manage organizations within only one realm of Keycloak. Organizations can be e.g. some B2B structures, B2B2C approaches, or simple multitenancy how you need and like it. You can assign users to one or multiple organizations and also organization specific IdentityProviders so that users are automatically forwarded to their IdPs for authenticaton.
Read more »All Blog Posts / Archive
Read all of my blog posts, find them either by tag or chronological: