KeycloakCon Japan 2025

Location:
Level 1 (across from elevators)

Please note we are unable to store any items overnight and cameras, laptop equipment or any other electronic devices cannot be stored in the cloakroom at any time.

In this talk, Marek will introduce the Keycloak project. He will talk about the history of the Keycloak, use of Keycloak and how can be Keycloak used to secure your applications. Marek will show the simple demo how to secure your application with Keycloak.

In this talk, Takashi investigates the possibility of integrating Keycloak with AI agents.
In the field of AI agents, Model Context Protocol (MCP) becomes a hot topic, which makes it easy for an AI agent/tool to connect internal/external services.

When an AI agent/tool implementing an MCP client accesses a remote external service implementing an MCP server, end user authentication and authorization is sometimes required. According to the MCP specification, OAuth 2.1 needs to be used for that, which implies that there is the possibility of using Keycloak for end user authentication and authorization because Keycloak supported OAuth 2.1.

Firstly, Takashi talks about MCP briefly and describes end user authentication and authorization of MCP in more detail. After that, the speaker shows the possible system configuration that includes Keycloak as a part of the MCP server.

In this keynote session, Michito Okai will explain how Hitachi uses Keycloak for real business. Keycloak has a wide range of functions, complies with various standard specifications, and has good performance. Therefore, Keycloak can solve the requirements of various industries such as banking, insurance, and the public sector and so on. In fact, Hitachi has realized a variety of use cases in real business to solve customer requirements by making full utilization of Keycloak.

Also, to make full utilization of Keycloak in real business, Hitachi has been working on community activities. For example, based on requirements from customers, Hitachi added new functions and made Keycloak compliant with standard specifications.

Keycloakify is an open-source tool that simplifies theming in Keycloak by enabling the use of modern frameworks like React, Angular, and Svelte.

It supports customization of login, account, admin, and email interfaces, with real-time previews and standard frontend tooling.

In this session, we’ll walk through how it works, how it’s used in production environments, and how it compares to Keycloak’s built-in theming system.

If you are tired of browser-based authentication, which relies on the traditional redirect model or browser pop-ups in native app scenarios, a proposed standard called OAuth 2.0 for First-Party Applications offers an alternative. This specification introduces an API-based authentication approach, allowing first-party apps to control the login experience based on information returned by the Identity Provider.

As a result, friction can be reduced, and potential user drop-off minimized, enhancing the overall user experience. Additionally, with Passkeys, both UX and security are further improved thanks to their phishing-resistant authentication, where the user can perform user verification (UV) using methods such as Face ID, Touch ID, or a PIN.

The purpose of this presentation is to review the specs and provide an overview of its benefits.

In this session, we will explain how we standardized and streamlined authentication flows to address the growing workload faced by engineers due to the rapid increase in authentication services.

To tackle the challenging task of building individual authentication flows for over 100 services, we adopted an implementation approach that defines authorization levels using role information and leverages attribute data stored in Keycloak.

By accurately linking user information with imported role data and standardizing authentication flows, we enabled faster updates to authorization systems. Additionally, we implemented centralized policy management for each client using OPA (Open Policy Agent) and policy language, significantly improving maintenance efficiency.

This session will provide practical and scalable design strategies and implementation methods for building robust systems that address au

We have launched a new service which monitors customers' systems.
It uses Keycloak to authenticate for customers and developers to use our service components, for instance, Grafana, ArgoCD, Backstage, Redmine, and so on.

So, Keycloak has personal information, and we have to manage it securely.
We're using Terraform to configure Keycloak, not for making mistakes due to creating by hand. And we don't want to encounter errors when running Terraform code from the developer's PC.
So we're running it from the CD agent. We use Cloud Build, a Google Cloud product, because it provides a private pool that allows us to use a specific IP address.

We'll introduce how to build this CD system and how to use Terraform in my session.

As organizations undergo digital transformation and adopt zero-trust security models, traditional role-based access control (RBAC) is becoming insufficient.
The new, volatile landscapes we face necessitate precise and context-based authorizations—thus the advent of attribute-based access control (ABAC) is here!This session will take IAM professionals through the real journey from RBAC to ABAC using Keycloak. We will highlight that it is possible to utilize an approach that eliminates static roles and also place policies on user attributes, resource exceptionalities, times, locations, etc. Participants will see real-world scenarios—like prohibiting financial transactions elevated by the age of an accounting account, or only allowing access to healthcare records when an active shift is scheduled—and how to design, deploy, and govern access control policies programmatically and at scale.The session will substantiate my experiences with building access control policies by addressing common struggles we all share—policy complexity, policy performance, etc.—and demonstrate how to extend Keycloak's policy authority into external policy engines for advanced policing. It aims to provide useful operational strategies and tested patterns for those either modernizing legacy technologies or creating cloud-centric applications to deliver compliant and secure access control.

Securing a single application with Keycloak and OIDC/OAuth 2.0 is straightforward, but what about complex microservice architectures, especially those incorporating AI capabilities? This session explores advanced patterns and best practices for leveraging Keycloak within distributed systems built with a specific focus on securing AI applications. We'll go beyond basic authentication and RBAC to implement fine-grained authorization for accessing and utilizing AI models using Keycloak Authorization Services. Topics include efficient token propagation between services (including those hosting AI models), securing service-to-service communication, handling multi-tenancy considerations for AI services, and integrating custom Keycloak policies to control access to sensitive AI functionalities and data. Learn how to build scalable, maintainable, and highly secure microservice ecosystems, including those leveraging AI, powered by Quarkus, Langchain4j, and Keycloak.

OpenID Federation 1.0 provides a framework to build trust between a Relying Party and an OpenID Provider that have no direct relationship so that the Relying Party can send OIDC/OAuth requests to the OpenID Provider without being previously registered.

One primary use case is the trust between an Issuer and a Holder (Wallet) on W3C’s Verifiable Credential Data Model, which is getting a lot of attentions as an approach to realize the Digital Identity Wallet ecosystem.
Especially when high assurance level is needed like EU Digital Identity Wallet, OpenID Federation can provide a strong solution.

In this session:
Firstly I will explain OpenID Federation and the reason why it is important for Digital Identity Wallet ecosystem.
Then I will explain what types of roles Keycloak can play with OpenID Federation Trust Chain.
Also I will show a simple demo of client registration with OpenID Federation Trust Chain on Keycloak.