KeycloakCon Japan 2025

If you are tired of browser-based authentication, which relies on the traditional redirect model or browser pop-ups in native app scenarios, a proposed standard called OAuth 2.0 for First-Party Applications offers an alternative. This specification introduces an API-based authentication approach, allowing first-party apps to control the login experience based on information returned by the Identity Provider.

As a result, friction can be reduced, and potential user drop-off minimized, enhancing the overall user experience. Additionally, with Passkeys, both UX and security are further improved thanks to their phishing-resistant authentication, where the user can perform user verification (UV) using methods such as Face ID, Touch ID, or a PIN.

The purpose of this presentation is to review the specs and provide an overview of its benefits.

As organizations undergo digital transformation and adopt zero-trust security models, traditional role-based access control (RBAC) is becoming insufficient.
The new, volatile landscapes we face necessitate precise and context-based authorizations—thus the advent of attribute-based access control (ABAC) is here!This session will take IAM professionals through the real journey from RBAC to ABAC using Keycloak. We will highlight that it is possible to utilize an approach that eliminates static roles and also place policies on user attributes, resource exceptionalities, times, locations, etc. Participants will see real-world scenarios—like prohibiting financial transactions elevated by the age of an accounting account, or only allowing access to healthcare records when an active shift is scheduled—and how to design, deploy, and govern access control policies programmatically and at scale.The session will substantiate my experiences with building access control policies by addressing common struggles we all share—policy complexity, policy performance, etc.—and demonstrate how to extend Keycloak's policy authority into external policy engines for advanced policing. It aims to provide useful operational strategies and tested patterns for those either modernizing legacy technologies or creating cloud-centric applications to deliver compliant and secure access control.

OpenID Federation 1.0 provides a framework to build trust between a Relying Party and an OpenID Provider that have no direct relationship so that the Relying Party can send OIDC/OAuth requests to the OpenID Provider without being previously registered.

One primary use case is the trust between an Issuer and a Holder (Wallet) on W3C’s Verifiable Credential Data Model, which is getting a lot of attentions as an approach to realize the Digital Identity Wallet ecosystem.
Especially when high assurance level is needed like EU Digital Identity Wallet, OpenID Federation can provide a strong solution.

In this session:
Firstly I will explain OpenID Federation and the reason why it is important for Digital Identity Wallet ecosystem.
Then I will explain what types of roles Keycloak can play with OpenID Federation Trust Chain.
Also I will show a simple demo of client registration with OpenID Federation Trust Chain on Keycloak.