
Security Diaries of an Open Source IAM

For Keycloak, the open-source Identity and Access Management (IAM) system, 2025 has been a busy year with many new adopters, new security features, and security audits to handle. Join Keycloak maintainer Alexander Schwartz for an overview of what was delivered, some security anecdotes, and what’s ahead. We’ll dive deeper into Passkeys and the latest developments in OpenID Connect with FAPI and DPoP, which can make your applications more secure.


Alexander Schwartz

December 03, 2025

Transcript

  1. Security Diaries of an Open Source IAM
     Alexander Schwartz | Keycloak Maintainer
     OWASP Meetup Frankfurt/Main (DE) | 2025-12-02
     Slides:
  2. Keycloak is an Open Source Identity and Access Management System
     🎂 First commit 2013-07-02
     🏆 Cloud Native Computing Foundation incubating project since April 2023
     📜 Apache License, Version 2.0
     ⭐ 31k GitHub stars
  3. Unique selling proposition of an Open Source Identity and Access Management
     🏍 Walk away from your current provider (BATNA: you always have a best alternative to a negotiated agreement)
     🕵 Know what happens to your data (CLOUD Act)
  4. 🗓 2025 Security Diary of an Open Source IAM
     4 feature releases per year, each one adding to and improving:
     • Simpler to run
     • Better for your applications
     • Keeping your users’ identities safer
     • Hardened security features
     • Vulnerability management and bug bounty
  5. Simpler to run
     • Monitoring guide with SLOs and Grafana dashboard
     • Troubleshooting with OpenTelemetry tracing
     • Clustering that works in all environments and encrypts traffic by default
     • Rolling updates for patch releases
     • Network policies on Kubernetes
     • SAML metadata descriptors
  6. Better for your applications
     • Trusted email verification: re-use information when brokering with other identity providers
     • Application-initiated action to verify email addresses: trigger an email verification when your application needs it
     • Federated client authentication: never roll out client credentials manually again
  7. Kubernetes Service Account Token to authenticate Clients

     apiVersion: v1
     kind: Pod
     ...
     spec:
       serviceAccountName: <serviceaccount>
       ...
       volumes:
         - name: aud-token
           projected:
             defaultMode: 420   # 0644: readable by the container's user
             sources:
               - serviceAccountToken:
                   # the audience is the realm the client authenticates against;
                   # Keycloak checks it, so a token minted for anything else is useless here
                   audience: https://example.com:8443/realms/test
                   expirationSeconds: 600   # short-lived; kubelet rotates the file before expiry
                   path: my-aud-token

     https://www.keycloak.org/docs/nightly/server_admin/index.html#_identity_broker_kubernetes
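The client side of that Pod spec, as an added example in Go (not code from the slides or from Keycloak): it reads the projected token, checks audience and expiry before the token leaves the pod, and builds the RFC 7523 client_credentials request in which the service account token is sent as client_assertion instead of a client secret. The realm URL is the audience from the Pod spec; the mount path, the client ID my-client, and sending client_id alongside the assertion are assumptions about the setup, and the unsigned token used when no projected file exists is constructed for the demo.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
	"time"
)

// Assumed values: realmURL is the audience from the Pod spec above; the mount path
// and the client ID are placeholders for this example.
const (
	realmURL  = "https://example.com:8443/realms/test"
	tokenPath = "/var/run/secrets/tokens/my-aud-token"
	clientID  = "my-client"
)

// decodeClaims reads aud and exp from a compact JWT without verifying it: the signature
// is checked by Keycloak against the cluster's OIDC keys, the client only needs the claims.
func decodeClaims(token string) (aud []string, exp int64, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, 0, errors.New("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, 0, fmt.Errorf("payload: %w", err)
	}
	var raw struct {
		Aud json.RawMessage `json:"aud"`
		Exp int64           `json:"exp"`
	}
	if err := json.Unmarshal(payload, &raw); err != nil {
		return nil, 0, fmt.Errorf("claims: %w", err)
	}
	// Kubernetes emits "aud" as an array; accept the single-string JWT form too.
	if json.Unmarshal(raw.Aud, &aud) != nil {
		var one string
		if json.Unmarshal(raw.Aud, &one) != nil {
			return nil, 0, errors.New("aud is neither a string nor an array")
		}
		aud = []string{one}
	}
	return aud, raw.Exp, nil
}

// checkToken rejects a token that has expired or that carries any audience other than
// exactly this realm; a token valid for several audiences could be replayed at each.
func checkToken(token, audience string, now time.Time) error {
	aud, exp, err := decodeClaims(token)
	if err != nil {
		return err
	}
	if now.Unix() >= exp {
		return errors.New("token expired; re-read the projected file, kubelet rotates it")
	}
	if len(aud) != 1 || aud[0] != audience {
		return fmt.Errorf("audience %v is not exactly %s", aud, audience)
	}
	return nil
}

// tokenRequest is the RFC 7523 client-credentials body: the projected token takes the
// place of a client secret. client_id is sent as well because the token's sub names the
// service account, not the Keycloak client (an assumption about the client setup).
func tokenRequest(token, clientID string) url.Values {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_id", clientID)
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", token)
	return v
}

// unsignedToken is a constructed, unsigned JWT shaped like a projected token so the
// checks above can run outside a cluster; a real one is signed by the control plane.
func unsignedToken(aud []string, exp int64) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(map[string]any{"aud": aud, "exp": exp, "sub": "system:serviceaccount:default:<serviceaccount>"})
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	raw, err := os.ReadFile(tokenPath) // outside a pod this fails: fall back to the constructed token
	if err != nil {
		raw = []byte(unsignedToken([]string{realmURL}, time.Now().Add(10*time.Minute).Unix()))
	}
	token := strings.TrimSpace(string(raw))
	if err := checkToken(token, realmURL, time.Now()); err != nil {
		fmt.Println("refusing to send token:", err)
		return
	}
	fmt.Println("POST", realmURL+"/protocol/openid-connect/token", tokenRequest(token, clientID).Encode())
}
```

The exact-audience check is the part worth keeping: the projection in the Pod spec is what makes the token single-purpose, and a client that silently accepts a broader audience gives that property away.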
  8. Keeping your users’ identities safer
     • Passkeys with conditional UI for passwordless and phishing-resistant authentication
     • MFA with OTPs and recovery codes as a backup to access your apps when you lose your phone
     • Self-managed account details, update email flow, OIDC-compliant self-registration, …
  9. Passkeys with conditional UI
     Migrate your users seamlessly towards Passkeys by keeping the flow.
     Trick question: How many Passkeys does one user need?
  10. Hardened security features
      • FAPI 2.0 with security best practices (DPoP, PAR, mTLS)
      • OAuth 2.1 security profile (draft)
      • Standard token exchange
      • Authorization Grants (wip): trust relationship with external IdPs and STS services
  11. FAPI 2.0 Security Profile with security best practices
      • TLS 1.2 or later, DNSSEC, TLS certificate check, secure ciphers, STS
      • PKCE with S256 enforced, no resource owner password grant, no public clients, all endpoints secured with TLS
      • PAR: Pushed Authorization Request, where all parameters are sent directly to the server and are not visible in the front channel (the browser URL)
      • DPoP: include a proof of possession of a private key with each token, bound to the request URL plus a server-provided nonce
      • mTLS sender-constrained tokens, where the client ID matches the certificate subject and the token is bound to the certificate hash
  12. DPoP for public clients (outside of FAPI)
      Sender-constrained tokens in web browsers:
      • Create an ephemeral key pair in the browser
      • Use the WebCrypto API to keep it safe (a non-extractable key)
      • Use PKCE or DPoP to keep the authorization code safe
      • Use DPoP for refresh tokens as soon as your IdP supports it
      • Use DPoP also for access tokens when the APIs you call support it
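The two DPoP bullets above (URL-plus-nonce binding in the FAPI list, and the browser-client guidance on this slide) are easier to pin down in code. The Go program below is an added example, not the project's or the speaker's code: dpopProof is the client side (the ephemeral key is generated in process; in a browser the same key would be a non-extractable WebCrypto key) and verifyDPoP is the check a token endpoint or resource server performs, including the nonce, the ath binding to the access token, the iat window and jti replay. The 30-second window and the example URLs are assumptions; the access token value is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

func pad32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

func sha(s string) string {
	h := sha256.Sum256([]byte(s))
	return b64.EncodeToString(h[:])
}

// thumbprint (RFC 7638): the token endpoint stores it as cnf.jkt; a resource server compares it with the proof key.
func thumbprint(j map[string]string) string {
	return sha(fmt.Sprintf(`{"crv":"%s","kty":"%s","x":"%s","y":"%s"}`, j["crv"], j["kty"], j["x"], j["y"]))
}

// dpopProof is the client side: one fresh ES256 JWT per request binding method, URL (htu: no query or
// fragment), server nonce and, on resource calls, the access token hash (ath). A captured token is
// then useless without the private key, which never leaves the client.
func dpopProof(key *ecdsa.PrivateKey, method, uri, nonce, accessToken string, now time.Time) (string, error) {
	jwk := map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(pad32(key.X)), "y": b64.EncodeToString(pad32(key.Y))}
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk})
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand.Read does not fail on supported platforms
	claims := map[string]any{"jti": b64.EncodeToString(jti), "htm": method, "htu": uri, "iat": now.Unix()}
	if nonce != "" {
		claims["nonce"] = nonce
	}
	if accessToken != "" {
		claims["ath"] = sha(accessToken)
	}
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	return signing + "." + b64.EncodeToString(append(pad32(r), pad32(s)...)), nil
}

// seen holds used jti values so a captured proof cannot be replayed inside the iat window.
var seen = map[string]bool{}

// verifyDPoP is the server side: nonce is what this server last handed out ("" if it issues none);
// accessToken is "" at the token endpoint and the presented token at a resource server.
func verifyDPoP(proof, method, uri, nonce, accessToken string, now time.Time) (string, error) {
	parts := strings.Split(proof, ".") // always at least one element, so parts[0] is safe
	var hdr struct{ Typ, Alg string; Jwk map[string]string }
	raw, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk["crv"] != "P-256" {
		return "", errors.New("not a well-formed ES256 dpop+jwt with a P-256 key")
	}
	x, _ := b64.DecodeString(hdr.Jwk["x"]) // a garbled coordinate fails IsOnCurve below
	y, _ := b64.DecodeString(hdr.Jwk["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !pub.Curve.IsOnCurve(pub.X, pub.Y) || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature does not verify under the embedded jwk")
	}
	var c struct{ Jti, Htm, Htu, Nonce, Ath string; Iat int64 }
	if raw, err = b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", errors.New("bad claims")
	}
	switch {
	case c.Htm != method || c.Htu != uri:
		return "", errors.New("proof was made for another request")
	case now.Unix()-c.Iat > 30 || c.Iat-now.Unix() > 30:
		return "", errors.New("iat outside the accepted window")
	case c.Nonce != nonce:
		return "", errors.New("nonce mismatch; client must retry with the fresh nonce")
	case accessToken != "" && c.Ath != sha(accessToken):
		return "", errors.New("ath does not match the presented access token")
	case seen[c.Jti]:
		return "", errors.New("jti already used")
	}
	seen[c.Jti] = true
	return thumbprint(hdr.Jwk), nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	proof, _ := dpopProof(key, "GET", "https://api.example/me", "", "constructed-access-token", time.Now())
	fmt.Println(verifyDPoP(proof, "GET", "https://api.example/me", "", "constructed-access-token", time.Now()))
}
```

The returned thumbprint is what ties the two halves together: the token endpoint writes it into the token as cnf.jkt, and the resource server accepts the token only if the proof that arrives with it was signed by the key with that same thumbprint. Without the nonce and the iat window, a proof captured once could be presented again indefinitely, which is why neither check is optional in practice.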
  13. Authorization Grants (wip)
      Trust relationship with external IdPs and STS services
      https://github.com/keycloak/keycloak/issues/43152
  14. Not only security team work
      • Triaging bugs (14-day SLA)
      • Responses to security reports (7-day SLA)
      • Scanning with Trivy, CodeQL, Dependabot, …
      • Bug bounty on YesWeHack
  15. Access Token IDs have less than 128 bits of entropy
      “UUID.randomUUID() is used to generate values like authorization codes and token identifiers. While this produces 128-bit UUIDs, only ~122 bits are truly random, as 6 bits are fixed by the UUID specification (version and variant fields).”
      https://github.com/keycloak/keycloak/issues/38663
  16. CVE-2025-10939: Unable to restrict access to the admin console
      “The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. [...] it can be tricked to using relative/non-normalized paths…”
      => We disabled path normalization in Keycloak
  17. CVE-2025-7365: Phishing attack via email verification step
      “... an attacker with a registered account can initiate the process to merge accounts with an existing victim's account. The attacker will subsequently be prompted to "review profile" information, which allows the attacker to modify their email address to that of a victim's account. This triggers a verification email sent to the victim's email address. If the victim clicks the verification link, the attacker can gain access to the victim's account.”
  18. 2025 is great to host your own SSO/IAM/IdP. Let’s bring Keycloak to the community 📣 !
  19. Case Studies
      https://www.keycloak.org/case-studies
      • Hitachi Ltd. used Keycloak to make financial-grade security easier
      • OpenTalk achieves versatile and compliant user authentication with Keycloak
      • BRZ migrated the Austrian Business Service Portal with 2M+ users to Keycloak
  20. Links
      • Keycloak https://www.keycloak.org/
      • Case Studies https://www.keycloak.org/case-studies
      • Keycloak @ FOSDEM https://www.keycloak.org/2025/11/preparing-fosdem-2026
      Slides: