Identity & Access Management 2026
Keycloak Hardening
Enterprise IAM Security
SSO, MFA, brute-force protection, session management & GDPR compliance. Protect your identity provider.
Protocols: OAuth 2.0, OpenID Connect, SAML 2.0, LDAP/AD
Why Keycloak Hardening?
Keycloak is the central Identity Provider (IdP) for your organization. A compromised Keycloak enables access to ALL connected services. IAM security is critical for Zero Trust.
⚠️ Risks of an Insecure IAM
- Single point of failure for all services
- Lateral movement to all connected apps
- Data breach of all user data
- GDPR violations (PII in tokens)
- Compliance audit failures (SOC 2, ISO 27001)
Multi-Factor Authentication
- TOTP: Google/Microsoft Authenticator
- WebAuthn: YubiKey/FIDO2
- OTP Email: email-based (fallback)
MFA Flow Configuration (Realm Settings)
# Authentication Flow: Browser → Conditional OTP
1. Cookie
2. Kerberos (optional)
3. Identity Provider Redirector
4. Forms
   ├── Username/Password Form
   └── Conditional OTP
       ├── Condition - User Configured
       ├── OTP Form (if configured)
       └── WebAuthn (if registered)
# Required Actions for new users:
- Verify Email
- Update Profile
- Configure OTP (TOTP)
- WebAuthn Register
Brute-Force Protection
Security Defenses
Login Failures
- Max 5 failed attempts per IP
- 15-minute temporary lockout
- Exponential backoff
- CAPTCHA after 3 failures
Account Lockout
- Permanent lock after 10 failures
- Admin unlock required
- Email notification to user
- Audit log entry
Docker Compose with Security Settings
services:
  keycloak:
    image: quay.io/keycloak/keycloak:25.0
    command: start --optimized
    environment:
      # NOTE: brute-force protection, session timeouts and the password policy are
      # realm-level settings. Keycloak does not read them from server environment
      # variables (names such as KC_SPI_LOGIN_FAILURE_FACTORY_* are not server
      # options); set them per realm in the admin console or import them with
      # `start --import-realm`. Realm values used on this page (realm export names):
      #   bruteForceProtected=true, failureFactor=5, waitIncrementSeconds=900,
      #   maxFailureWaitSeconds=900, maxDeltaTimeSeconds=43200 (failure reset time)
      #   ssoSessionMaxLifespan=36000, ssoSessionIdleTimeout=1800, rememberMe=true
      #   passwordPolicy="length(12) and upperCase(1) and lowerCase(1) and digits(1)
      #     and specialChars(1) and notUsername(undefined) and notEmail(undefined)"
      # Transport security (server options)
      - KC_HTTP_ENABLED=false
      - KC_HOSTNAME_STRICT=true
      # hostname-strict requires the public hostname; placeholder value, not from the page
      - KC_HOSTNAME=https://sso.company.com
      # KC_HOSTNAME_STRICT_HTTPS was removed with hostname v2 (the default since 25);
      # HTTPS-only is enforced by KC_HTTP_ENABLED=false above
      # SSL/TLS
      - KC_HTTPS_CERTIFICATE_FILE=/certs/tls.crt
      - KC_HTTPS_CERTIFICATE_KEY_FILE=/certs/tls.key
    volumes:
      - ./certs:/certs:ro   # assumed host location of tls.crt / tls.key
Session & Token Management
SSO Session Settings
SSO Session Idle: 30 minutes
SSO Session Max: 10 hours
Offline Session Idle: 7 days
Login Timeout: 30 minutes
Token Settings
Access Token: 5 minutes
Refresh Token: 30 days
ID Token: 5 minutes
Revoke Refresh Token: ✓ Enabled
Client Security Configuration
OIDC Client Settings
# Client Authentication
Client Authenticator: Client ID and Secret (or Signed JWT)
Client Secret: [Strong Random Secret]
# Authorization
Standard Flow Enabled: ✓
Implicit Flow Enabled: ✗ (deprecated)
Direct Access Grants Enabled: ✗ (for public clients)
OIDC CIBA Grant Enabled: ✗
# Security Settings
Valid Redirect URIs: https://app.company.com/* (as exact as possible, never a bare wildcard)
Valid Post Logout Redirect URIs: https://company.com/logout
Web Origins: https://app.company.com
# Advanced Settings
Proof Key for Code Exchange Code Challenge Method: S256
Access Token Signature Algorithm: ES256 (or RS256)
ID Token Signature Algorithm: ES256
Public vs Confidential Clients
Confidential (Backend)
- Client Secret required
- Authorization Code Flow
- PKCE optional but recommended
- Refresh tokens allowed
Public (SPA/Mobile)
- No client secret
- PKCE REQUIRED
- Authorization Code Flow
- Short-lived refresh tokens
GDPR & Compliance
GDPR Features
- ✓ User Data Export (JSON)
- ✓ Account Deletion (Right to be Forgotten)
- ✓ Consent Management
- ✓ Minimal PII in Tokens
- ✓ Audit Logging
Compliance Mapping
SOC 2: CC6.1 (Access Control), CC7.2 (Monitoring)
ISO 27001: A.9.1 (Access Policy), A.9.2 (User Registration)
NIST: IA-2 (Identification), AC-2 (Account Management)
Event Logging Configuration
# Events to log (Admin → Realm Settings → Events)
Enabled Event Types:
- LOGIN
- LOGIN_ERROR
- LOGOUT
- REGISTER
- UPDATE_EMAIL
- UPDATE_PASSWORD
- UPDATE_PROFILE
- DELETE_ACCOUNT
- GRANT_CONSENT
- UPDATE_CONSENT
- REVOKE_GRANT
- REFRESH_TOKEN
- CLIENT_LOGIN
# Event Storage: JPA or External (Syslog/Fluentd)
# Retention: 90 days minimum for compliance
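As an added example (not part of this page and not Keycloak's own tooling), the following Python script audits a realm export JSON against the brute-force, session, token, client and event-logging values given in the sections above. The realm and client attribute names are those of Keycloak's realm export format; the sample realm is constructed and the limits are in seconds.

```python
import re
# Constructed sample realm export (not a real export): a hardened confidential client
# and a public SPA client that violates several of the settings on this page.
SAMPLE_REALM = {
    "bruteForceProtected": True, "failureFactor": 5, "revokeRefreshToken": True,
    "ssoSessionIdleTimeout": 1800, "ssoSessionMaxLifespan": 36000, "accessTokenLifespan": 300,
    "passwordPolicy": "length(12) and upperCase(1) and digits(1)", "eventsEnabled": True,
    "enabledEventTypes": ["LOGIN", "LOGIN_ERROR", "LOGOUT", "UPDATE_PASSWORD", "DELETE_ACCOUNT"],
    "clients": [
        {"clientId": "backend-api", "publicClient": False, "implicitFlowEnabled": False,
         "redirectUris": ["https://app.company.com/*"],
         "attributes": {"pkce.code.challenge.method": "S256"}},
        {"clientId": "spa", "publicClient": True, "implicitFlowEnabled": True,
         "directAccessGrantsEnabled": True, "redirectUris": ["*"], "attributes": {}},
    ],
}
LIMITS = {"ssoSessionIdleTimeout": 1800, "ssoSessionMaxLifespan": 36000, "accessTokenLifespan": 300}  # seconds
REQUIRED_EVENTS = {"LOGIN", "LOGIN_ERROR", "LOGOUT", "UPDATE_PASSWORD", "DELETE_ACCOUNT"}

def audit_realm(realm: dict) -> list[str]:
    """Return hardening findings for one realm export; an empty list means it passes."""
    findings = []
    if not realm.get("bruteForceProtected"):
        findings.append("brute-force protection disabled")
    elif realm.get("failureFactor", 30) > 5:  # 30 is Keycloak's default
        findings.append(f"failureFactor {realm['failureFactor']} > 5")
    for key, cap in LIMITS.items():  # an unset key is reported so it gets set explicitly
        if realm.get(key, cap + 1) > cap:
            findings.append(f"{key} exceeds {cap}s")
    if not realm.get("revokeRefreshToken"):
        findings.append("revokeRefreshToken disabled (refresh tokens are not rotated)")
    m = re.search(r"length\((\d+)\)", realm.get("passwordPolicy", ""))
    if not m or int(m.group(1)) < 12:
        findings.append("password policy requires fewer than 12 characters")
    if not realm.get("eventsEnabled") or not REQUIRED_EVENTS <= set(realm.get("enabledEventTypes", [])):
        findings.append("event logging missing required event types")
    for c in realm.get("clients", []):
        cid = c.get("clientId", "?")
        if c.get("implicitFlowEnabled"):
            findings.append(f"{cid}: implicit flow enabled")
        if c.get("publicClient"):
            if c.get("directAccessGrantsEnabled"):
                findings.append(f"{cid}: direct access grants enabled on a public client")
            if c.get("attributes", {}).get("pkce.code.challenge.method") != "S256":
                findings.append(f"{cid}: PKCE S256 not enforced")
        for uri in c.get("redirectUris", []):
            host = uri.split("/")[2] if uri.startswith("https://") else ""
            if not host or "*" in host:  # bare "*", plain http, or a wildcard host
                findings.append(f"{cid}: over-broad redirect URI {uri!r}")
    return findings
```

Run it as `audit_realm(json.load(open("realm-export.json")))` after exporting the realm from the admin console; the sample above yields four findings, all against the `spa` client.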
Keycloak Hardening Checklist
Authentication
☐ MFA enforced for all users
☐ WebAuthn/FIDO2 configured
☐ Brute-force protection enabled
☐ Password policy (12+ chars)
☐ No default credentials
☐ Admin 2FA mandatory
Infrastructure
☐ HTTPS/TLS 1.3 only
☐ Reverse proxy (nginx/traefik)
☐ Database encrypted (at rest)
☐ Backup & DR tested
☐ Cluster mode (HA)
☐ Monitoring/Alerting