New videos about OpenID Connect and Keycloak from FOSDEM 2025

Abstract: OAuth 2.0 uses access tokens to grant access to secured resources. When using Single Page Applications, they are passed from browsers to the servers as bearer tokens using HTTP headers.

While they are secured in transit using TLS, those tokens could be stolen from a browser, replayed, or mis-used by a malicious or vulnerable server. OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) takes this one step further by equipping the client like your Single Page Application with a key pair so that it can show a proof when passing the access token, so no-one else can use the access token. DPoP is part of the FAPI 2.0 Security Profile by the OpenID Foundation. It promotes best practices on how to protect APIs exposing high-value and sensitive (personal and other) data, for example, in finance, e-health and e-government applications.

This talk will explain the concepts and demos how this can be implemented using Keycloak and other open source components. We will also describe the current challenges, limitations and alternatives of the approach.

Abstract: Modern web applications strongly rely on Authentication/Authorization infrastructures. To address these needs, the OSS community has strongly endorsed open protocols such as OpenIdConnect and OAuth2, on top of JSON and REST. In turn, these protocols have been implemented in software products such as Keycloak, WSO2 or Lemonldap.

OpenId Connect and OAuth2 are authorization protocols, closely aligned with authentication, as provided by Identity Providers. They have been designed within various standardization bodies such as the OpenId foundation or the Internet Engineering Task Force. Understanding these standards is demanding, but needed in order to implement feature-rich solutions, to understand the various options offered to implementers.

This talk will therefore discuss in details OIDC and OAuth : the various flows that exist in order to obtain access tokens for standard clients, and some advanced features enabled by these protocols.

Identity Providers (IdP) based on OAuth 2.0/OIDC and other REST APIs like e.g. Keycloak or Entry ID play a dominant role in the identity management of web-based applications. But organizations which are using IdPs for their internal applications still have to use other services, typically LDAP based, to manage access and authentication to LINUX/POSIX user workstations.

To help to avoid running two services for identity management SSSD started to use IdPs to lookup users and authenticate them against the IdPs. In contrast to LDAP there are no standards and conventions with respect to POSIX users and groups in the IdP world.

This talk will focus on how SSSD is getting user and group information from IdPs, how information required by POSIX, e.g. the numeric user and group IDs, is created and what kind of limitations there are. Additionally it will be explained why the OAuth 2.0 Device Authorization Flow was chosen for authentication and demonstrated.

Abstract: Authenticating users can start simple with a username and a password for each user. But you will also need to handle forgotten passwords and user registration. You might also want to validate email addresses, add second factors, have users update their profile information as needed, or even offer password-less authentication.

A single-sign-on system like Keycloak can handle all that for you and will redirect users after they are authenticated to your applications using the industry standards like OpenID Connect and SAML.

Join this talk to see how you can delegate all the tasks around authentication to Keycloak. We will start simple and enable more and more features in our demo to show the functionality and flexibility of Keycloak. We will also look at features of the latest release and the road map ahead.