Tutorials, deep dives, and best practices from the Skycloak team.
Keycloak token introspection vs local JWT validation: how each works, the latency and revocation trade-offs, and which to use for…
What Keycloak offline tokens are, how the offline_access scope works, how they differ from regular refresh tokens, and when to…
KC_HOSTNAME_ADMIN does work behind nginx. Serve the Keycloak admin console on a separate hostname with the proxy headers and server…
Reproduce legacy IdP tokens in Keycloak so apps survive cutover. Build a claim contract, map UAA/SiteMinder/Okta claims, and diff old…
An IAM migration strategy for large estates: run old and new IdPs at once, cut apps over in waves, and…
Keycloak SiteMinder integration without a rip-and-replace: run both side by side, federate over SAML or OIDC, and migrate apps at…
How to configure refresh token rotation in Keycloak: revoke-on-use, reuse detection, token lifetimes, SPA vs confidential clients, and security best…
Keycloak client scopes vs roles explained: what each does, how they shape token claims and scopes, and when to use…
A practical guide to User-Managed Access (UMA 2.0) in Keycloak: the permission ticket flow, RPT tokens, resource sharing, and when…
Learn how to configure SCIM provisioning from Microsoft Entra ID to Keycloak 26.6+, including user sync, deprovisioning, and custom attributes.