Blog

Insights on Identity, Security & Keycloak

Tutorials, deep dives, and best practices from the Skycloak team.

Definition and Basics

Token Introspection vs Local JWT Validation in Keycloak

Keycloak token introspection vs local JWT validation: how each works, the latency and revocation trade-offs, and which to use for…

Guilliano Molaire, 10 min read

Definition and Basics

Keycloak Offline Tokens Explained

What Keycloak offline tokens are, how the offline_access scope works, how they differ from regular refresh tokens, and when to…

Guilliano Molaire, 11 min read

Tutorials

How to Run the Keycloak Admin Console on a Separate Hostname Behind nginx (KC_HOSTNAME_ADMIN)

KC_HOSTNAME_ADMIN does work behind nginx. Serve the Keycloak admin console on a separate hostname with the proxy headers and server…

Guilliano Molaire, 10 min read

Tutorials

Token and Claims Modeling in Keycloak: Reproducing Legacy IdP Behavior

Reproduce legacy IdP tokens in Keycloak so apps survive cutover. Build a claim contract, map UAA/SiteMinder/Okta claims, and diff old…

George Thomas, 16 min read

Tutorials

Dual-Run IAM Migration: Switching Identity Providers Without Downtime

An IAM migration strategy for large estates: run old and new IdPs at once, cut apps over in waves, and…

George Thomas, 14 min read

Tutorials

Keycloak and SiteMinder Federation: SAML and OIDC Integration Guide

Keycloak SiteMinder integration without a rip-and-replace: run both side by side, federate over SAML or OIDC, and migrate apps at…

George Thomas, 15 min read

Security

Keycloak Refresh Token Rotation: Setup and Best Practices

How to configure refresh token rotation in Keycloak: revoke-on-use, reuse detection, token lifetimes, SPA vs confidential clients, and security best…

Guilliano Molaire, 11 min read

Definition and Basics

Keycloak Client Scopes vs Roles: When to Use Each

Keycloak client scopes vs roles explained: what each does, how they shape token claims and scopes, and when to use…

Guilliano Molaire, 9 min read

Security

Keycloak UMA 2.0: User-Managed Resource Sharing

A practical guide to User-Managed Access (UMA 2.0) in Keycloak: the permission ticket flow, RPT tokens, resource sharing, and when…

Guilliano Molaire, 11 min read

Articles

SCIM Provisioning from Microsoft Entra ID to Keycloak 26.6+

Learn how to configure SCIM provisioning from Microsoft Entra ID to Keycloak 26.6+, including user sync, deprovisioning, and custom attributes

George Thomas, 4 min read

© 2026 Skycloak. All Rights Reserved. Design by Yasser Soliman