Thoughts on Identity & Access Management, Keycloak, and engineering.
Keycloak 26.6.2 fixes 16 CVEs at once, including session fixation in the OIDC login flow, redirect URI validation bypass, and stored XSS. If you run it in production, update now.
Single realm, one per region, or one per business unit. Each model is a long-term bet that's hard to reverse. Here's the comparison you need before you choose.
Okta acquired Auth0 in 2021 and raised prices. Many companies are now reconsidering their identity stack. Here's the unbiased comparison you need to make the right call.
We work with Keycloak every day. That doesn't mean it's the right choice for everyone — but it does mean we know exactly when it is.
Keycloak 26.6.0 is a feature release. Five capabilities — JWT Authorization Grant, Federated Client Auth, Workflows, Zero-Downtime Patches, and a new Test Framework — graduate from preview to fully supported.
Keycloak security advisory: phishing attack via email verification in first login flow. Affects all versions before 26.2.6, 26.1.5 and 26.0.10.
Keycloak 26.2.x with FGAPv2 enabled is affected by a privilege escalation allowing manage-users admins to self-assign realm-admin.
