Thoughts on Identity & Access Management, Keycloak, and engineering.
Keycloak 26.6.3 fixes 16 CVEs: privilege escalation via token exchange, SSRF on the OIDC endpoint, refresh token reuse after restart, and more. If you run Keycloak in production, update now.
Keycloak is powerful, but running it poorly is expensive. This guide tells you what to look for in a consulting partner, what questions to ask, and which warning signs to avoid.
Keycloak 26.6.2 fixes 16 CVEs at once, including session fixation in the OIDC login flow, redirect URI validation bypass, and stored XSS. If you run it in production, update now.
Single realm, one per region, or one per business unit. Each model is a long-term bet that's hard to reverse. Here's the comparison you need before you choose.
Okta acquired Auth0 in 2021 and raised prices. Many companies are now reconsidering their identity stack. Here's the unbiased comparison you need to make the right call.
We work with Keycloak every day. That doesn't mean it's the right choice for everyone — but it does mean we know exactly when it is.
Keycloak 26.6.0 promotes five capabilities from preview to stable: Workflows, JWT Authorization Grant, Zero-Downtime Patches, Federated Client Auth, and a new Test Framework. Here's what changes for teams running 26.x in production.
Keycloak security advisory: phishing attack via email verification in first login flow. Affects all versions before 26.2.6, 26.1.5 and 26.0.10.
Keycloak 26.2.x with FGAPv2 enabled is affected by a privilege escalation allowing manage-users admins to self-assign realm-admin.
