Keycloak is frequently internet-facing as an OIDC/SAML provider and therefore requires security hardening.
The recent 26.5.3 release includes fixes for critical vulnerabilities:
- CVE-2026-1609: Disabled users could still obtain tokens via JWT Authorization Grant
- CVE-2026-1529: Forged invitation JWT enables cross-organization self-registration
- CVE-2026-1486: Logic bypass in JWT Authorization Grant allows authentication via disabled identity providers
- CVE-2025-14778: Incorrect ownership checks in /uma-policy/
Action Required: Upgrade to version 26.5.3 or later immediately.
¶ Network Security
- Only expose necessary ports (typically 8080/8443)
- Restrict admin console access to trusted networks
- Use a WAF (Web Application Firewall) for internet-facing deployments
Force HTTPS, or run behind a TLS-terminating reverse proxy:
# Force HTTPS
KC_HTTPS_PORT=8443
KC_HTTPS_CERTIFICATE_FILE=path/to/cert.pem
KC_HTTPS_CERTIFICATE_KEY_FILE=path/to/key.pem
# Or behind a reverse proxy: trust the X-Forwarded-* headers set by the proxy
# (the old KC_PROXY option is deprecated; KC_PROXY_HEADERS replaces it,
# valid values are xforwarded and forwarded)
KC_PROXY_HEADERS=xforwarded
¶ Realm and Client Security
Authentication:
- Enforce MFA and a strong password policy per realm
- Enable brute force detection with temporary lockouts
- Use adaptive authentication based on risk factors
- Regularly review and clean up inactive accounts
Client configuration:
- Restrict redirect URIs to exact trusted values
- Disable implicit flow for confidential clients
- Use PKCE (Proof Key for Code Exchange) for public clients
- Set appropriate access token lifespans
- Disable unused protocols and flows
Roles and authorization:
- Follow the principle of least privilege
- Regularly audit role assignments
- Use composite roles for easier management
- Implement fine-grained authorization when needed
¶ Admin Console Security
- Secure the admin console behind a VPN or trusted network
- Implement additional authentication layers (VPN, SSH tunnel)
- Limit the admin user count and rotate credentials regularly
- Enable admin events logging for audit trails
¶ Database Security
- Encrypt database connections with TLS
- Use a dedicated database user with minimal required privileges
- Take regular database backups with encrypted storage
- Implement database audit logging
¶ Container Security
- Run as a non-root user
- Use a read-only root filesystem where possible
- Implement resource limits to prevent DoS
- Scan container images for vulnerabilities
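The realm and client items above can be checked mechanically against a realm export. The script below is an added example, not Keycloak's own code: it reads the RealmRepresentation / ClientRepresentation JSON that `kc.sh export` writes (field names such as `bruteForceProtected`, `sslRequired`, `implicitFlowEnabled`, `redirectUris` and the `pkce.code.challenge.method` client attribute are Keycloak's), and flags the weak settings. The two embedded exports and the 900-second token-lifespan threshold are constructed for the demo.

```python
"""Audit a Keycloak realm export for the weak settings in the checklist above.
Added example, not Keycloak code. Field names follow the JSON written by
`kc.sh export`; the sample exports and the lifespan threshold are constructed."""
import json
from urllib.parse import urlparse

MAX_ACCESS_TOKEN_LIFESPAN = 900  # seconds; assumed policy threshold, not a Keycloak default


def _client_findings(client: dict) -> list:
    """Checks one ClientRepresentation against the client-configuration items."""
    name = client.get("clientId", "?")
    out = []
    if not client.get("enabled", True):
        return out  # a disabled client cannot be used; nothing to report
    if client.get("implicitFlowEnabled"):
        out.append((name, "implicit flow enabled"))
    public = client.get("publicClient", False)
    pkce = client.get("attributes", {}).get("pkce.code.challenge.method")
    if public and pkce != "S256":
        out.append((name, "public client without PKCE S256"))
    if public and client.get("directAccessGrantsEnabled"):
        out.append((name, "public client allows direct access grants (password flow)"))
    for uri in client.get("redirectUris", []):
        if "*" in uri:  # wildcard patterns let attacker-controlled paths receive codes
            out.append((name, f"wildcard redirect URI {uri}"))
            continue
        parsed = urlparse(uri)
        if parsed.scheme == "http" and parsed.hostname not in ("localhost", "127.0.0.1"):
            out.append((name, f"plain-http redirect URI {uri}"))
    return out


def audit_realm(export_json: str) -> list:
    """Returns (scope, issue) tuples; an empty list means every check passed."""
    realm = json.loads(export_json)
    out = []
    if realm.get("sslRequired", "external") == "none":
        out.append(("realm", "sslRequired=none allows plain HTTP logins"))
    if not realm.get("bruteForceProtected", False):
        out.append(("realm", "brute force detection disabled"))
    if not realm.get("passwordPolicy"):
        out.append(("realm", "no password policy configured"))
    if not realm.get("eventsEnabled", False):
        out.append(("realm", "user event logging disabled"))
    if not realm.get("adminEventsEnabled", False):
        out.append(("realm", "admin event logging disabled"))
    lifespan = realm.get("accessTokenLifespan", 300)
    if lifespan > MAX_ACCESS_TOKEN_LIFESPAN:
        out.append(("realm", f"accessTokenLifespan {lifespan}s exceeds {MAX_ACCESS_TOKEN_LIFESPAN}s"))
    for client in realm.get("clients", []):
        out.extend(_client_findings(client))
    return out


def is_hardened(export_json: str) -> bool:
    return not audit_realm(export_json)


# Constructed sample export mixing weak realm settings with one weak and one sane client.
WEAK_EXPORT = json.dumps({
    "realm": "demo", "sslRequired": "none", "bruteForceProtected": False,
    "passwordPolicy": "", "eventsEnabled": True, "adminEventsEnabled": False,
    "accessTokenLifespan": 86400,
    "clients": [
        {"clientId": "spa", "enabled": True, "publicClient": True,
         "standardFlowEnabled": True, "implicitFlowEnabled": True,
         "directAccessGrantsEnabled": True,
         "redirectUris": ["https://app.example.test/*", "http://localhost:3000/cb"],
         "attributes": {}},
        {"clientId": "backend", "enabled": True, "publicClient": False,
         "standardFlowEnabled": True, "implicitFlowEnabled": False,
         "directAccessGrantsEnabled": False,
         "redirectUris": ["https://backend.example.test/callback"],
         "attributes": {"pkce.code.challenge.method": "S256"}},
    ],
})

# The same realm after applying the checklist (also constructed).
HARDENED_EXPORT = json.dumps({
    "realm": "demo", "sslRequired": "external", "bruteForceProtected": True,
    "passwordPolicy": "length(12) and notUsername", "eventsEnabled": True,
    "adminEventsEnabled": True, "accessTokenLifespan": 300,
    "clients": [
        {"clientId": "spa", "enabled": True, "publicClient": True,
         "standardFlowEnabled": True, "implicitFlowEnabled": False,
         "directAccessGrantsEnabled": False,
         "redirectUris": ["https://app.example.test/callback"],
         "attributes": {"pkce.code.challenge.method": "S256"}},
    ],
})

if __name__ == "__main__":
    for scope, issue in audit_realm(WEAK_EXPORT):
        print(f"[{scope}] {issue}")
```

Run it against a real export (`kc.sh export --realm <name> --file realm.json`) by replacing `WEAK_EXPORT` with the file contents; the checks are deliberately conservative and treat missing keys as the Keycloak defaults.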
¶ Certificate and Key Management
Signing keys:
- Rotate signing keys on a regular schedule (e.g., quarterly)
- Use Keycloak’s key rotation mechanisms
- Plan for key rollover in client applications
- Store keys securely with proper access controls
TLS certificates:
- Use certificates from trusted CAs for production
- Implement certificate renewal automation
- Monitor certificate expiration dates
- Maintain backup certificates
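Planning for key rollover on the client side mostly means handling a `kid` the relying party has not seen yet without letting unknown kids become a way to hammer the JWKS endpoint. The following is an added example, not Keycloak or library code: a small JWKS cache that refreshes on an unknown `kid` but enforces a refresh cooldown, plus the header checks a relying party should do before it even selects a key. The JWKS documents, the `FakeClock` and the header-only token stubs are constructed so the demo runs offline; the actual signature check is left to a JOSE library and is not part of this example.

```python
"""Relying-party JWKS cache for Keycloak signing-key rollover. Added example,
not Keycloak code. JWKS documents, clock and token stubs are constructed;
signature verification itself is delegated to a JOSE library and not shown."""
import base64
import json

ALLOWED_ALGS = {"RS256", "ES256"}  # assumed allow-list; "none" and HMAC algs are never accepted


class FakeClock:
    """Deterministic clock so the cooldown logic is testable offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class JwksCache:
    def __init__(self, fetch_jwks, clock, min_refresh_interval=60.0):
        self._fetch = fetch_jwks  # returns the JWKS dict served at <issuer>/protocol/openid-connect/certs
        self._clock = clock
        self._min_interval = min_refresh_interval
        self._keys = {}           # kid -> JWK
        self._last_refresh = None
        self.refreshes = 0

    def _refresh(self):
        jwks = self._fetch()
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._last_refresh = self._clock()
        self.refreshes += 1

    def key_for(self, kid):
        """Known kid: serve from cache. Unknown kid: refresh at most once per cooldown."""
        if kid in self._keys:
            return self._keys[kid]
        if self._last_refresh is None or self._clock() - self._last_refresh >= self._min_interval:
            self._refresh()
            return self._keys.get(kid)
        return None  # unknown kid during cooldown: reject rather than refetch


def decode_header(token):
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def select_verification_key(cache, token):
    """Header checks a relying party does before handing the key to the JOSE library."""
    header = decode_header(token)
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"rejected alg {alg!r}")
    if not kid:
        raise ValueError("token header has no kid")
    key = cache.key_for(kid)
    if key is None:
        raise ValueError(f"no signing key for kid {kid!r}")
    if key.get("alg", alg) != alg:
        raise ValueError("token alg does not match the published key alg")
    return key


def make_token_stub(header):
    """Constructed header-only token; payload and signature are placeholders."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'demo'})}.sig"


# Constructed JWKS documents. After rotation Keycloak keeps the old key
# published for a grace period, so both kids are present in JWKS_AFTER.
JWKS_BEFORE = {"keys": [{"kid": "old", "kty": "RSA", "alg": "RS256", "use": "sig",
                         "n": "placeholder-modulus", "e": "AQAB"}]}
JWKS_AFTER = {"keys": JWKS_BEFORE["keys"] + [
    {"kid": "new", "kty": "RSA", "alg": "RS256", "use": "sig",
     "n": "placeholder-modulus-2", "e": "AQAB"}]}


def rollover_demo():
    clock = FakeClock()
    published = {"jwks": JWKS_BEFORE}
    cache = JwksCache(lambda: published["jwks"], clock)
    results = {}
    results["old_ok"] = select_verification_key(cache, make_token_stub({"alg": "RS256", "kid": "old"}))["kid"]
    published["jwks"] = JWKS_AFTER  # the provider rotates; new tokens carry kid "new"
    clock.now = 100.0
    results["new_ok"] = select_verification_key(cache, make_token_stub({"alg": "RS256", "kid": "new"}))["kid"]
    try:  # unknown kid right after a refresh: cooldown applies, token is rejected
        select_verification_key(cache, make_token_stub({"alg": "RS256", "kid": "bogus"}))
    except ValueError as exc:
        results["bogus"] = str(exc)
    try:
        select_verification_key(cache, make_token_stub({"alg": "none", "kid": "old"}))
    except ValueError as exc:
        results["alg_none"] = str(exc)
    results["refreshes"] = cache.refreshes  # initial load + one rollover refresh
    return results


if __name__ == "__main__":
    print(rollover_demo())
```

The cooldown is the part worth copying: without it, a stream of tokens with random kids turns every relying party into a JWKS-fetch amplifier against the provider.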
¶ Monitoring and Logging
Enable event logging. User and admin events are switched on per realm (Realm settings > Events), and the built-in jboss-logging event listener writes them to the server log; its log levels are configured with these options:
# Log successful events at INFO and failed events at WARN
# (the defaults are DEBUG for success and WARN for errors)
KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_SUCCESS_LEVEL=info
KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_ERROR_LEVEL=warn
# Alternatively, raise the level of the events logger category
KC_LOG_LEVEL=info,org.keycloak.events:debug
- Monitor authentication attempts and failures
- Track admin configuration changes
- Alert on suspicious activities (geo-location anomalies, unusual access patterns)
- Review and analyze logs regularly
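Once events reach the server log, the monitoring items above reduce to parsing the `key="value"` lines the jboss-logging listener emits and counting. The script below is an added example, not Keycloak code: it parses those lines, raises an alert when one source IP accumulates a burst of `LOGIN_ERROR` events, flags a successful `LOGIN` from an IP that just produced such a burst, and records every admin event (`operationType=...`) as a configuration-change alert. The log lines are constructed to mimic the listener's format, and the 5-failures-in-300-seconds threshold is an assumption for the demo.

```python
"""Detection logic over Keycloak event log lines (jboss-logging listener
format). Added example, not Keycloak code. The sample log is constructed and
the thresholds are assumptions chosen for the demo."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+\w+\s+'
    r'\[org\.keycloak\.events\]\s+\([^)]*\)\s+(?P<body>.*)$')
# key="quoted value" (current format) or key=bare (older format)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

FAIL_THRESHOLD = 5    # LOGIN_ERROR events from one IP ...
WINDOW_SECONDS = 300  # ... within this many seconds raises an alert


def parse_line(line):
    """Returns the event fields as a dict (plus '_ts'), or None for non-event lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {key: quoted if quoted else bare
              for key, quoted, bare in KV_RE.findall(m.group("body"))}
    fields["_ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return fields


class EventMonitor:
    def __init__(self, fail_threshold=FAIL_THRESHOLD, window_seconds=WINDOW_SECONDS):
        self.fail_threshold = fail_threshold
        self.window = window_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent LOGIN_ERRORs
        self.alerts = []

    def _recent_failures(self, ip, now):
        q = self._failures[ip]
        while q and (now - q[0]).total_seconds() > self.window:
            q.popleft()  # drop failures that fell out of the window
        return q

    def feed(self, line):
        ev = parse_line(line)
        if ev is None:
            return
        now, ip = ev["_ts"], ev.get("ipAddress", "?")
        if "operationType" in ev:  # admin event: every config change is worth a trail entry
            self.alerts.append(f"admin {ev['operationType']} {ev.get('resourceType')} "
                               f"{ev.get('resourcePath')} by {ev.get('userId')} from {ip}")
            return
        etype = ev.get("type")
        q = self._recent_failures(ip, now)
        if etype == "LOGIN_ERROR":
            q.append(now)
            if len(q) == self.fail_threshold:  # fire once per burst, not on every extra failure
                self.alerts.append(f"{len(q)} login failures from {ip} within {self.window}s "
                                   f"(last error={ev.get('error')})")
        elif etype == "LOGIN" and len(q) >= self.fail_threshold:
            self.alerts.append(f"login for {ev.get('username')} from {ip} after failure burst")


def run_monitor(log_text):
    monitor = EventMonitor()
    for line in log_text.splitlines():
        monitor.feed(line)
    return monitor.alerts


# Constructed sample: six failures from one IP, a success from that IP, an
# unrelated login, an admin event, and a non-event line that must be ignored.
SAMPLE_LOG = "\n".join(
    [f'2026-03-01 10:00:{sec:02d},101 WARN  [org.keycloak.events] (executor-thread-5) '
     f'type="LOGIN_ERROR", realmName="demo", clientId="spa", userId="null", '
     f'ipAddress="203.0.113.9", error="invalid_user_credentials", username="{user}"'
     for sec, user in zip((1, 5, 9, 13, 17, 21), ("root", "admin", "alice", "bob", "alice", "carol"))]
    + ['2026-03-01 10:00:30,201 INFO  [org.keycloak.events] (executor-thread-2) '
       'type="LOGIN", realmName="demo", clientId="spa", userId="4c2a-user-id", '
       'ipAddress="203.0.113.9", username="alice"',
       '2026-03-01 10:01:00,301 INFO  [org.keycloak.events] (executor-thread-3) '
       'type="LOGIN", realmName="demo", clientId="spa", userId="9f1e-user-id", '
       'ipAddress="198.51.100.7", username="bob"',
       '2026-03-01 10:02:00,401 INFO  [org.keycloak.events] (executor-thread-1) '
       'operationType="UPDATE", realmName="demo", clientId="admin-cli", userId="admin-user-id", '
       'ipAddress="198.51.100.7", resourceType="CLIENT", resourcePath="clients/1234"',
       '2026-03-01 10:02:30,000 INFO  [io.quarkus] (main) Keycloak started'])

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_LOG):
        print(alert)
```

The "success after burst" rule is the one that matters for credential stuffing: a lockout policy stops the failures, but the login that finally succeeds from the same source is the event a responder actually needs to see.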
¶ Backup and Recovery
- Regular backups of realm configurations
- Secure storage of backup encryption keys
- Test restoration procedures regularly
- Include database and configuration files in backups
¶ Data Protection and Privacy
- Implement data retention policies
- Support data anonymization/deletion requests
- Encrypt sensitive data at rest
- Keep an audit trail for all access to user data
¶ Security Testing
- Perform periodic penetration testing
- Conduct vulnerability scans
- Review authentication flows for weaknesses
- Test authorization policies
¶ Incident Response
- Document procedures for security incidents
- Plan for rapid patching and rollback
- Establish communication channels for security updates
- Have backup authentication methods ready