Keycloak, as a central identity and access management solution, continues to evolve alongside OpenID Connect (OIDC) and the observability ecosystem. Its recent updates address concrete security gaps and improve system visibility, supporting robust authentication, authorization, and performance monitoring. This article covers Keycloak's recent security improvements, including support for RFC 9449 (OAuth 2.0 Demonstrating Proof of Possession, DPoP) and OpenID for Verifiable Credential Issuance (OID4VCI), alongside its observability features: integrated Grafana dashboards, tracing, and performance metrics. These updates align with CNCF ecosystem standards and support scalable, secure identity management in modern cloud-native environments.
Keycloak now supports RFC 9449, OAuth 2.0 Demonstrating Proof of Possession (DPoP), to mitigate token misuse. A traditional bearer token lets whoever holds it access the resource, so a leaked token is immediately usable by an attacker. With DPoP the client generates a key pair, the authorization server binds the access token to the client's public key (by recording the key's thumbprint in the token's cnf.jkt claim), and every request to a resource server must carry a freshly signed DPoP proof JWT alongside the token. A token captured without the corresponding private key therefore cannot be replayed, which significantly reduces the impact of token theft and unauthorized access.
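To make the binding concrete, here is an added Go example (not Keycloak's own code, which is Java) that plays both sides of the exchange described above: the client signs a per-request DPoP proof with its private key, and the resource server checks the proof against the request it arrived with and against the cnf.jkt thumbprint the token was issued to. The endpoint URI, the opaque token string and the 300-second acceptance window are assumptions made for the demo; the proof format, the ath hash and the jkt thumbprint follow RFC 9449 and RFC 7638.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

type proofHeader struct {
	Typ string            `json:"typ"`
	Alg string            `json:"alg"`
	JWK map[string]string `json:"jwk"` // the client's public key as RFC 7517 members
}

type proofClaims struct { // RFC 9449 section 4.2
	JTI string `json:"jti"` // unique id, for replay detection
	HTM string `json:"htm"` // HTTP method of the request
	HTU string `json:"htu"` // target URI without query and fragment
	IAT int64  `json:"iat"` // issued-at, for freshness
	ATH string `json:"ath"` // base64url(SHA-256(access token)), resource requests only
}

func pad32(n *big.Int) []byte  { out := make([]byte, 32); n.FillBytes(out); return out }
func unb64(s string) *big.Int  { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }
func sha(s string) string      { h := sha256.Sum256([]byte(s)); return b64.EncodeToString(h[:]) }
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

func toJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(pad32(pub.X)), "y": b64.EncodeToString(pad32(pub.Y))}
}

// thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the required EC members only, keys in lexicographic
// order, no whitespace (json.Marshal of a map gives exactly that). The AS records it in the token's cnf.jkt claim.
func thumbprint(k map[string]string) string {
	canon, _ := json.Marshal(map[string]string{"crv": k["crv"], "kty": k["kty"], "x": k["x"], "y": k["y"]})
	return sha(string(canon))
}

// newProof is the client side: a freshly signed proof JWT (typ dpop+jwt, ES256) for one request.
func newProof(priv *ecdsa.PrivateKey, method, uri, accessToken string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(proofHeader{Typ: "dpop+jwt", Alg: "ES256", JWK: toJWK(&priv.PublicKey)})
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand: never returns an error
	pl, _ := json.Marshal(proofClaims{JTI: b64.EncodeToString(jti), HTM: method, HTU: uri, IAT: now.Unix(), ATH: sha(accessToken)})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(append(pad32(r), pad32(s)...)), nil // JWS ES256 signature is raw r||s
}

// verifyProof is the resource-server side. boundJKT is the cnf.jkt claim of the already validated
// access token; seen is the jti replay cache (entries may be dropped once older than the window).
func verifyProof(proof, method, uri, accessToken, boundJKT string, now time.Time, seen map[string]bool) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	rawHdr, e1 := b64.DecodeString(parts[0])
	rawPl, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr, cl = proofHeader{}, proofClaims{}
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(rawHdr, &hdr) != nil ||
		json.Unmarshal(rawPl, &cl) != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" ||
		hdr.JWK["kty"] != "EC" || hdr.JWK["crv"] != "P-256" {
		return errors.New("malformed proof or unexpected header")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: unb64(hdr.JWK["x"]), Y: unb64(hdr.JWK["y"])}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch {
	case !pub.Curve.IsOnCurve(pub.X, pub.Y) ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])):
		return errors.New("proof signature invalid")
	case thumbprint(hdr.JWK) != boundJKT: // the signing key must be the key the token was issued to
		return errors.New("proof key does not match token binding (cnf.jkt)")
	case cl.HTM != method || cl.HTU != uri:
		return errors.New("proof was made for a different request")
	case now.Unix()-cl.IAT > 300 || cl.IAT-now.Unix() > 30: // acceptance window is local policy
		return errors.New("proof outside acceptance window")
	case cl.ATH != sha(accessToken):
		return errors.New("ath does not match the presented token")
	case seen[cl.JTI]:
		return errors.New("proof replayed")
	}
	seen[cl.JTI] = true
	return nil
}

func main() {
	const uri, token = "https://api.example.test/orders", "opaque-token" // hypothetical endpoint, constructed token
	client, seen := newKey(), map[string]bool{}
	jkt := thumbprint(toJWK(&client.PublicKey)) // what the AS records in cnf.jkt when it issues the token
	proof, _ := newProof(client, "GET", uri, token, time.Now())
	fmt.Println("client with key:", verifyProof(proof, "GET", uri, token, jkt, time.Now(), seen))
	fmt.Println("replayed proof: ", verifyProof(proof, "GET", uri, token, jkt, time.Now(), seen))
	stolen, _ := newProof(newKey(), "GET", uri, token, time.Now()) // attacker has the token, not the key
	fmt.Println("stolen token:   ", verifyProof(stolen, "GET", uri, token, jkt, time.Now(), seen))
}
```

On the wire the proof travels in a DPoP header and the token as Authorization: DPoP <token>. The same proof format is presented at the token endpoint when the bound token is issued (without ath, since no token exists yet), and a server may additionally demand a fresh server-provided nonce in the proof, which this demo omits. The three verdicts printed above are the point of the mechanism: the legitimate client passes, the replayed proof is rejected on jti, and the attacker holding only the token fails the cnf.jkt check.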
Keycloak now aligns with OpenID for Verifiable Credential Issuance (OID4VCI), which underpins the EU's European Digital Identity (EUDI) wallet framework. Users can request verifiable credentials (VCs) directly from issuers, with Keycloak acting as both the OAuth 2.0 authorization server (issuing the access token) and the credential issuer. A client first obtains an access token and then presents it to the credential endpoint to request the VC, which streamlines secure credential exchange in decentralized identity ecosystems.
Keycloak is also integrating newer standards from the OAuth, OpenID, and CNCF communities, such as Workload Identity, Transaction Tokens, and SPIFFE. Related work covers federated and native flows: OAuth 2.0 for First-Party Applications lets a native application collect user credentials directly without a browser redirect, and OpenID Federation simplifies trust establishment between identity providers (IdPs) and relying parties (RPs), which in turn secures dynamic client registration.
Keycloak now provides detailed metrics and example SLO definitions for measuring service performance, for instance that 95% of authentication requests complete within 250 milliseconds. It tracks HTTP response times, database connection pool usage, and cluster health, with metrics grouped into core functionality, JVM performance, database requests, and cluster status. These metrics enable proactive capacity planning and system optimization.
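As an added example (not taken from Keycloak's documentation), the following Go program evaluates the "95% within 250 ms" objective above from the cumulative histogram buckets in a scrape of the metrics endpoint. The scrape excerpt is constructed, and the metric name and its method/uri/le labels are assumed to be those of the Micrometer HTTP server histogram that Quarkus exposes; check them against your own instance before relying on them.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleScrape is a constructed excerpt of a Keycloak /metrics scrape. The metric name and the
// method/uri/le labels follow the Micrometer HTTP server histogram exposed by Quarkus; treat the
// exact names as an assumption and check them against your own instance.
const sampleScrape = `# TYPE http_server_requests_seconds histogram
http_server_requests_seconds_bucket{method="POST",uri="/realms/{realm}/protocol/openid-connect/token",le="0.1"} 880
http_server_requests_seconds_bucket{method="POST",uri="/realms/{realm}/protocol/openid-connect/token",le="0.25"} 970
http_server_requests_seconds_bucket{method="POST",uri="/realms/{realm}/protocol/openid-connect/token",le="0.5"} 995
http_server_requests_seconds_bucket{method="POST",uri="/realms/{realm}/protocol/openid-connect/token",le="+Inf"} 1000
http_server_requests_seconds_count{method="POST",uri="/realms/{realm}/protocol/openid-connect/token"} 1000
http_server_requests_seconds_bucket{method="GET",uri="/realms/{realm}/protocol/openid-connect/auth",le="0.1"} 300
http_server_requests_seconds_bucket{method="GET",uri="/realms/{realm}/protocol/openid-connect/auth",le="0.25"} 450
http_server_requests_seconds_bucket{method="GET",uri="/realms/{realm}/protocol/openid-connect/auth",le="0.5"} 490
http_server_requests_seconds_bucket{method="GET",uri="/realms/{realm}/protocol/openid-connect/auth",le="+Inf"} 500
http_server_requests_seconds_count{method="GET",uri="/realms/{realm}/protocol/openid-connect/auth"} 500
`

// SLOResult is the verdict for one endpoint: how many requests landed at or below the latency target.
type SLOResult struct {
	Within, Total float64
	Met           bool
}

var labelRE = regexp.MustCompile(`([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"`)

// parseSample splits one exposition line into metric name, labels and value. The label block is cut
// at the last '}' so braces inside a label value (Keycloak's "{realm}" path template) do not confuse it.
func parseSample(line string) (name string, labels map[string]string, value float64, ok bool) {
	open, end := strings.Index(line, "{"), strings.LastIndex(line, "}")
	if open < 0 || end < open {
		return "", nil, 0, false
	}
	v, err := strconv.ParseFloat(strings.TrimSpace(line[end+1:]), 64)
	if err != nil {
		return "", nil, 0, false
	}
	labels = map[string]string{}
	for _, m := range labelRE.FindAllStringSubmatch(line[open+1:end], -1) {
		labels[m[1]] = m[2]
	}
	return line[:open], labels, v, true
}

// EvaluateLatencySLO answers "objective of requests to each uri complete within targetLE seconds" from
// cumulative histogram buckets: bucket{le=targetLE} / count, summed over all other labels. targetLE
// must be an existing bucket boundary; a target between boundaries cannot be answered by this histogram.
func EvaluateLatencySLO(scrape, metric, targetLE string, objective float64) map[string]SLOResult {
	within, total := map[string]float64{}, map[string]float64{}
	for _, line := range strings.Split(scrape, "\n") {
		name, labels, v, ok := parseSample(strings.TrimSpace(line))
		switch {
		case !ok:
		case name == metric+"_bucket" && labels["le"] == targetLE:
			within[labels["uri"]] += v
		case name == metric+"_count":
			total[labels["uri"]] += v
		}
	}
	res := map[string]SLOResult{}
	for uri, n := range total {
		r := SLOResult{Within: within[uri], Total: n}
		r.Met = n > 0 && r.Within/n >= objective
		res[uri] = r
	}
	return res
}

func main() {
	for uri, r := range EvaluateLatencySLO(sampleScrape, "http_server_requests_seconds", "0.25", 0.95) {
		fmt.Printf("%-50s %.1f%% within 250 ms, SLO met: %v\n", uri, 100*r.Within/r.Total, r.Met)
	}
}
```

In Prometheus the same ratio is sum(rate(http_server_requests_seconds_bucket{le="0.25"}[window])) / sum(rate(http_server_requests_seconds_count[window])) per uri; the snapshot here uses the raw counters since process start, which is fine for a scrape but not for a rolling SLO window. The practical lesson is the constraint in the function comment: the SLO target has to coincide with a configured bucket boundary, otherwise the histogram cannot say whether the objective is met and the check silently reports zero compliant requests.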
Keycloak 26.2 includes built-in Grafana dashboards for real-time monitoring. The "Troubleshooting" dashboard visualizes pod availability, JVM usage, database connection pools, and the distribution of HTTP requests. The "Capacity Planning" dashboard shows current load against the cluster's capacity, so that cluster size and custom scaling policies can be adjusted to match it. These dashboards integrate with Prometheus (metrics), Jaeger (traces), and Loki (logs), providing unified observability across the Keycloak ecosystem.
Keycloak 26.0 introduced tracing, which is fully supported as of 26.1. All HTTP requests are instrumented with spans, as are identity provider delegation, database, and LDAP calls. Developers can extend tracing through the Tracing Provider SPI (Service Provider Interface) to add custom spans. Keycloak also supports the Elastic Common Schema (ECS) log format, giving a consistent structure across logging handlers.
/auth and /realms.
Keycloak's security updates emphasize DPoP for sender-constrained tokens and OID4VCI for EU digital identity compliance. Observability features include Grafana dashboards, ECS logs, and tracing SPI extensions. Performance monitoring leverages SLOs, heatmaps, and database latency analysis. Contributions from the OAuth and OpenID communities enhance security through Workload Identity and OpenID Federation trust models.
Keycloak's combination of OpenID Connect support and advanced observability tooling provides secure, scalable identity management. With DPoP, OID4VCI, and integrated metrics, organizations can achieve robust authentication while maintaining system visibility, and tracing, SLO monitoring, and chaos engineering further strengthen reliability. These updates position Keycloak as a critical component in CNCF-aligned cloud-native architectures, balancing security and observability for modern applications.