Features
Comprehensive Keycloak security with protocol-aware validation for OIDC, SAML, and Admin API.
OIDC / OAuth2 Protection
Full OAuth2 and OpenID Connect protocol enforcement based on RFC 6749, RFC 7636, and OpenID Connect Core.
Grant Type Enforcement
REQ-OIDC-001: Block insecure grant types (ROPC, implicit) by default. Per-client allowlists for permitted grant types.
Scope Validation
REQ-OIDC-002: Validate requested scopes against per-client whitelists. Prevent scope escalation attacks.
Redirect URI Validation
REQ-OIDC-003: Exact match or wildcard validation against per-client whitelist. Blocks HTTP, localhost, and private IPs.
PKCE Enforcement
REQ-OIDC-006, REQ-OIDC-007: Require PKCE for public clients. Enforce S256 method — block plain method (RFC 7636).
State & Nonce
REQ-OIDC-004, REQ-OIDC-005: Require state parameter (CSRF protection) and nonce parameter (replay protection) on authorization requests.
Response Type Validation
REQ-OIDC-008: Block implicit flow response types. Prevent token exposure in browser history.
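The OIDC checks above, as an added example that is not the product's own code: a validator that maps an authorization-endpoint query string (and a token-endpoint form body) to the REQ-OIDC IDs it violates. The policy dictionary shape and the function names are assumptions for illustration; redirect URIs are matched exactly (the wildcard variant is not shown).

```python
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse

# Constructed per-client policy (hypothetical shape, not the product's own format).
CLIENT_POLICY = {
    "public": True,
    "scopes": {"openid", "profile", "email"},
    "redirect_uris": {"https://app.example.com/callback"},
    "grant_types": {"authorization_code", "refresh_token"},
}

def _is_local_or_private(host):
    """True for localhost, loopback, RFC 1918 and link-local literal addresses."""
    if host == "localhost":
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # a DNS name; only literal IPs are checked here
    return addr.is_loopback or addr.is_private or addr.is_link_local

def validate_authorization_request(query, policy=CLIENT_POLICY):
    """Return the REQ-OIDC IDs an /auth query string violates (empty list = pass)."""
    p = {k: v[0] for k, v in parse_qs(query).items()}
    violations = []
    # REQ-OIDC-008: any implicit response type puts tokens in the URL fragment
    if "token" in p.get("response_type", "").split():
        violations.append("REQ-OIDC-008")
    # REQ-OIDC-002: every requested scope must be on the client's allowlist
    if set(p.get("scope", "").split()) - policy["scopes"]:
        violations.append("REQ-OIDC-002")
    # REQ-OIDC-003: exact-match allowlist, HTTPS only, no localhost / private IPs
    uri = urlparse(p.get("redirect_uri", ""))
    if (p.get("redirect_uri") not in policy["redirect_uris"]
            or uri.scheme != "https" or _is_local_or_private(uri.hostname or "")):
        violations.append("REQ-OIDC-003")
    # REQ-OIDC-004 / 005: state (CSRF) and nonce (replay) are mandatory
    if not p.get("state"):
        violations.append("REQ-OIDC-004")
    if not p.get("nonce"):
        violations.append("REQ-OIDC-005")
    # REQ-OIDC-006 / 007: public clients need PKCE, and only S256 is accepted
    if policy["public"]:
        if not p.get("code_challenge"):
            violations.append("REQ-OIDC-006")
        elif p.get("code_challenge_method", "plain") != "S256":
            violations.append("REQ-OIDC-007")
    return violations

def validate_token_request(form, policy=CLIENT_POLICY):
    """REQ-OIDC-001: grant_type must be on the client's allowlist (ROPC is never default)."""
    grant = {k: v[0] for k, v in parse_qs(form).items()}.get("grant_type", "")
    return [] if grant in policy["grant_types"] else ["REQ-OIDC-001"]
```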
SAML Security
Prevent the most dangerous SAML attacks before they reach Keycloak.
XXE Prevention
REQ-SAML-001: Block DOCTYPE declarations in SAML assertions. Prevent XML External Entity attacks that could read server files or trigger SSRF.
Signature Wrapping Detection
REQ-SAML-002: Detect SAML signature wrapping attacks that could bypass authentication by manipulating XML structure.
Algorithm Enforcement
REQ-SAML-003: Enforce strong signature algorithms. Block SHA-1, which is cryptographically broken.
Assertion Size Limits
REQ-SAML-004: Enforce maximum SAML assertion size to prevent denial-of-service through oversized payloads.
Admin API Protection
Lock down the Keycloak Admin REST API to prevent privilege escalation and data exfiltration.
Endpoint Whitelist
REQ-ADMIN-001: Only explicitly allowed admin endpoints are accessible. All other admin paths are rejected.
Master Realm Protection
REQ-ADMIN-002: Block access to master realm admin operations. Prevents system-level compromise.
Export Prevention
REQ-ADMIN-003: Block realm export operations that could exfiltrate credentials and configuration.
Bulk Operation Detection
REQ-ADMIN-005: Detect and limit mass user create/delete operations. Configurable threshold.
Read-Only Mode
REQ-ADMIN-007: Optional read-only mode for admin API — block all write operations.
IdP Change Blocking
REQ-ADMIN-004: Optionally block identity provider configuration changes to prevent federation tampering.
Token Response Validation
Validate every token response from Keycloak before it reaches clients.
Algorithm Enforcement
REQ-TOKEN-001: Block 'none' algorithm and standalone HS256. Only allow configured strong algorithms (RS256, ES256, etc.).
Lifetime Validation
REQ-TOKEN-002: Enforce maximum token lifetime (default 24 hours). Detect overly long-lived tokens.
Claim Leakage Detection
REQ-TOKEN-003: Detect sensitive claims in token payload. Configurable blocked claims list.
Token Size Limits
REQ-TOKEN-004: Enforce maximum token size to detect role/claim enrichment abuse.
JWT Structure
REQ-TOKEN-005: Validate header.payload.signature format. Block malformed tokens.
Security Headers
REQ-HDR-001..004: Enforce HSTS, CSP, X-Content-Type-Options, and X-Frame-Options on all responses.
Operating Modes
Gradual rollout from observation to full enforcement.
Learning Mode
REQ-MODE-001: Allow all traffic, log all violations. Default mode when no policy file is specified. Ideal for initial deployment to understand traffic patterns.
Monitoring Mode
REQ-MODE-002: Allow all traffic, alert on violations. Use for pre-enforcement validation to ensure no legitimate traffic would be blocked.
Enforcement Mode
REQ-MODE-003: Block all violating traffic. Fail-closed: any request that doesn't pass all 16 validation steps is rejected with an OAuth2-compatible JSON error.
Hybrid Mode
REQ-MODE-004: Per-rule actions (allow/alert/block). Enable enforcement for critical rules while monitoring others. Maximum flexibility for gradual rollout.