Keycloak Docs

Keycloak Server Administration 20.0

Mitigating security threats

FAPI compliance

To have the Keycloak server validate that your clients are configured securely and are FAPI compliant, you can configure client policies for FAPI support. Details are described in the FAPI section of the Securing Applications and Services Guide. Among other things, this enforces several of the security best practices described above, such as requiring SSL for clients and using secure redirect URIs.
