Specifications implemented

List of specifications and standards implemented by Keycloak.

This guide presents the list of specifications and standards that Keycloak currently implements. The standards are separated into sections and, in each one, a table is shown with the following four columns:

  • Specification: The standard or specification that Keycloak implements.

  • Status: The current status of the implementation inside Keycloak (supported, preview, experimental, ...). See Enabling and disabling features for more information.

  • Conformity: Assurance of conformity of the implementation.

    • Certified (version): The specification provides conformance tests that Keycloak executes periodically and for each new version. The version in brackets is the last version of Keycloak certified by the authority.

    • Passed: There are conformance tests provided by the authority that Keycloak passes, but no version is certified yet.

    • Partial: There are conformance tests, but Keycloak is not yet fully passing them.

    • If this column is empty, Keycloak does not pass any external conformance tests for the spec; only the common project integration tests are executed. Either the authority does not provide a conformance test suite, or Keycloak is not interested in passing it.

  • Comments: A generic column that can contain details of the implementation or the status, for example parts that are not yet covered or specific behaviors that deviate from the spec.

OpenID Connect

| Specification | Status | Conformity | Comments |
|---|---|---|---|
| OpenID Connect Core | Supported | Certified (18.0.0) | |
| OpenID Connect Discovery | Supported | Certified (18.0.0) | |
| OpenID Connect Dynamic Client Registration | Supported | Certified (18.0.0) | |
| OpenID Connect Session Management | Supported | Certified (18.0.0) | |
| OpenID Connect RP-Initiated Logout | Supported | Certified (18.0.0) | |
| OpenID Connect Back-Channel Logout | Supported | Certified (18.0.0) | |
| OpenID Connect Front-Channel Logout | Supported | Certified (18.0.0) | |
| OpenID Connect Client-Initiated Backchannel Authentication Flow | Supported | Certified (18.0.0) | |
| OAuth 2.0 Multiple Response Type Encoding Practices | Supported | Certified (18.0.0) | |
| OAuth 2.0 Form Post Response Mode | Supported | Certified (18.0.0) | |
| Initiating User Registration via OpenID Connect 1.0 | Supported | | |
| OpenID for Verifiable Credential Issuance (OID4VCI) | Experimental | | |

OAuth

| Specification | Status | Conformity | Comments |
|---|---|---|---|
| The OAuth 2.0 Authorization Framework (RFC 6749) | Supported | | |
| The OAuth 2.1 Authorization Framework (Draft) | Supported | | |
| The OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750) | Supported | | |
| OAuth 2.0 Token Introspection (RFC 7662) | Supported | | |
| OAuth 2.0 Token Revocation (RFC 7009) | Supported | | |
| Proof Key for Code Exchange by OAuth Public Clients (RFC 7636) | Supported | | |
| OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591) | Supported | | |
| OAuth 2.0 Dynamic Client Registration Management Protocol (RFC 7592) | Supported | | |
| OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705) | Supported | | |
| OAuth 2.0 Pushed Authorization Requests (RFC 9126) | Supported | | |
| Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521) | Supported | | |
| JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523) | Supported | | |
| OAuth 2.0 Authorization Server Metadata (RFC 8414) | Supported | | |
| OAuth 2.0 Device Authorization Grant (RFC 8628) | Supported | | |
| OAuth 2.0 Token Exchange (RFC 8693) | Supported (see comments) | | Token exchange V2 only supports the internal-to-internal use case, so the specification is only partially supported now. See Configuring and using token exchange for more information. |
| The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) (RFC 9101) | Supported | | |
| OAuth 2.0 Authorization Server Issuer Identification (RFC 9207) | Supported | | |
| OAuth 2.0 Demonstrating Proof of Possession (DPoP) (RFC 9449) | Preview | | |

Financial-grade API (FAPI)

| Specification | Status | Conformity | Comments |
|---|---|---|---|
| Financial-grade API Security Profile 1.0 - Part 1: Baseline | Supported | Certified (15.0.2) | |
| Financial-grade API Security Profile 1.0 - Part 2: Advanced | Supported | Certified (15.0.2) | |
| Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) | Supported | Certified (15.0.2) | |
| Financial-grade API: Client Initiated Backchannel Authentication Profile (Draft) | Supported | Certified (15.0.2) | |
| FAPI 2.0 Security Profile | Supported | Passed | |
| FAPI 2.0 Message Signing (Draft) | Supported | Passed | |

Security Assertion Markup Language (SAML)

| Specification | Status | Conformity | Comments |
|---|---|---|---|
| Security Assertion Markup Language (SAML) v2.0 | Supported | | This standard covers multiple bindings and contexts. Keycloak implements a wide range of them, but some parts are certainly still missing. |

User Managed Access (UMA)

Misc

| Specification | Status | Conformity | Comments |
|---|---|---|---|
| Security Requirements for Cryptographic Modules (FIPS 140-2) | Supported | Certified | Keycloak uses the Bouncy Castle (BC) FIPS libraries to provide FIPS 140-2. BC is itself a certified FIPS 140-3 implementation, but it also needs a certified stack (operating system and Java VM). See FIPS 140-2 support for more information. |
| Web Authentication: An API for accessing Public Key Credentials Level 2 | Supported | | This specification has conformance tests, but Keycloak is not using them. Keycloak acts as a WebAuthn Relying Party (RP) for this specification. |
