Keycloak Explained EP07 | Realms, OIDC Clients, Redirect URIs & PKCE

Welcome to Secure AI Learning Lab. In this episode, we continue the Identity and Access Management foundation series and start going deeper into Keycloak, one of the most useful open-source IAM platforms for learning, prototyping, and building secure enterprise applications. Keycloak supports major industry identity protocols such as OAuth2, OpenID Connect, and SAML 2.0. In this video, I explain some of the most important Keycloak concepts that architects and developers must understand before building secure applications. This episode covers: What Keycloak is and why it is useful for IAM How Keycloak compares conceptually with platforms such as Microsoft Entra ID, Okta, and Ping Identity OAuth2, OpenID Connect, and SAML 2.0 support What a Keycloak realm is Why a realm acts as a security and identity boundary How one Keycloak server can support multiple isolated applications or departments What an OIDC client is Why software applications need identity in IAM systems Public clients vs. confidential clients Why browser apps and mobile apps are normally public clients Why backend services and REST APIs can use confidential clients What a client ID and client secret mean What a valid redirect URI is Why Keycloak needs to know where to send the user after login What post-logout redirect URIs are How PKCE improves OAuth2/OIDC security What the code verifier and code challenge are Why SHA-256 / S256 should be used instead of plain PKCE Why architects and developers should understand these IAM fundamentals A key takeaway from this episode is that secure enterprise AI applications are not only about LLMs, RAG, embeddings, vector databases, and agents. They also need strong identity and access management foundations. Before an AI system can safely answer questions, upload documents, call APIs, or perform actions, it must know who the user is, what application is requesting access, and what the user or client is allowed to do. This video is useful for architects, developers, cybersecurity learners, AI engineers, and technology leaders who want to understand how Keycloak, OAuth2, OpenID Connect, and PKCE fit into secure application architecture. Previous Episode:    • RAG Explainer EP06 | IAM, OAuth2, OIDC, To...   Next Episode: [tbd] Full Playlist: [tbd] Subscribe to Secure AI Learning Lab for practical Enterprise AI, Secure AI, Agentic AI, RAG, Python, Flask, LangChain, Keycloak, OAuth2/OIDC, SAML 2.0, and secure-by-design architecture walkthroughs. Chapters: 00:00 Introduction 00:07 Continuing from the previous IAM video 00:14 What Keycloak is 00:32 Keycloak support for OAuth2, OIDC, and SAML 2.0 00:56 What is a Keycloak realm? 01:14 One Keycloak server for multiple applications 01:32 Realm as a security and identity boundary 02:19 What is an OIDC client? 02:43 Public clients for browser and mobile apps 02:58 Confidential clients for backend services 03:17 Why applications need identity 03:51 Keycloak client configuration example 03:58 Valid redirect URI explained 04:31 Post-logout redirect URI explained 04:49 PKCE explained 05:18 Why browser and mobile clients should not keep secrets 06:07 How PKCE uses code verifier and code challenge 06:30 SHA-256 code challenge flow 07:10 Configuring PKCE S256 in Keycloak 07:40 Why architects must understand IAM 08:02 Closing and subscribe reminder #Keycloak #OAuth2 #OIDC #PKCE #IAM #SecureAI