Keycloak Explained EP07 | Realms, OIDC Clients, Redirect URIs & PKCE
Welcome to Secure AI Learning Lab. In this episode, we continue the Identity and Access Management foundation series and start going deeper into Keycloak, one of the most useful open-source IAM platforms for learning, prototyping, and building secure enterprise applications. Keycloak supports major industry identity protocols such as OAuth2, OpenID Connect, and SAML 2.0. In this video, I explain some of the most important Keycloak concepts that architects and developers must understand before building secure applications. This episode covers: What Keycloak is and why it is useful for IAM How Keycloak compares conceptually with platforms such as Microsoft Entra ID, Okta, and Ping Identity OAuth2, OpenID Connect, and SAML 2.0 support What a Keycloak realm is Why a realm acts as a security and identity boundary How one Keycloak server can support multiple isolated applications or departments What an OIDC client is Why software applications need identity in IAM systems Public clients vs. confidential clients Why browser apps and mobile apps are normally public clients Why backend services and REST APIs can use confidential clients What a client ID and client secret mean What a valid redirect URI is Why Keycloak needs to know where to send the user after login What post-logout redirect URIs are How PKCE improves OAuth2/OIDC security What the code verifier and code challenge are Why SHA-256 / S256 should be used instead of plain PKCE Why architects and developers should understand these IAM fundamentals A key takeaway from this episode is that secure enterprise AI applications are not only about LLMs, RAG, embeddings, vector databases, and agents. They also need strong identity and access management foundations. Before an AI system can safely answer questions, upload documents, call APIs, or perform actions, it must know who the user is, what application is requesting access, and what the user or client is allowed to do. This video is useful for architects, developers, cybersecurity learners, AI engineers, and technology leaders who want to understand how Keycloak, OAuth2, OpenID Connect, and PKCE fit into secure application architecture. Previous Episode: • RAG Explainer EP06 | IAM, OAuth2, OIDC, To... Next Episode: [tbd] Full Playlist: [tbd] Subscribe to Secure AI Learning Lab for practical Enterprise AI, Secure AI, Agentic AI, RAG, Python, Flask, LangChain, Keycloak, OAuth2/OIDC, SAML 2.0, and secure-by-design architecture walkthroughs. Chapters: 00:00 Introduction 00:07 Continuing from the previous IAM video 00:14 What Keycloak is 00:32 Keycloak support for OAuth2, OIDC, and SAML 2.0 00:56 What is a Keycloak realm? 01:14 One Keycloak server for multiple applications 01:32 Realm as a security and identity boundary 02:19 What is an OIDC client? 02:43 Public clients for browser and mobile apps 02:58 Confidential clients for backend services 03:17 Why applications need identity 03:51 Keycloak client configuration example 03:58 Valid redirect URI explained 04:31 Post-logout redirect URI explained 04:49 PKCE explained 05:18 Why browser and mobile clients should not keep secrets 06:07 How PKCE uses code verifier and code challenge 06:30 SHA-256 code challenge flow 07:10 Configuring PKCE S256 in Keycloak 07:40 Why architects must understand IAM 08:02 Closing and subscribe reminder #Keycloak #OAuth2 #OIDC #PKCE #IAM #SecureAI

Keycloak Explained EP08 | Realm Roles, Client Roles, Scopes & Token Claims

7 Authentication Concepts Every Developer Should Know

Android 17 sucks. So I put Linux on a phone.

Cerebras Just Killed Second Brains

RAG Explainer EP09 | Flask Architecture, SSE & requirements.txt Explained
![You’ll stop using ChatGPT after listening to this | Jonathan Pageau [ARC 2026]](https://i.ytimg.com/vi/yZUuKzDQSsI/hqdefault.jpg?sqp=-oaymwEjCNACELwBSFryq4qpAxUIARUAAAAAGAElAADIQj0AgKJDeAE=&rs=AOn4CLAXTozuIcoGA_3ys1pkvHYXgL8C4Q)
You’ll stop using ChatGPT after listening to this | Jonathan Pageau [ARC 2026]

RAG Explainer EP06 | IAM, OAuth2, OIDC, Tokens & Keycloak Explained

MCP vs API Explained: Do You Really Need MCP?

How to Design APIs Like a Senior Engineer (REST, GraphQL, Auth, Security)

MCP vs API: Why traditional APIs are failing AI agents

No Boss, No Money: The Raw Reality of China’s Gen-Z Freelancers

The Linux Kernel is Falling Apart.

AI Agents Full Course 2026: Master Agentic AI (2 Hours)

Creator of C++: Bell Labs, Negative Overhead Abstraction, Mistakes | Bjarne Stroustrup

China Is About To Pop The AI Bubble

He Risked Everything To Warn You: No One Is Ready For What's Coming, And The AI Companies Know It!

How Senior Engineers Actually Build AI Agents in 2026 | Full Stack Browser Automation SaaS

China quietly saved the world last month

