Keycloak boots with a wide-open door unless you close it
Keycloak controls identity and access across apps and services. Without strict defaults, it may expose unnecessary user data or metadata. That means every realm, client, and user attribute needs to be configured with minimal disclosure from the start. The principle is simple: do not collect, store, or return what is not essential.
To achieve privacy by default in Keycloak, start with realm settings. Disable user registration unless required. Turn off unnecessary event listeners. Limit default roles so new accounts have only the access they truly need. For clients, lock down scopes to only those vital for the application. Remove public clients when possible, or enforce confidential flows with client secrets.
For user data, strip every attribute not core to authentication. Avoid storing phone numbers, addresses, or external IDs unless directly tied to a business function. Use the fine-grained protocol mappers to control exactly which claims get sent in tokens, and ensure they cannot leak sensitive fields. Audit every brokered identity mapping to prevent unintentional data pass-through.
Enable HTTPS and secure-cookie settings on all endpoints. Configure session lifetimes short enough to reduce risk but long enough for usability. Review the admin event and audit logs regularly. If federating identities, set trust to explicit rather than implied, and verify every upstream privacy setting.
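One way to check the settings above against a realm export (the JSON Keycloak produces on realm export), as an added example that is not part of the original post or of Keycloak or hoop.dev: the realm fragment is constructed, and the 8-hour session ceiling and the list of sensitive attribute names are assumed policy choices.

```python
import json

# Constructed realm export fragment (not from any real deployment) with the
# kind of defaults this audit is meant to flag: open registration, a public
# client with full scope, a mapper emitting a phone number, an IdP whose
# e-mail is trusted implicitly, and admin events turned off.
SAMPLE_REALM = json.loads("""
{
  "realm": "demo",
  "registrationAllowed": true,
  "sslRequired": "external",
  "ssoSessionMaxLifespan": 36000,
  "adminEventsEnabled": false,
  "clients": [
    {"clientId": "web-spa", "publicClient": true, "fullScopeAllowed": true,
     "protocolMappers": [
       {"name": "phone", "protocolMapper": "oidc-usermodel-attribute-mapper",
        "config": {"user.attribute": "phone", "claim.name": "phone",
                   "access.token.claim": "true"}}]},
    {"clientId": "api", "publicClient": false, "fullScopeAllowed": false,
     "protocolMappers": []}
  ],
  "identityProviders": [{"alias": "corp-saml", "trustEmail": true}]
}
""")

# Assumed policy: attributes that must not be emitted as claims, and the
# longest SSO session the organisation tolerates (8 hours).
SENSITIVE_ATTRS = {"phone", "phoneNumber", "address", "externalId"}
MAX_SSO_LIFESPAN_SECONDS = 8 * 3600


def audit_realm(realm: dict) -> list:
    """Return one finding string per privacy-relevant setting left open."""
    findings = []
    if realm.get("registrationAllowed"):
        findings.append("realm: self-registration enabled")
    if realm.get("sslRequired") != "all":  # 'all' forces HTTPS on every endpoint
        findings.append(f"realm: sslRequired={realm.get('sslRequired')!r}, expected 'all'")
    if realm.get("ssoSessionMaxLifespan", 0) > MAX_SSO_LIFESPAN_SECONDS:
        findings.append("realm: ssoSessionMaxLifespan exceeds policy ceiling")
    if not realm.get("adminEventsEnabled"):
        findings.append("realm: admin events disabled, no audit trail of config changes")
    for c in realm.get("clients", []):
        cid = c.get("clientId")
        if c.get("publicClient"):
            findings.append(f"client {cid}: public client, no client secret enforced")
        if c.get("fullScopeAllowed", True):  # Keycloak's default is full scope
            findings.append(f"client {cid}: fullScopeAllowed, scopes not limited")
        for m in c.get("protocolMappers", []):
            cfg = m.get("config", {})
            if (m.get("protocolMapper") == "oidc-usermodel-attribute-mapper"
                    and cfg.get("user.attribute") in SENSITIVE_ATTRS):
                findings.append(f"client {cid}: mapper emits '{cfg['user.attribute']}' "
                                f"as claim '{cfg.get('claim.name')}'")
    for idp in realm.get("identityProviders", []):
        if idp.get("trustEmail"):  # trust should be explicit, not implied
            findings.append(f"idp {idp.get('alias')}: trustEmail accepts upstream e-mail unverified")
    return findings


if __name__ == "__main__":
    for line in audit_realm(SAMPLE_REALM):
        print(line)
```

Run it against a real export (`kc.sh export` output) by replacing SAMPLE_REALM with the parsed file; an empty result means the realm matches the baseline described above.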
Keycloak’s default state is functional, not private. Privacy by default is an intentional build: close every unused endpoint, silence every unnecessary claim, and enforce every security policy at creation time. Once this baseline is set, expansion is safe because every new object inherits locked-down privacy from the start.
Want to see privacy-by-default identity management without a week of setup? Spin up a realm with hoop.dev and watch it live in minutes.