All NewsSecurity

KeycloakCon Japan 2026: Navigating cloud native identity and the AI frontier

The countdown is officially on. In just a few weeks, the cloud-native ecosystem meets in Yokohama for KubeCon + CloudNativeCon Japan 2026. Taking place on Tuesd

07 / 14 / 2026Source: Security
Test ingest layout blocks
Feature image

News

What happened

The countdown is officially on. In just a few weeks, the cloud-native ecosystem meets in Yokohama for KubeCon + CloudNativeCon Japan 2026. Taking place on Tuesday, July 28 from 09:00 – 12:30, KeycloakCon Japan brings together... The countdown is officially on. In just a few weeks, the cloud-native ecosystem meets in Yokohama for KubeCon + CloudNativeCon Japan 2026 . Taking place on Tuesday, July 28 from 09:00 – 12:30 , KeycloakCon Japan brings together maintainers, enterprise architects, and core contributors for a half-day, single-track intensive event. If you are building modern cloud platform infrastructure, securing software supply chains, or wrestling with autonomous AI agent governance, read why you need to add KeycloakCon to your KubeCon + CloudNativeCon pass. Identity for the AI Era: Solving the “Confused Deputy” and MCP Governance The dominant theme of KeycloakCon Japan 2026 is the explosive shift toward autonomous AI agents and the Model Context Protocol (MCP). When an AI agent acts on behalf of a human user, calls downstream APIs, and crosses trust boundaries, traditional authorization boundaries collapse. KeycloakCon dedicates a major portion of the morning to solving this challenge based on the open identity standards already included in Keycloak. The Architecture Blueprint: Yuxiang Lin (Midships Global) cuts through market hype to make the enterprise case that purpose-built AI identity vendors are an unnecessary dependency. The core primitives—OAuth 2.0 token delegation, token exchange, fine-grained scope enforcement, and audit trails—are already production-ready in Keycloak. Identity Chaining & ID-JAG: Yutaka Obuchi (Hitachi, Ltd.) and Tatsuya Yano (LY Corporation) tackle the technical implementation of Identity Assertion JWT Authorization Grants (ID-JAG). Yutaka demonstrates how to extend Keycloak’s Token Exchange Provider to externalize authorization from fragmented MCP servers. Tatsuya brings massive-scale real-world context f

The countdown is officially on. In just a few weeks, the cloud-native ecosystem meets in Yokohama for KubeCon + CloudNativeCon Japan 2026. Taking place on Tuesday, July 28 from 09:00 – 12:30, KeycloakCon Japan brings together... The countdown is officially on. In just a few weeks, the cloud-native ecosystem meets in Yokohama for KubeCon + CloudNativeCon Japan 2026 . Taking place on Tuesday, July 28 from 09:00 – 12:30 , KeycloakCon Japan brings together maintainers, enterprise architects, and core contributors for a half-day, single-track intensive event. If you are building modern cloud platform infrastructure, securing software supply chains, or wrestling with autonomous AI agent governance, read why you need to add KeycloakCon to your KubeCon + CloudNativeCon pass. Identity for the AI Era: Solving the “Confused Deputy” and MCP Governance The dominant theme of KeycloakCon Japan 2026 is the explosive shift toward autonomous AI agents and the Model Context Protocol (MCP). When an AI agent acts on behalf of a human user, calls downstream APIs, and crosses trust boundaries, traditional authorization boundaries collapse. KeycloakCon dedicates a major portion of the morning to solving this challenge based on the open identity standards already included in Keycloak. The Architecture Blueprint: Yuxiang Lin (Midships Global) cuts through market hype to make the enterprise case that purpose-built AI identity vendors are an unnecessary dependency. The core primitives—OAuth 2.0 token delegation, token exchange, fine-grained scope enforcement, and audit trails—are already production-ready in Keycloak. Identity Chaining & ID-JAG: Yutaka Obuchi (Hitachi, Ltd.) and Tatsuya Yano (LY Corporation) tackle the technical implementation of Identity Assertion JWT Authorization Grants (ID-JAG). Yutaka demonstrates how to extend Keycloak’s Token Exchange Provider to externalize authorization from fragmented MCP servers. Tatsuya brings massive-scale real-world context from the infrastructure powering LINE and Yahoo! JAPAN, showing how to unify Keycloak with CNCF Athenz to prevent the notorious “Confused Deputy” vulnerability. Zero-Trust, Keyless AI Agents on Kubernetes: Mustafa Dayıoğlu (TUBITAK) takes a deep dive into some of the latest Keycloak features. He showcases a keyless MCP workload identity pattern on Kubernetes that leverages SPIRE for runtime identity (JWT-SVIDs) and DPoP to block token replay—resulting in zero static credential files and zero human-created Keycloak clients. The Bigger Picture: Takashi Norimatsu (Hitachi, Ltd.) delivers a keynote highlighting how active open-source contribution is foundational to sustaining safe, enterprise-grade AI within critical social and enterprise infrastructure. Hardening Cloud-Native Infrastructure: From Build Pipelines to Service Meshes Identity extends far beyond the user login screen. Modern cloud-native platform engineering requires verifying identities inside automated pipelines and between ephemeral microservices seamlessly. Binding Human Identity to Code Signatures: Most organizations treat artifact signing (Sigstore) and user management (Keycloak) as isolated silos. Oshi Gupta (Infracloud Technologies) and Sagar Utekar (Crowdstrike) demonstrate how to wire Keycloak directly into Sigstore’s keyless signing flow as the OIDC provider, ensuring every build signature is cryptographically bound back to a verified identity in your trust domain. They will cover exact Fulcio configurations and how to handle token expiry during long automated builds. Platform-Level Service Authorization: Halil Özkan (Keymate) delivers a highly technical lightning talk on using Keycloak Authorization Services as a centralized platform control plane. Using Istio Ambient mode, waypoint proxies, and a WebAssembly (WASM) enforcement extension, he shows how to evaluate service-to-service HTTP requests without modifying application code, complete with live latency and reliability trade-off analysis. Production Operational Survival & Project Evolution Operating identity platforms at scale means managing long-term lifecycles, avoiding breaking changes, and staying ahead of the project roadmap. The Ticking Certificate Timebomb: Organizations that adopted Keycloak in the late 2010s are hitting a major milestone: the hardcoded 10-year expiry of built-in realm signing certificates. Hiroyuki Wada (Nomura Research Institute, Ltd.) breaks down why global realm key rotation is an extreme operational risk for mixed OIDC/SAML enterprise environments. He introduces a vital upstream solution: per-client signing key selection, allowing risk-free, client-by-client migration. What’s New & Next: Keycloak maintainer Alexander Schwartz (IBM) delivers a fast-paced lightning talk and demo exploring the latest cloud-native features landed in Keycloak. Discover how the project is expanding support for machine identities (via SPIFFE/SPIRE and Kubernetes tokens), strong human authentication via Passkeys, and automated user cross-domain synchronization using SCIM. Networking, Community, and Evening Reception KeycloakCon is fundamentally a community-driven space. Outside of the technical tracks, you can connect directly with core maintainers and peer architects during the dedicated coffee breaks. The Celebration: After an intense morning of identity deep-dives and a full day of KubeCon co-located events, unwind at the official Evening Reception sponsored by Octopus Deploy (17:00 – 18:15) for drinks, appetizers, and casual networking. All Week Long: Don’t forget to visit the Keycloak Kiosk at Level 3 during the afternoon project hours to grab stickers, participate in our feature roadmap survey, and sync up with the ecosystem contributors. Registration Details KeycloakCon Japan is an add-on option for KubeCon + CloudNativeCon Japan 2026. This is the perfect opportunity for local and traveling platform engineers already heading to Yokohama to maximize their security tr

Release at a glance

Key facts from the announcement.

Version

2.0

Source

CNCF Blog

REMOTE ACCESS

Protect Your Admin Sessions

A zero-exposure architecture secures your server. A VPN secures you — encrypting your connection when managing infrastructure from untrusted networks, coffee shops, or travel. NordVPN is what we use for this layer.

Try NordVPN

This is an affiliate link. If you purchase, I earn a commission at no extra cost to you.

Changes at a glance

What's new

The countdown is officially on. In just a few weeks, the cloud-native ecosystem meets in Yokohama for KubeCon + CloudNativeCon Japan 2026. Taking place on Tuesday, July 28 from 09:00 – 12:30, KeycloakCon Japan brings together... The countdown is officially on. In just a few weeks, the cloud-native ecosystem meets in Yokohama for KubeCon + CloudNativeCon Japan 2026 . Taking place on Tuesday, July 28 from 09:00 – 12:30 , KeycloakCon Japan brings together maintainers, enterprise architects, and core contributors for a half-day, single-track intensive event. If you are building modern cloud platform infrastructure, securing software supply chains, or wrestling with autonomous AI agent governance, read why you need to add KeycloakCon to your KubeCon + CloudNativeCon pass. Identity for the AI Era: Solving the “Confused Deputy” and MCP Governance The dominant theme of KeycloakCon Japan 2026 is the explosive shift toward autonomous AI agents and the Model Context Protocol (MCP). When an AI agent acts on behalf of a human user, calls downstream APIs, and crosses trust boundaries, traditional authorization boundaries collapse. KeycloakCon dedicates a major portion of the morning to solving this challenge based on the open identity standards already included in Keycloak. The Architecture Blueprint: Yuxiang Lin (Midships Global) cuts through market hype to make the enterprise case that purpose-built AI identity vendors are an unnecessary dependency. The core primitives—OAuth 2.0 token delegation, token exchange, fine-grained scope enforcement, and audit trails—are already production-ready in Keycloak. Identity Chaining & ID-JAG: Yutaka Obuchi (Hitachi, Ltd.) and Tatsuya Yano (LY Corporation) tackle the technical implementation of Identity Assertion JWT Authorization Grants (ID-JAG). Yutaka demonstrates how to extend Keycloak’s Token Exchange Provider to externalize authorization from fragmented MCP servers. Tatsuya brings massive-scale real-world context from the infrastructure powering LINE and Yahoo! JAPAN, showing how to unify Keycloak with CNCF Athenz to prevent the notorious “Confused Deputy” vulnerability. Zero-Trust, Keyless AI Agents on Kubernetes: Mustafa Dayıoğlu (TUBITAK) takes a deep dive into some of the latest Keycloak features. He showcases a keyless MCP workload identity pattern on Kubernetes that leverages SPIRE for runtime identity (JWT-SVIDs) and DPoP to block token replay—resulting in zero static credential files and zero human-created Keycloak clients. The Bigger Picture: Takashi Norimatsu (Hitachi, Ltd.) delivers a keynote highlighting how active open-source contribution is foundational to sustaining safe, enterprise-grade AI within critical social and enterprise infrastructure. Hardening Cloud-Native Infrastructure: From Build Pipelines to Service Meshes Identity extends far beyond the user login screen. Modern cloud-native platform engineering requires verifying identities inside automated pipelines and between ephemeral microservices seamlessly. Binding Human Identity to Code Signatures: Most organizations treat artifact signing (Sigstore) and user management (Keycloak) as isolated silos. Oshi Gupta (Infracloud Technologies) and Sagar Utekar (Crowdstrike) demonstrate how to wire Keycloak directly into Sigstore’s keyless signing flow as the OIDC provider, ensuring every build signature is cryptographically bound back to a verified identity in your trust domain. They will cover exact Fulcio configurations and how to handle token expiry during long automated builds. Platform-Level Service Authorization: Halil Özkan (Keymate) delivers a highly technical lightning talk on using Keycloak Authorization Services as a centralized platform control plane. Using Istio Ambient mode, waypoint proxies, and a WebAssembly (WASM) enforcement extension, he shows how to evaluate service-to-service HTTP requests without modifying application code, complete with live latency and reliability trade-off analysis. Production Operational Survival & Project Evolution Operating identity platforms at scale means managing long-term lifecycles, avoiding breaking changes, and staying ahead of the project roadmap. The Ticking Certificate Timebomb: Organizations that adopted Keycloak in the late 2010s are hitting a major milestone: the hardcoded 10-year expiry of built-in realm signing certificates. Hiroyuki Wada (Nomura Research Institute, Ltd.) breaks down why global realm key rotation is an extreme operational risk for mixed OIDC/SAML enterprise environments. He introduces a vital upstream solution: per-client signing key selection, allowing risk-free, client-by-client migration. What’s New & Next: Keycloak maintainer Alexander Schwartz (IBM) delivers a fast-paced lightning talk and demo exploring the latest cloud-native features landed in Keycloak. Discover how the project is expanding support for machine identities (via SPIFFE/SPIRE and Kubernetes tokens), strong human authentication via Passkeys, and automated user cross-domain synchronization using SCIM. Networking, Community, and Evening Reception KeycloakCon is fundamentally a community-driven space. Outside of the technical tracks, you can connect directly with core maintainers and peer architects during the dedicated coffee breaks. The Celebration: After an intense morning of identity deep-dives and a full day of KubeCon co-located events, unwind at the official Evening Reception sponsored by Octopus Deploy (17:00 – 18:15) for drinks, appetizers, and casual networking. All Week Long: Don’t forget to visit the Keycloak Kiosk at Level 3 during the afternoon project hours to grab stickers, participate in our feature roadmap survey, and sync up with the ecosystem contributors. Registration Details KeycloakCon Japan is an add-on option for KubeCon + CloudNativeCon Japan 2026. This is the perfect opportunity for local and traveling platform engineers already heading to Yokohama to maximize their security tr

Breaking changes

No breaking changes were reported in the source material.

Analysis

In detail

The countdown is officially on. In just a few weeks, the cloud-native ecosystem meets in Yokohama for KubeCon + CloudNativeCon Japan 2026. Taking place on Tuesday, July 28 from 09:00 – 12:30, KeycloakCon Japan brings together... The countdown is officially on. In just a few weeks, the cloud-native ecosystem meets in Yokohama for KubeCon + CloudNativeCon Japan 2026 . Taking place on Tuesday, July 28 from 09:00 – 12:30 , KeycloakCon Japan brings together maintainers, enterprise architects, and core contributors for a half-day, single-track intensive event. If you are building modern cloud platform infrastructure, securing software supply chains, or wrestling with autonomous AI agent governance, read why you need to add KeycloakCon to your KubeCon + CloudNativeCon pass. Identity for the AI Era: Solving the “Confused Deputy” and MCP Governance The dominant theme of KeycloakCon Japan 2026 is the explosive shift toward autonomous AI agents and the Model Context Protocol (MCP). When an AI agent acts on behalf of a human user, calls downstream APIs, and crosses trust boundaries, traditional authorization boundaries collapse. KeycloakCon dedicates a major portion of the morning to solving this challenge based on the open identity standards already included in Keycloak. The Architecture Blueprint: Yuxiang Lin (Midships Global) cuts through market hype to make the enterprise case that purpose-built AI identity vendors are an unnecessary dependency. The core primitives—OAuth 2.0 token delegation, token exchange, fine-grained scope enforcement, and audit trails—are already production-ready in Keycloak. Identity Chaining & ID-JAG: Yutaka Obuchi (Hitachi, Ltd.) and Tatsuya Yano (LY Corporation) tackle the technical implementation of Identity Assertion JWT Authorization Grants (ID-JAG). Yutaka demonstrates how to extend Keycloak’s Token Exchange Provider to externalize authorization from fragmented MCP servers. Tatsuya brings massive-scale real-world context from the infrastructure powering LINE and Yahoo! JAPAN, showing how to unify Keycloak with CNCF Athenz to prevent the notorious “Confused Deputy” vulnerability. Zero-Trust, Keyless AI Agents on Kubernetes: Mustafa Dayıoğlu (TUBITAK) takes a deep dive into some of the latest Keycloak features. He showcases a keyless MCP workload identity pattern on Kubernetes that leverages SPIRE for runtime identity (JWT-SVIDs) and DPoP to block token replay—resulting in zero static credential files and zero human-created Keycloak clients. The Bigger Picture: Takashi Norimatsu (Hitachi, Ltd.) delivers a keynote highlighting how active open-source contribution is foundational to sustaining safe, enterprise-grade AI within critical social and enterprise infrastructure. Hardening Cloud-Native Infrastructure: From Build Pipelines to Service Meshes Identity extends far beyond the user login screen. Modern cloud-native platform engineering requires verifying identities inside automated pipelines and between ephemeral microservices seamlessly. Binding Human Identity to Code Signatures: Most organizations treat artifact signing (Sigstore) and user management (Keycloak) as isolated silos. Oshi Gupta (Infracloud Technologies) and Sagar Utekar (Crowdstrike) demonstrate how to wire Keycloak directly into Sigstore’s keyless signing flow as the OIDC provider, ensuring every build signature is cryptographically bound back to a verified identity in your trust domain. They will cover exact Fulcio configurations and how to handle token expiry during long automated builds. Platform-Level Service Authorization: Halil Özkan (Keymate) delivers a highly technical lightning talk on using Keycloak Authorization Services as a centralized platform control plane. Using Istio Ambient mode, waypoint proxies, and a WebAssembly (WASM) enforcement extension, he shows how to evaluate service-to-service HTTP requests without modifying application code, complete with live latency and reliability trade-off analysis. Production Operational Survival & Project Evolution Operating identity platforms at scale means managing long-term lifecycles, avoiding breaking changes, and staying ahead of the project roadmap. The Ticking Certificate Timebomb: Organizations that adopted Keycloak in the late 2010s are hitting a major milestone: the hardcoded 10-year expiry of built-in realm signing certificates. Hiroyuki Wada (Nomura Research Institute, Ltd.) breaks down why global realm key rotation is an extreme operational risk for mixed OIDC/SAML enterprise environments. He introduces a vital upstream solution: per-client signing key selection, allowing risk-free, client-by-client migration. What’s New & Next: Keycloak maintainer Alexander Schwartz (IBM) delivers a fast-paced lightning talk and demo exploring the latest cloud-native features landed in Keycloak. Discover how the project is expanding support for machine identities (via SPIFFE/SPIRE and Kubernetes tokens), strong human authentication via Passkeys, and automated user cross-domain synchronization using SCIM. Networking, Community, and Evening Reception KeycloakCon is fundamentally a community-driven space. Outside of the technical tracks, you can connect directly with core maintainers and peer architects during the dedicated coffee breaks. The Celebration: After an intense morning of identity deep-dives and a full day of KubeCon co-located events, unwind at the official Evening Reception sponsored by Octopus Deploy (17:00 – 18:15) for drinks, appetizers, and casual networking. All Week Long: Don’t forget to visit the Keycloak Kiosk at Level 3 during the afternoon project hours to grab stickers, participate in our feature roadmap survey, and sync up with the ecosystem contributors. Registration Details KeycloakCon Japan is an add-on option for KubeCon + CloudNativeCon Japan 2026. This is the perfect opportunity for local and traveling platform engineers already heading to Yokohama to maximize their security tr

Key takeaways

The most important facts from this update.

The countdown is officially on

Why it matters

If you run self-hosted infrastructure, homelab services, or automation stacks, this update is worth tracking before you change production.

Homelab impact

If you run related services in your homelab, review whether this update affects your current deployment. Check compatibility with your Docker Compose files, reverse proxy config, or network setup before you upgrade production stacks.

What to do next

Practical steps for operators running self-hosted stacks.

Read the full release notes or changelog on the source site
Check whether your current version is affected
Test the update in a staging environment before you change production

This brief covers what you need from CNCF Blog's reporting. Visit the original post for release notes, changelogs, and full technical documentation.

Self HostingSecurityInfrastructureArchitecture