Web Application Security with Your Keycloak Deployment
As more companies adopt Keycloak for enterprise identity and access management, security is no longer just a back-end concern. One of the most frequent questions we hear at Phase Two is:
"Should I put a Web Application Firewall (WAF) in front of Keycloak?"
The short answer? It depends—but it's a smart question to ask.
In this post, we'll break down what Keycloak provides out of the box, explore common attack vectors (especially around authentication endpoints), and help you evaluate whether you need to add an external firewall or WAF to your deployment.
What Security Does Keycloak Provide?
Keycloak includes several built-in protections, especially around login abuse detection:
- Brute Force Detection: Limit login attempts per user/IP combination
- Event Logging: Track login attempts, errors, and success/failure trends
- Account Lockout: Lock users after repeated failures
- Rate Limiting (indirect via proxies): Supports integration with reverse proxies/load balancers
- Session Expiry Controls: Limits token lifespan and session reuse
These help protect against basic abuse patterns like credential stuffing and dictionary attacks—but they aren’t designed to stop network-level threats like DDoS or complex bot traffic.
Which Keycloak Endpoints Get Targeted?
The most vulnerable part of a Keycloak deployment is also its most exposed: the login page.
Commonly targeted endpoints:
/realms/{realm}/protocol/openid-connect/auth/realms/{realm}/protocol/openid-connect/token/realms/{realm}/account//realms/{realm}/login-actions/authenticate- Password reset and registration endpoints
These routes are exposed by design. If your login page is available to users around the world, it’s available to bots and attackers too.
So, When Should You Consider a WAF?
A WAF can protect your Keycloak deployment from a wide range of threats that Keycloak itself is not built to handle, such as:
- DDoS attacks targeting login endpoints
- Bot-driven enumeration attacks (e.g., slow username probing)
- IP spoofing or rotation attempts
- Malformed request injection or protocol abuse
A WAF provides layer 7 security, filtering traffic based on behavior, headers, and known attack patterns.
You might consider a WAF if:
- You expose Keycloak login pages publicly to thousands/millions of users
- You run multi-tenant or CIAM deployments
- You’ve experienced repeated attack attempts (or near misses)
- You need deeper visibility and mitigation for L7 (application-level) traffic
- You want geo-blocking, bot detection, or rate limiting with fine control
Real-World Example: What a DDoS Can Look Like
A team running Keycloak recently shared their experience dealing with a multi-phase login enumeration DDoS attack:
- Attackers gradually increased pressure, beginning with low-rate enumeration
- A misconfiguration allowed for excessive open connections that exhausted resources
- Over time, they escalated to thousands of login requests per minute
- Sophisticated use of IP rotation made IP bans ineffective
Even though no data was breached, the attack overwhelmed infrastructure and required layered mitigation—including a WAF to filter malicious patterns without affecting legitimate traffic.
Phase Two has helped customers build resilient defenses to ensure they're ready before attackes like this happens.
How to Architect Defenses Around Keycloak
Whether or not you use a WAF, we recommend the following layered defense strategy. Using some or all of these can help.
Keycloak Brute Force & Session Policies
Enable built-in brute force detection, set aggressive session expiration limits, and disable unused endpoints like user registration.
WAF (Optional but Recommended)
Use a WAF like Cloudflare, AWS WAF, or Fastly to block known bad actors and patterns. Look for features like:
- Rate limiting by path (e.g.,
/auth) - Bot management
- CAPTCHA or JS challenge enforcement
- Real-time threat feeds
As part of Phase Two's Enterprise hosting we provide the ability to integrate the WAF of your choosing along with your infrastructure.
Monitoring & Anomaly Detection
Log traffic and authentication events. Set up alerts for spikes in failures, long-lived sessions, or abnormal IP geographies. Phase Two's built-in monitoring is already pre-configured to note changes in traffic and abnormal patterns.
Reverse Proxy
Use NGINX or Envoy in front of Keycloak to terminate TLS, cache static assets, and enforce basic rate limits.
So, Do You Need a WAF?
If you're running Keycloak inside a secure corporate network and exposing login only to employees, maybe not.
But if you're serving external users—especially at scale—the answer leans strongly toward yes.
Even the most robust IAM systems can be overwhelmed by network-level threats they weren’t built to handle. A WAF isn’t a silver bullet—but it’s a strong, smart addition to a well-architected identity stack. Defense-in-depth is truly the only option for full network security of any web property.
How Phase Two Helps
At Phase Two, we specialize in managing and securing Keycloak at scale. Our hosted platform includes:
- Hardened Keycloak configurations
- Pre-integrated reverse proxy protections
- Best-practice DDoS and abuse mitigation
- Optional WAF integrations
- 24/7 observability and response tooling
We help teams design IAM infrastructure that’s not just compliant—but resilient.
Want to talk WAFs, login security, or DDoS mitigation?