Speaker

Halil Özkan

CTO @ Keymate

Istanbul, Turkey

Halil Özkan is the CTO and co-founder of Keymate, an enterprise-grade Identity and Access Management platform built on Keycloak.
A passionate technology leader and entrepreneur, he combines deep expertise in Java, APIs, and cloud-native architectures with a strong commitment to open-source innovation, education, and digital transformation.

Area of Expertise

  • Information & Communications Technology

DPoP in Practice: Preventing Token Replay Attacks with Keycloak

Bearer tokens are convenient — but dangerously vulnerable to replay attacks if stolen. In this session, we dive into DPoP (Demonstrating Proof-of-Possession) bound token support in Keycloak (currently in preview mode) and showcase a real proof-of-concept (PoC) implementation.
You’ll see how to enable DPoP in Keycloak, configure clients (public and confidential) to require DPoP proof, generate DPoP proofs in client code, and observe Keycloak rejecting invalid or absent proofs. Alongside the demo, I’ll share lessons learned, adapter limitations, and how DPoP might be enforced at the API Gateway level.
By the end of this talk, you’ll understand when and how DPoP can be applied in real-world Keycloak deployments — and be ready to make informed decisions for your own architectures.

Keymate – Modern Authorization for Developers

Keymate is the missing piece for Keycloak-based access control.
Built natively on Keycloak and OpenFGA, it adds fine-grained, risk-adaptive, and data-sensitive authorization — all without replacing your IAM.
✔ Plug into any Keycloak (or other IAM) with zero migration
✔ SDKs for Java, .NET, JS — with @permission annotations
✔ Built-in “Why Denied?” simulations and visual DSL
✔ Support for ReBAC, PBAC, RADAC, DSAC
✔ Organization-aware tokens and multi-tenant delegation
✔ Fully event-driven and OpenTelemetry-native
For developers, for teams, for IAM at scale — powered by Keycloak, extended by Keymate.
