Halil Özkan
CTO @ Keymate
Istanbul, Turkey
Halil Özkan is the CTO and co-founder of Keymate, an enterprise-grade Identity and Access Management platform built on Keycloak.
A passionate technology leader and entrepreneur, he combines deep expertise in Java, APIs, and cloud-native architectures with a strong commitment to open-source innovation, education, and digital transformation.
Zero-Code Service Authorization on Kubernetes: Keycloak Decisions Enforced with Istio Ambient
Modern Kubernetes environments require consistent service-to-service authorization without pushing policy logic into application code. In this session, we demonstrate a zero-code authorization model that centralizes policy decisions in Keycloak and enforces them transparently at the service mesh layer.
Using Istio Ambient Mode and waypoint proxies, we implement a WebAssembly-based Policy Enforcement Point (PEP) that evaluates each HTTP request at L7. Applications remain unchanged while authorization is handled entirely at the platform layer.
We also show how to make authorization observable by combining standard mesh telemetry (L4/L7) with domain-specific authorization signals exported through OpenTelemetry to an in-cluster Collector. The session includes a live demonstration of this architecture running on Kubernetes and discusses practical trade-offs such as decision latency and future optimization paths.
DPoP in Practice: Preventing Token Replay Attacks with Keycloak
Bearer tokens are convenient — but dangerously vulnerable to replay attacks if stolen. In this session, we dive into DPoP (Demonstrating Proof-of-Possession) bound token support in Keycloak (currently in preview mode) and showcase a real proof-of-concept (PoC) implementation.
You’ll see how to enable DPoP in Keycloak, configure clients (public and confidential) to require DPoP proof, generate DPoP proofs in client code, and observe Keycloak rejecting invalid or absent proofs. Alongside the demo, I’ll share lessons learned, adapter limitations, and how DPoP might be enforced at the API Gateway level.
By the end of this talk, you’ll understand when and how DPoP can be applied in real-world Keycloak deployments — and be ready to make informed decisions for your own architectures.
Keymate – Modern Authorization for Developers
Keymate is the missing piece for Keycloak-based access control.
Built natively on Keycloak and OpenFGA, it adds fine-grained, risk-adaptive, and data-sensitive authorization — all without replacing your IAM.
✔ Plug into any Keycloak (or other IAM) with zero migration
✔ SDKs for Java, .NET, JS — with @permission annotations
✔ Built-in “Why Denied?” simulations and visual DSL
✔ Support for ReBAC, PBAC, RADAC, DSAC
✔ Organization-aware tokens and multi-tenant delegation
✔ Fully event-driven and OpenTelemetry-native
For developers, for teams, for IAM at scale — powered by Keycloak, extended by Keymate.