DPoP in Practice: Preventing Token Replay Attacks with Keycloak
Bearer tokens are convenient, but possession alone is proof of authorization, so a stolen token can be replayed by anyone who holds it. In this session, we dive into DPoP (Demonstrating Proof-of-Possession) bound token support in Keycloak (currently in preview mode) and showcase a real proof-of-concept (PoC) implementation.
You’ll see how to enable DPoP in Keycloak, configure clients (public and confidential) to require DPoP proof, generate DPoP proofs in client code, and observe Keycloak rejecting invalid or absent proofs. Alongside the demo, I’ll share lessons learned, adapter limitations, and how DPoP might be enforced at the API Gateway level.
By the end of this talk, you’ll understand when and how DPoP can be applied in real-world Keycloak deployments — and be ready to make informed decisions for your own architectures.