102 Security Tests

Every validation rule is verified with automated tests covering OIDC, SAML, Admin API, and token response security.

Test Categories

The test suite is organised into the following categories; the counts below add up to the 102 tests.

OIDC Validation

15 Tests

Grant type enforcement, scope validation, PKCE, state/nonce, redirect URI.


SAML Security

8 Tests

XXE prevention, signature wrapping detection, algorithm enforcement.


Admin API Protection

12 Tests

Endpoint whitelist, master realm blocking, export prevention, bulk detection.


Token Validation

10 Tests

JWT algorithm, lifetime, claim leakage, token size, structure validation.


Redirect URI Security

8 Tests

HTTPS enforcement, localhost blocking, private IP blocking, fragment detection.

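The redirect URI checks listed above (HTTPS enforcement, localhost blocking, private IP blocking, fragment detection) combined with exact matching against a client's registered URIs, as an added example. This is not the project's own test code; the registered URI list and the rejection reason strings are constructed assumptions, and the validator honours no wildcard or prefix matching.

```python
"""Redirect URI validation for an OIDC authorization request (added example,
not the project's own code). Stdlib only."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample client registration (assumption: exact URIs, no wildcards).
REGISTERED_REDIRECT_URIS = [
    "https://app.example.com/callback",
    "https://app.example.com:8443/callback",
]


def _canonical(parts):
    """Normalise scheme/host/port/path/query so that a missing port equals the
    scheme default and an empty path equals "/"."""
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port,
            parts.path or "/", parts.query)


def validate_redirect_uri(uri, registered):
    """Return (accepted, reason); each rejection names the failed check."""
    if "#" in uri:                           # RFC 6749 s3.1.2: no fragment component
        return False, "fragment-present"
    try:
        parts = urlsplit(uri)
        parts.port                           # raises ValueError on a non-numeric port
    except ValueError:
        return False, "unparseable"
    if parts.scheme.lower() != "https":
        return False, "scheme-not-https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo-in-authority"   # https://trusted@evil/ confusion
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing-host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost"
    try:
        ip = ipaddress.ip_address(host)      # .hostname already strips IPv6 brackets
    except ValueError:
        ip = None                            # a DNS name, not an IP literal
    if ip is not None and not ip.is_global:  # private, loopback, link-local, reserved
        return False, "non-public-ip"
    allowed = {_canonical(urlsplit(r)) for r in registered}
    if _canonical(parts) not in allowed:
        return False, "not-registered"
    return True, "ok"


def run_samples():
    """Constructed inputs exercising each rule; returns {uri: reason}."""
    samples = [
        "https://app.example.com/callback",
        "https://app.example.com:443/callback",
        "http://app.example.com/callback",
        "https://app.example.com/callback#access_token=x",
        "https://localhost:8080/callback",
        "https://10.0.0.5/callback",
        "https://[::1]/callback",
        "https://app.example.com@evil.example/callback",
        "https://app.example.com/callback/../admin",
    ]
    return {u: validate_redirect_uri(u, REGISTERED_REDIRECT_URIS)[1] for u in samples}


if __name__ == "__main__":
    for uri, reason in run_samples().items():
        print(f"{reason:22} {uri}")
```

The fragment check runs on the raw string before parsing so that a bare trailing "#" is caught too, and the path is compared unnormalised, so "/callback/../admin" fails the exact match rather than being resolved to something that looks registered.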

Realm & Client Isolation

6 Tests

Realm whitelist, client ID validation, per-client policy enforcement.


Security Headers

5 Tests

HSTS, CSP, X-Content-Type-Options, X-Frame-Options enforcement.


Injection Prevention

18 Tests

SQL injection, XSS, path traversal, request smuggling detection.


Rate Limiting

8 Tests

Per-IP and per-client rate limiting, connection limiting, brute force detection.


Edge Cases

12 Tests

Malformed tokens, encoding attacks, boundary analysis, error handling.


Bidirectional Validation

Request Validation (16 Steps)

Every incoming request passes through the full 16-step validation pipeline, which includes:

  • OIDC grant type and scope enforcement
  • PKCE and state/nonce validation
  • Admin API endpoint whitelist
  • SAML XXE and signature wrapping prevention
  • SQL injection and XSS detection
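The OIDC steps of the request-side pipeline (grant type and scope enforcement, PKCE, state/nonce) for one client, as an added example. This is not the project's own code: the per-client policy, the minimum state/nonce length and the idea that the proxy keeps the code_challenge from the authorization request until the matching token request are assumptions. The Admin API, SAML and injection steps are not shown.

```python
"""Request-side OIDC checks: grant type, scope, PKCE (S256), state/nonce.
Added example, not the project's own code. Stdlib only."""
import base64
import hashlib
import hmac
import re

# Constructed per-client policy (assumption: derived from the client registration).
CLIENT_POLICIES = {
    "web-app": {
        "grant_types": {"authorization_code", "refresh_token"},
        "scopes": {"openid", "profile", "email"},
        "pkce_required": True,
    },
}
MIN_STATE_NONCE_LEN = 16                                # assumption: policy value
_CHALLENGE_RE = re.compile(r"[A-Za-z0-9_-]{43}")        # base64url(SHA-256), unpadded
_VERIFIER_RE = re.compile(r"[A-Za-z0-9._~-]{43,128}")   # RFC 7636 s4.1


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 s4.2."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def validate_authorize_request(params, client_id):
    """Check an authorization request. Returns a list of findings (empty = pass)."""
    policy = CLIENT_POLICIES.get(client_id)
    if policy is None:
        return ["unknown-client"]
    findings = []
    if params.get("response_type") != "code":           # no implicit or hybrid flows
        findings.append("response_type-not-code")
    scopes = set(params.get("scope", "").split())
    if "openid" not in scopes:
        findings.append("missing-openid-scope")
    extra = sorted(scopes - policy["scopes"])
    if extra:
        findings.append("scope-not-allowed:" + ",".join(extra))
    if policy["pkce_required"]:
        if params.get("code_challenge_method") != "S256":   # "plain" is rejected
            findings.append("pkce-method-not-S256")
        if not _CHALLENGE_RE.fullmatch(params.get("code_challenge", "")):
            findings.append("bad-code-challenge")
    for name in ("state", "nonce"):
        if len(params.get(name, "")) < MIN_STATE_NONCE_LEN:
            findings.append(f"weak-or-missing-{name}")
    return findings


def validate_token_request(params, client_id, stored_challenge):
    """Check a token request; stored_challenge is the code_challenge recorded
    for the authorization code being redeemed (assumption: kept by the proxy)."""
    policy = CLIENT_POLICIES.get(client_id)
    if policy is None:
        return ["unknown-client"]
    findings = []
    grant = params.get("grant_type")
    if grant not in policy["grant_types"]:               # e.g. password grant
        findings.append(f"grant_type-not-allowed:{grant}")
    if grant == "authorization_code" and policy["pkce_required"]:
        verifier = params.get("code_verifier", "")
        if not _VERIFIER_RE.fullmatch(verifier):
            findings.append("bad-code-verifier")
        elif not hmac.compare_digest(s256_challenge(verifier), stored_challenge):
            findings.append("pkce-verification-failed")
    return findings


if __name__ == "__main__":
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"   # RFC 7636 App. B verifier
    challenge = s256_challenge(verifier)
    auth = {"response_type": "code", "scope": "openid profile",
            "code_challenge": challenge, "code_challenge_method": "S256",
            "state": "s" * 32, "nonce": "n" * 32}
    print(validate_authorize_request(auth, "web-app"))
    print(validate_token_request({"grant_type": "authorization_code",
                                  "code_verifier": verifier}, "web-app", challenge))
    print(validate_token_request({"grant_type": "password"}, "web-app", challenge))
```

The verifier is compared with hmac.compare_digest after re-deriving the challenge, and the format regexes are applied before hashing so that an attacker cannot probe the hash step with arbitrary bytes.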

Response Validation (9 Steps)

Every response from Keycloak is validated before reaching clients; the 9-step pipeline includes:

  • JWT algorithm and structure validation
  • Token lifetime enforcement
  • Claim leakage detection
  • Security header enforcement
  • Discovery document and JWKS inspection
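The JWT part of the response-side pipeline (algorithm, structure, lifetime, claim leakage, token size), as an added example. This is not the project's own code: the allowed algorithm set, the size and lifetime limits, the list of claim names treated as leaks and the finding strings are assumptions. The example deliberately does not verify the signature (that requires the realm's JWKS); it rejects tokens that should never reach a client regardless of signature, and build_sample_jwt() exists only to construct test input with a placeholder signature.

```python
"""Response-side inspection of a JWT issued by Keycloak (added example, not
the project's own code). Stdlib only; no signature verification."""
import base64
import json

ALLOWED_ALGS = {"RS256", "PS256", "ES256"}                   # assumption: asymmetric only
MAX_TOKEN_BYTES = 4096                                       # assumption: size policy
MAX_LIFETIME_SECONDS = 300                                   # assumption: 5-minute access tokens
LEAKY_CLAIMS = {"password", "secret", "client_secret", "ssn"}  # assumption: deny-list
REQUIRED_CLAIMS = {"iss", "sub", "aud", "exp", "iat"}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_jwt(token, now, expected_issuer):
    """Return a list of findings; an empty list means the token passes."""
    findings = []
    if len(token.encode()) > MAX_TOKEN_BYTES:
        findings.append("token-too-large")
    segments = token.split(".")
    if len(segments) != 3:                       # JWS compact serialisation only
        return findings + ["bad-structure"]
    try:
        header = json.loads(_b64url_decode(segments[0]))
        claims = json.loads(_b64url_decode(segments[1]))
    except ValueError:                           # bad base64url, UTF-8 or JSON
        return findings + ["undecodable-segment"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return findings + ["bad-structure"]
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:                  # catches "none" and HS* confusion
        findings.append(f"alg-not-allowed:{alg}")
    if not segments[2]:
        findings.append("missing-signature")
    missing = sorted(REQUIRED_CLAIMS - claims.keys())
    if missing:
        findings.append("missing-claims:" + ",".join(missing))
    if claims.get("iss") != expected_issuer:
        findings.append("issuer-mismatch")
    exp, iat = claims.get("exp"), claims.get("iat")
    if isinstance(exp, int) and isinstance(iat, int):
        if exp - iat > MAX_LIFETIME_SECONDS:
            findings.append("lifetime-exceeds-policy")
        if exp <= now:
            findings.append("already-expired")
    leaked = sorted(k for k in claims if k.lower() in LEAKY_CLAIMS)
    if leaked:
        findings.append("claim-leakage:" + ",".join(leaked))
    return findings


def build_sample_jwt(header, claims, signature=b"constructed-placeholder"):
    """Assemble a JWT-shaped string for testing. The signature segment is a
    placeholder, not a real signature; inspect_jwt() never checks it."""
    def enc(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(claims),
                     _b64url_encode(signature) if signature else ""])


if __name__ == "__main__":
    now, iss = 1_700_000_000, "https://sso.example.com/realms/demo"   # constructed
    good = build_sample_jwt({"alg": "RS256", "kid": "k1"},
                            {"iss": iss, "sub": "u1", "aud": "app", "iat": now, "exp": now + 300})
    bad = build_sample_jwt({"alg": "none"},
                           {"iss": iss, "sub": "u1", "aud": "app", "iat": now,
                            "exp": now + 86400, "password": "hunter2"}, signature=b"")
    print(inspect_jwt(good, now, iss))
    print(inspect_jwt(bad, now, iss))
```

Findings accumulate rather than short-circuiting after the first problem, except where a later check could not run (fewer than three segments, or a segment that does not decode), so a single response produces one complete report.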

Compliance Mapping

Our tests are aligned with industry standards and regulations.

ISO 27001

Controls for access control, cryptography, and operational security.

OWASP Top 10

Full coverage of OWASP API Security Top 10 risks.

BSI Grundschutz

IT baseline protection modules for web applications and identity management.

BAIT/VAIT

Financial sector-specific requirements from BaFin.