Confirmed consultants for SSO, Authentication or identity management.

OAuth2.0, OpenID Connect with solutions like Keycloak, Ory Hydra or Gluu Server

| See what we do every day


Senior consultant, worked for companies like Berger-Levrault or OVH.

SSO specialist architect with multiple user sources (LDAP, AD, other IDPs)

Favorite work tool : a white board.


Senior consultant, worked on complex systems from conception to development.

Can adapt Keycloak for ANY use case by high skills and knowledge in extensions development.

Favorite work tool : a fully functional prototype

We helped them

Technical blog

An authenticator to check your Keycloak version

Introduction to authenticator development : display an alert message during login process if Keycloak is not up to date

Posted on Thu 07 March 2024

Use openid connect authentication in n8n workflow

Authenticate users in n8n workflow with openid connect, example with Keycloak.

Posted on Wed 29 November 2023

Our vision about authorizations

After years of consulting, we created our own authorization platform that perfectly fits with all needs we have seen.

Posted on Mon 06 November 2023

Keycloak config checker

Check bad configuration in Keycloak, connected to your monitoring.

Posted on Thu 28 September 2023

Deploy PostgREST on Clever-Cloud

Postgrest is an API generator from PostgreSQL databases, let's see how we can deploy and use it on Clever-Cloud.

Posted on Fri 18 August 2023

Keycloak as SSO for Airtable

Use your own Keycloak as SSO for Airtable.

Only available for the "enterprise" plan, you can add your own SSO to your Airtable organization. Lets take a look how to integrate Keycloak.

Posted on Fri 10 March 2023

ACR (Authentication Context Class Reference) and LOA (Level Of Authentication) with Keycloak, support in oidc-bash

Keycloak now supports Authentication Context Class Reference parameter for different Level of Authentication. It means that you can define different level of authentication in a single flow.

Posted on Wed 8 November 2022

A bash client for the CIBA OpenId Connect protocol

A little tool written in bash for understanding CIBA authentication protocol.

Posted on Wed 26 October 2022

Retrieve external IDP tokens in Keycloak

When you add external identity providers to your Keycloak Realm, it retrieves tokens from your identity providers, then sends back to your application a new access_token from your Keycloak Realm.

What about the original token ?

Posted on We 20 October 2022

Postgres Oauth2 authentication

How and why we added a module for postgres authentication that supports oauth2. This PAM module is also usable for all Unix authentication methods.

Posted on Thu 01 September 2022

Transient sessions in Keycloak : save your cache performances !

Keycloak generates a session on each user login. Those sessions are replicated in infinispan caches. Sometimes, we only need a token, not a session. This is how to do it.

Posted on We 16 March 2022

Keycloak.X in Kubernetes : deploy a cluster

Keycloak.x will become the reference soon.

According to the Blog Post, Keycloak 18 will not support Wildfly, after that no wildfly version... Now it is time to migrate !

We are still waiting for a Kubernetes operator with Keycloak.X, in this post we will see how to build your own cluster based on Keycloak.X 16.1.0

Posted on We 05 January 2022

Keepass in the system tray with quick access

At please-open.it we use Keepass for passwords management. This simple and open source solution gives us entire satisfaction, only with a shared file on our internal cloud.

We tried to improve a lot the user experience by creating the simpliest passwords manager application.

Posted on Mo 03 January 2022

UMA 2.0 from the begining : how to use it with bash

UMA 2.0 is known as a delegation of authorizations standard. Keycloak is fully compatible with UMA 2.0.

With a bash tool developped by please-open.it, let's see how to use UMA 2.0

This article explains what is UMA 2.0 with an example using our new bash tool : uma-bash-client.sh

Posted on Fr 13 August 2021

Device code flow in Keycloak

Keycloak 13.0 now supports device code flow. Lets take a tour of how to use it.

Posted on Thr 06 May 2021

Action token for external user file download management

Action tokens are a particular type of token that allows unauthenticated users to perform some limited and predefined actions.

In this article we will see how to use them to create authenticated download links with a simple and short PHP script intended to run on shared web hosting.

Posted on Fri 09 April 2021

Authentication - feel the user experience

There are several methods for authentication : certificates, passwords, pincode, webauthn, One Time Password...

Choosing an authentication method is not a technical choice : it has hudge impacts on security but also on User eXperience.

This article shows several demos, built with Keycloak, and let you have a perception of User eXperience for each authentication method.

Posted on Fri 02 April 2021

Action token, an idea for newsletter authentication

Action tokens are a particular type of token that allows unauthenticated users to perform some limited and predefined actions.

Usual use case are :

  • E-mail confirmation
  • Credentials reset
  • Execute required action(s)
  • and any action relevant with the flow and your use cases...

This article explains what is an action token and how to use it to authenticate users from a link inside a newsletter

Posted on Fri 08 January 2021

Keycloak.X as a service

A year ago, Keycloak Team introduced Keycloak.X distribution : https://www.keycloak.org/2019/10/keycloak-x

We were very excited about this project :

  • Lighter
  • Easier to scale
  • Continuous delivery
  • and more...

Now, our infrastructure has migrated to Keycloak.X. Any (free) account on our plateform is now running on Keycloak.X distribution.

Posted on Mon 22 December 2020

LDAP integration on Keycloak

A link between an LDAP directory to Keycloak could be considered as a "must have". Many times, companies want to connect their directory to a Keycloak. Keycloak could be considered as an "OpenId Connect proxy" between webapps and an Active Directory.

Keycloak can retrieve users from LDAP, synchronize groups, roles or custom attributes. Let's have a complete tour of what you can do with this connector.

Posted on Mon 27 September 2020


Authorization code grant (also named "auth_code") is one of the most popular authentication method on the web. Every oauth2 provider implements this flow which is the best for web authentication. Facebook, Google, Twitter, Linkedin... all of them use it (or partially, we will explain why).

Posted on Wed 02 July 2020

(fr) Autoriser les accès à mon API à des services tiers

Autoriser les accès à mon API à des services tiers :

  • définir des rôles par pattern d'API (Java Spring)
  • attribuer des rôles aux utilisateurs
  • définir des scopes : données et rôles associés
  • exposer votre API : donner un Client au développeur
  • le consentement de l'utilisateur "Consent Screen"
  • la révocation du consentement utilisateur
Créez un compte utilisateur pour suivre les démos (email optionnel) : https://webinaire.please-open.it
Une seconde implémentation, par un client externe : https://www.mathieupassenaud.fr/webinaire
serveur oauth : app.please-open.it/auth
realmid : 122aa842-0cf0-48e6-a5bc-cca00254a9bb

Posted on Wed 23 April 2020

OpenVPN and Keycloak : Link your VPN Infrastructure with your SSO

OpenVPN allows usage of PAM modules. By using an oauth2 client PAM module and password grant, we can use our own SSO (Keycloak) to authenticate users on a VPN infrastructure.
For Oauth2 providers which do not allow Password Grant, we will use a "token authentication" by providing a valid token instead of a password. Code and demo with Google as authentication provider.

Posted on Thu 2 April 2020

(fr) Oauth2 pour les ops

Oauth2 dans le monde des ops :

  • mise en place d'un realm keycloak : clients, flows, rôles
  • intégration sur des apps avec support oauth2 : démo avec Grafana
  • Ajouter un support oauth2 sur une app : proxy d'authentification en LUA avec Nginx pour jenkins (authentification par headers)
  • Proxy d'authentification en LUA avec vérification des droits (introspection) pour la mise à disposition de fichiers
  • authentification SSH/SFTP utilisant Direct Access Grant et un module PAM
  • Aller plus loin : Mappers dans Keycloak, comment personnaliser les infos et les tokens

Posted on Wed 25 March 2020

Load More

Our Services


With your team, and a white board, understanding the possibilities of a SSO for your use cases.


Ensure the security and efficiency of your authentication systems through our comprehensive audit services


Need custom login actions ? Specific identity providers or users databases ? Almost everything is possible


Craft robust and scalable authentication architectures tailored to your business objectives.

Contact us

Any question ? Want more information ? Follow us or you can reach out to us via email.