The countdown is officially on. In just a few weeks, the cloud-native ecosystem meets in Yokohama for KubeCon + CloudNativeCon Japan 2026. Taking place on Tuesday, July 28 from 09:00 – 12:30, KeycloakCon Japan brings together maintainers, enterprise architects, and core contributors for a half-day, single-track intensive event.
If you are building modern cloud platform infrastructure, securing software supply chains, or wrestling with autonomous AI agent governance, read why you need to add KeycloakCon to your KubeCon + CloudNativeCon pass.
Identity for the AI Era: Solving the “Confused Deputy” and MCP Governance
The dominant theme of KeycloakCon Japan 2026 is the explosive shift toward autonomous AI agents and the Model Context Protocol (MCP). When an AI agent acts on behalf of a human user, calls downstream APIs, and crosses trust boundaries, traditional authorization boundaries collapse. KeycloakCon dedicates a major portion of the morning to solving this challenge based on the open identity standards already included in Keycloak.
- The Architecture Blueprint: Yuxiang Lin (Midships Global) cuts through market hype to make the enterprise case that purpose-built AI identity vendors are an unnecessary dependency. The core primitives—OAuth 2.0 token delegation, token exchange, fine-grained scope enforcement, and audit trails—are already production-ready in Keycloak.
- Identity Chaining & ID-JAG: Yutaka Obuchi (Hitachi, Ltd.) and Tatsuya Yano (LY Corporation) tackle the technical implementation of Identity Assertion JWT Authorization Grants (ID-JAG). Yutaka demonstrates how to extend Keycloak’s Token Exchange Provider to externalize authorization from fragmented MCP servers. Tatsuya brings massive-scale real-world context from the infrastructure powering LINE and Yahoo! JAPAN, showing how to unify Keycloak with CNCF Athenz to prevent the notorious “Confused Deputy” vulnerability.
- Zero-Trust, Keyless AI Agents on Kubernetes: Mustafa Dayıoğlu (TUBITAK) takes a deep dive into some of the latest Keycloak features. He showcases a keyless MCP workload identity pattern on Kubernetes that leverages SPIRE for runtime identity (JWT-SVIDs) and DPoP to block token replay—resulting in zero static credential files and zero human-created Keycloak clients.
- The Bigger Picture: Takashi Norimatsu (Hitachi, Ltd.) delivers a keynote highlighting how active open-source contribution is foundational to sustaining safe, enterprise-grade AI within critical social and enterprise infrastructure.
Hardening Cloud-Native Infrastructure: From Build Pipelines to Service Meshes
Identity extends far beyond the user login screen. Modern cloud-native platform engineering requires verifying identities inside automated pipelines and between ephemeral microservices seamlessly.
- Binding Human Identity to Code Signatures: Most organizations treat artifact signing (Sigstore) and user management (Keycloak) as isolated silos. Oshi Gupta (Infracloud Technologies) and Sagar Utekar (Crowdstrike) demonstrate how to wire Keycloak directly into Sigstore’s keyless signing flow as the OIDC provider, ensuring every build signature is cryptographically bound back to a verified identity in your trust domain. They will cover exact Fulcio configurations and how to handle token expiry during long automated builds.
- Platform-Level Service Authorization: Halil Özkan (Keymate) delivers a highly technical lightning talk on using Keycloak Authorization Services as a centralized platform control plane. Using Istio Ambient mode, waypoint proxies, and a WebAssembly (WASM) enforcement extension, he shows how to evaluate service-to-service HTTP requests without modifying application code, complete with live latency and reliability trade-off analysis.
Production Operational Survival & Project Evolution
Operating identity platforms at scale means managing long-term lifecycles, avoiding breaking changes, and staying ahead of the project roadmap.
- The Ticking Certificate Timebomb: Organizations that adopted Keycloak in the late 2010s are hitting a major milestone: the hardcoded 10-year expiry of built-in realm signing certificates. Hiroyuki Wada (Nomura Research Institute, Ltd.) breaks down why global realm key rotation is an extreme operational risk for mixed OIDC/SAML enterprise environments. He introduces a vital upstream solution: per-client signing key selection, allowing risk-free, client-by-client migration.
- What’s New & Next: Keycloak maintainer Alexander Schwartz (IBM) delivers a fast-paced lightning talk and demo exploring the latest cloud-native features landed in Keycloak. Discover how the project is expanding support for machine identities (via SPIFFE/SPIRE and Kubernetes tokens), strong human authentication via Passkeys, and automated user cross-domain synchronization using SCIM.
Networking, Community, and Evening Reception
KeycloakCon is fundamentally a community-driven space. Outside of the technical tracks, you can connect directly with core maintainers and peer architects during the dedicated coffee breaks.
- The Celebration: After an intense morning of identity deep-dives and a full day of KubeCon co-located events, unwind at the official Evening Reception sponsored by Octopus Deploy (17:00 – 18:15) for drinks, appetizers, and casual networking.
- All Week Long: Don’t forget to visit the Keycloak Kiosk at Level 3 during the afternoon project hours to grab stickers, participate in our feature roadmap survey, and sync up with the ecosystem contributors.
Registration Details
KeycloakCon Japan is an add-on option for KubeCon + CloudNativeCon Japan 2026. This is the perfect opportunity for local and traveling platform engineers already heading to Yokohama to maximize their security track coverage.
- Date: Tuesday, July 28, 2026
- Time: 09:00 – 12:30 (Followed by the joint evening reception at 17:00)
- Location: Pacifico Yokohama, 3rd Floor, Rooms 313+314
Secure Your Seat: Space is limited by room capacity. Log into your Linux Foundation KubeCon + CloudNativeCon registration dashboard and add KeycloakCon to your pass.