Identity Brokering · intermediate · 13 min read · June 12, 2026

Keycloak LinkedIn Identity Provider: OIDC Setup

Configure LinkedIn as an identity provider in Keycloak using the Sign In with LinkedIn using OpenID Connect product. Covers LinkedIn app creation, OIDC product setup, generic OIDC provider configuration in Keycloak, and attribute mappers.

KeycloakPro Team

Introduction

In 2023 LinkedIn replaced its original Sign In with LinkedIn product (plain OAuth 2.0 plus proprietary profile APIs) with Sign In with LinkedIn using OpenID Connect, which layers standard OIDC ID tokens and a userinfo endpoint on top of OAuth 2.0. The older product has been deprecated and removed. If you set up LinkedIn login before 2023, you need to migrate to the OIDC product.

Keycloak 23 and later also list a built-in LinkedIn OpenID Connect social provider, but this guide uses the generic OpenID Connect v1.0 provider with LinkedIn's discovery URL: it works on any recent version and exposes the full OIDC configuration (issuer, JWKS URL, signature validation) so you can see and audit what is being trusted. The setup takes about 15 minutes.

How identity brokering works

The login flow goes: user clicks "Sign in with LinkedIn" → Keycloak redirects the browser to LinkedIn's authorization endpoint with a state and nonce it generated → user authorizes your app → LinkedIn redirects back to Keycloak's broker endpoint with an authorization code → Keycloak checks the state, exchanges the code for tokens at LinkedIn's token endpoint, and validates the ID token (signature, issuer, audience, expiry) → Keycloak creates or links the user → user lands in your application.

The redirect URI you register in the LinkedIn Developer Portal is:

https://keycloak.example.com/realms/YOUR_REALM/broker/linkedin-oidc/endpoint

The alias linkedin-oidc appears in this URL. You set this alias when creating the identity provider in Keycloak.
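The following is an added example written for this article, not Keycloak's own code: a compact model of what the broker endpoint does on each leg of the flow above, so the checks (state binding on the callback, issuer/audience/nonce/expiry on the ID token) are visible. The issuer and authorization endpoint values are assumed from the shape of LinkedIn's discovery document, the client ID, code and ID-token payload are constructed, and signature verification against LinkedIn's JWKS (which Keycloak performs before the claim checks) is left out.

```python
"""Model of the broker side of a LinkedIn OIDC login (added example, not Keycloak code)."""
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values in the shape of LinkedIn's discovery document (not fetched here).
ISSUER = "https://www.linkedin.com/oauth"
AUTHORIZATION_ENDPOINT = "https://www.linkedin.com/oauth/v2/authorization"
# The broker endpoint registered in the LinkedIn Developer Portal.
REDIRECT_URI = "https://keycloak.example.com/realms/YOUR_REALM/broker/linkedin-oidc/endpoint"


class BrokerSession:
    """Per-login state the broker keeps between the redirect out and the callback."""

    def __init__(self, client_id: str):
        self.client_id = client_id
        self.state = secrets.token_urlsafe(32)   # binds the callback to this browser session
        self.nonce = secrets.token_urlsafe(32)   # binds the ID token to this request

    def authorization_url(self) -> str:
        """The URL the browser is sent to at LinkedIn."""
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": REDIRECT_URI,
            "scope": "openid profile email",
            "state": self.state,
            "nonce": self.nonce,
        }
        return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"

    def parse_callback(self, callback_url: str) -> str:
        """LinkedIn redirects back with code and state; return the code or reject."""
        parsed = urlparse(callback_url)
        if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
            raise ValueError("callback arrived at an unexpected URL")
        query = parse_qs(parsed.query)
        if "error" in query:
            raise ValueError(f"provider error: {query['error'][0]}")
        if query.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: possible CSRF or stale session")
        if "code" not in query:
            raise ValueError("callback carries no authorization code")
        return query["code"][0]

    def validate_id_token_claims(self, claims: dict, now: Optional[float] = None) -> str:
        """Checks applied to the (already signature-verified) ID token payload.
        Returns the sub that becomes the user's external ID in Keycloak."""
        now = time.time() if now is None else now
        if claims.get("iss") != ISSUER:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        if aud != self.client_id and not (isinstance(aud, list) and self.client_id in aud):
            raise ValueError("ID token not issued for this client")
        if claims.get("nonce") != self.nonce:
            raise ValueError("nonce mismatch: token replayed or from another request")
        if claims.get("exp", 0) <= now:
            raise ValueError("ID token expired")
        if not claims.get("sub"):
            raise ValueError("missing sub")
        return claims["sub"]


def demo_login() -> dict:
    """Run the whole exchange against constructed provider responses."""
    session = BrokerSession(client_id="86abc123example")   # constructed client ID
    auth_url = session.authorization_url()
    # Constructed: LinkedIn's redirect back to the broker endpoint.
    callback = f"{REDIRECT_URI}?code=AQT-example-code&state={session.state}"
    code = session.parse_callback(callback)
    # Constructed: decoded payload of the ID token returned by the token endpoint.
    id_token_claims = {
        "iss": ISSUER, "aud": "86abc123example", "sub": "AbCdEf123",
        "nonce": session.nonce, "exp": time.time() + 3600,
        "email": "jane@example.com", "given_name": "Jane", "family_name": "Doe",
    }
    external_id = session.validate_id_token_claims(id_token_claims)
    return {"auth_url": auth_url, "code": code, "external_id": external_id}
```

The two values worth noticing are state and nonce: state is what makes a callback with a stolen or forged code useless to an attacker's browser session, and nonce is what ties the ID token to this particular authorization request rather than a replayed one.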

Prerequisites

  • Keycloak 24+ running on HTTPS
  • A Keycloak realm with admin access
  • A LinkedIn account and a company page (required to create a LinkedIn app)

Step 1 — Create a LinkedIn app

In the LinkedIn Developer Portal at developer.linkedin.com:

  1. My apps → Create app
  2. App name: your application name
  3. LinkedIn Page: select or create your company page
  4. App logo: upload a 100x100px logo
  5. Click Create app

A company page is required. You can create a free LinkedIn page if your organization doesn't have one yet.

Screenshot: LinkedIn Developer Portal Create app form showing the App name field, LinkedIn Page selector, and App logo upload field.
The LinkedIn page is required for the app; it appears in the authorization dialog users see when they sign in with LinkedIn.

Step 2 — Add the Sign In with LinkedIn product

LinkedIn apps don't come with OIDC by default. You request access to the product:

  1. In your app, go to the Products tab
  2. Find Sign In with LinkedIn using OpenID Connect
  3. Click Request access
  4. Accept the legal terms
Screenshot: LinkedIn app Products tab showing Sign In with LinkedIn using OpenID Connect with a Request access button.
This is the correct product for OIDC-based authentication; the older Sign In with LinkedIn product is deprecated.

Access is typically granted within a few minutes. The product moves from "Request access" to an "Added" or active state. After it's added, the Auth tab shows the OIDC scopes: openid, profile, email.

Screenshot: LinkedIn app Auth tab showing the OAuth 2.0 scopes section with openid, profile, and email listed as default scopes from the Sign In with LinkedIn product.
These three scopes come from the OIDC product; no additional scopes are needed for basic sign-in.

Step 3 — Configure the redirect URL

In the app's Auth tab:

  1. OAuth 2.0 settings → Authorized redirect URLs for your app → Add URL
  2. Enter: https://keycloak.example.com/realms/YOUR_REALM/broker/linkedin-oidc/endpoint
  3. Click Update
Screenshot: LinkedIn app Auth tab showing the Authorized redirect URLs section with the Keycloak broker endpoint URL added to the list.
LinkedIn's redirect URL validation is strict (exact match, including scheme and trailing path). The alias segment of the URL is fixed when you create the provider in Step 5, so once the provider exists, copy the Redirect URI shown in its Keycloak settings panel rather than typing it.

Step 4 — Copy the Client ID and Client Secret

In the Auth tab:

  1. Application credentials section
  2. Copy the Client ID
  3. Click Generate next to Client Secret (or Show if already generated), then copy
Screenshot: LinkedIn app Auth tab showing the Application credentials section with the Client ID displayed and a Client Secret field with a Generate button.
Generate the secret once. If it needs to change, rotate it in the LinkedIn portal, then update the Keycloak IDP config.

Step 5 — Configure the Identity Provider in Keycloak

In the Keycloak admin console:

  1. Select your realm
  2. Identity Providers → Add provider → OpenID Connect v1.0
  3. Alias: linkedin-oidc
  4. Display name: LinkedIn
  5. Discovery Endpoint: https://www.linkedin.com/oauth/.well-known/openid-configuration
  6. Client ID: paste from Step 4
  7. Client Secret: paste from Step 4
  8. Default Scopes: openid profile email

Click Add.

Screenshot: Keycloak admin console Identity Providers showing the OpenID Connect v1.0 provider form with Alias set to linkedin-oidc, Display name set to LinkedIn, and the Discovery Endpoint containing the LinkedIn OIDC discovery URL.
As soon as you enter the discovery endpoint, the console fetches the document and pre-fills the authorization, token, userinfo, JWKS and issuer fields. Check them before clicking Add.

The discovery URL Keycloak needs is:

https://www.linkedin.com/oauth/.well-known/openid-configuration

Verify the alias is linkedin-oidc: it must match the alias in the redirect URI you registered in Step 3. If you choose a different alias, update the redirect URL in the LinkedIn Developer Portal to match. Leave Validate Signatures enabled; with the discovery document imported, Keycloak verifies each ID token against the keys published at LinkedIn's jwks_uri, which is what stops a forged token from creating or linking a user.

Step 6 — Configure attribute mappers

LinkedIn's ID token and userinfo response carry these claims:

Claim           Description
sub             Unique LinkedIn user ID
name            Full name
given_name      First name
family_name     Last name
email           Email address
email_verified  Whether LinkedIn has verified the email address
picture         Profile photo URL
locale          Locale string (e.g., en_US)

Keycloak's generic OIDC provider reads the standard email, given_name and family_name claims into the new user's email, first name and last name when the account is created, but it creates no mappers by default. Add explicit Attribute Importer mappers anyway: they make the claim-to-attribute mapping visible in the console, give you a per-attribute Sync Mode, and are the only way to import non-standard claims such as picture or locale:

  1. Identity Providers → linkedin-oidc → Mappers → Add mapper

Email mapper:

  • Mapper type: Attribute Importer
  • Name: email
  • Claim: email
  • User Attribute Name: email

First name mapper:

  • Mapper type: Attribute Importer
  • Name: firstName
  • Claim: given_name
  • User Attribute Name: firstName

Last name mapper:

  • Mapper type: Attribute Importer
  • Name: lastName
  • Claim: family_name
  • User Attribute Name: lastName
Screenshot: Keycloak Identity Provider Mappers list for the LinkedIn provider showing the email, firstName, and lastName attribute importers.
The Claim field holds LinkedIn's name for the value, the User Attribute Name field Keycloak's. Each mapper's Sync Mode defaults to inherit, so it follows the provider-level setting chosen in Step 7.

Step 7 — Configure the First Login Flow

In Identity Providers → linkedin-oidc → Settings → First Login Flow, the default first broker login flow:

  • Prompts the user to review their profile once on first login
  • Checks whether a Keycloak account already exists with the same email or username
  • If a match exists, asks the user to confirm linking and to prove ownership of the existing account, either by email verification or by re-authenticating with its password
  • If no match, creates a new Keycloak user

Sync Mode controls what happens on later logins: import (the default) writes attributes only when the user is first created, force re-imports them from LinkedIn on every login and overwrites any local edits, and legacy preserves the behaviour of older Keycloak releases. Set force if you want LinkedIn to be the source of truth for name and email on every login. Leave Trust Email off unless you have confirmed that LinkedIn returns email_verified for your users; with it on, Keycloak treats the LinkedIn email as verified and skips its own verification step.

Screenshot: Keycloak LinkedIn Identity Provider Settings showing First Login Flow set to first broker login and the Sync Mode dropdown.
Use force sync if users update their LinkedIn profile and you want Keycloak to reflect those changes automatically.
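Steps 5 to 7 are one procedure, and for more than one realm or environment you will want it scripted rather than clicked. The block below is an added example for this article, not KeycloakPro's or Keycloak's own code: it validates a discovery document (the same check the troubleshooting section and the production checklist ask for), derives the redirect URI to register at LinkedIn, and builds the provider and mapper payloads for Keycloak's Admin REST API. The sample discovery document is constructed in the shape LinkedIn publishes and should be replaced by the real one from fetch_discovery(); the base URL, realm, client credentials and the admin bearer token passed to provision() are assumptions.

```python
"""Provision the LinkedIn OIDC provider and its mappers over the Keycloak Admin REST API
(added example, not Keycloak's or KeycloakPro's code)."""
import json
import urllib.request

DISCOVERY_URL = "https://www.linkedin.com/oauth/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

# Constructed sample in the shape of LinkedIn's discovery document (not fetched).
SAMPLE_DISCOVERY = {
    "issuer": "https://www.linkedin.com/oauth",
    "authorization_endpoint": "https://www.linkedin.com/oauth/v2/authorization",
    "token_endpoint": "https://www.linkedin.com/oauth/v2/accessToken",
    "userinfo_endpoint": "https://api.linkedin.com/v2/userinfo",
    "jwks_uri": "https://www.linkedin.com/oauth/openid/jwks",
    "scopes_supported": ["openid", "profile", "email"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def fetch_discovery(url: str = DISCOVERY_URL) -> dict:
    """Fetch and parse the live discovery document (network; not used by the tests)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def validate_discovery(doc: dict) -> list:
    """Return a list of problems; empty means the document is usable.
    Catches a missing endpoint (the 404/HTML-page case) and plain-http URLs."""
    problems = []
    for key in REQUIRED:
        if key not in doc:
            problems.append(f"missing {key}")
        elif not str(doc[key]).startswith("https://"):
            problems.append(f"{key} is not https")
    if "openid" not in doc.get("scopes_supported", ["openid"]):
        problems.append("openid scope not advertised")
    return problems


def broker_redirect_uri(base_url: str, realm: str, alias: str) -> str:
    """The exact redirect URL to register in the LinkedIn Developer Portal."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def idp_representation(alias: str, client_id: str, client_secret: str,
                       discovery: dict, sync_mode: str = "IMPORT") -> dict:
    """Payload for POST /admin/realms/{realm}/identity-provider/instances.
    The console fills the URLs from discovery; over REST you do it yourself."""
    return {
        "alias": alias,
        "displayName": "LinkedIn",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,            # keep off unless you check email_verified
        "firstBrokerLoginFlowAlias": "first broker login",
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",
            "defaultScope": "openid profile email",
            "issuer": discovery["issuer"],
            "authorizationUrl": discovery["authorization_endpoint"],
            "tokenUrl": discovery["token_endpoint"],
            "userInfoUrl": discovery["userinfo_endpoint"],
            "jwksUrl": discovery["jwks_uri"],
            "useJwksUrl": "true",
            "validateSignature": "true",  # reject ID tokens not signed by LinkedIn's keys
            "syncMode": sync_mode,        # IMPORT (first login only), FORCE or LEGACY
        },
    }


def attribute_mappers(alias: str) -> list:
    """The three Attribute Importer mappers from Step 6 as REST payloads."""
    pairs = [("email", "email", "email"),
             ("firstName", "given_name", "firstName"),
             ("lastName", "family_name", "lastName")]
    return [{
        "name": name,
        "identityProviderAlias": alias,
        "identityProviderMapper": "oidc-user-attribute-idp-mapper",
        "config": {"claim": claim, "user.attribute": attr, "syncMode": "INHERIT"},
    } for name, claim, attr in pairs]


def provision(base_url: str, realm: str, admin_token: str, idp: dict) -> None:
    """Create the provider and its mappers (network; not used by the tests)."""
    def post(path: str, body: dict) -> None:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/admin/realms/{realm}{path}",
            data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {admin_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            if resp.status not in (201, 204):
                raise RuntimeError(f"{path}: HTTP {resp.status}")
    post("/identity-provider/instances", idp)
    for mapper in attribute_mappers(idp["alias"]):
        post(f"/identity-provider/instances/{idp['alias']}/mappers", mapper)
```

Typical use: doc = fetch_discovery(); abort if validate_discovery(doc) is non-empty; register broker_redirect_uri(...) at LinkedIn; then provision(base_url, realm, token, idp_representation("linkedin-oidc", client_id, client_secret, doc, "FORCE")). Read the client secret from your secret store, never from a file in the repository.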

Step 8 — Test the login

Open a private browser window and go to your Keycloak realm login page. A LinkedIn button appears below the standard login form.

Screenshot: Keycloak login page showing the username/password form with a LinkedIn button below.
The button label uses the Display Name you set when creating the provider, LinkedIn in this case.

After logging in with LinkedIn, confirm the federated account: Keycloak admin → Users → find the user → Identity Provider Links tab. The external user ID is the LinkedIn sub value.

Screenshot: Keycloak User detail page, Identity Provider Links tab, showing a linkedin-oidc row with the LinkedIn sub value as the external user ID.
The alias in the Provider column matches the alias you set in Step 5: linkedin-oidc.

Troubleshooting common issues

"Bummer, something went wrong" on LinkedIn authorization page

The LinkedIn app hasn't had the Sign In with LinkedIn using OpenID Connect product activated, or the access request is pending. Check the Products tab in the Developer Portal and confirm the product shows as active. Also check that the OAuth 2.0 scopes list includes openid, profile, and email.

"The redirect_uri does not match"

The redirect URI registered in the LinkedIn Developer Portal and the one Keycloak sends must match exactly, including scheme, host, port and path. Check the alias in Keycloak: if it's linkedin-oidc, the registered URI must end with /broker/linkedin-oidc/endpoint. Copy the Redirect URI directly from the Identity Provider settings panel in Keycloak.

Discovery endpoint returns 404

This can happen if LinkedIn's OIDC product hasn't been fully activated on the app. Wait a few minutes after requesting access, then try again. The discovery URL is:

https://www.linkedin.com/oauth/.well-known/openid-configuration

Confirm it returns a valid JSON document by opening it in a browser before entering it in Keycloak.

Users can log in but name fields are blank

Almost always a claim-name mismatch in a mapper from Step 6. LinkedIn sends given_name and family_name, not firstName and lastName; the mapper translates between them, so the Claim field must use LinkedIn's name and the User Attribute Name field Keycloak's. A mapper whose claim is absent from the token silently sets nothing. To see exactly which claims LinkedIn returns for a given member, call the userinfo endpoint from the discovery document with a fresh access token and compare the keys with your mappers.
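To make the mismatch concrete, here is an added example (not Keycloak's implementation) that runs a Keycloak-style Attribute Importer over a constructed LinkedIn claim set, once with the correct claim names and once with the common mistake of using Keycloak's attribute names as claim names. The claim values are constructed to match the claim list in Step 6.

```python
"""Reproduce the blank-name failure offline (added example, not Keycloak's code)."""
from typing import Dict, List, Tuple

# Constructed: a userinfo / ID-token payload in the shape LinkedIn returns.
LINKEDIN_CLAIMS: Dict[str, object] = {
    "sub": "AbCdEf123",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "jane@example.com",
    "email_verified": True,
    "picture": "https://media.example.com/jane.jpg",
    "locale": "en_US",
}

# (claim name as sent by LinkedIn, Keycloak user attribute name)
CORRECT_MAPPERS: List[Tuple[str, str]] = [
    ("email", "email"), ("given_name", "firstName"), ("family_name", "lastName"),
]
# The common mistake: Keycloak's attribute names used as the claim names.
MISTAKEN_MAPPERS: List[Tuple[str, str]] = [
    ("email", "email"), ("firstName", "firstName"), ("lastName", "lastName"),
]


def apply_mappers(claims: Dict[str, object],
                  mappers: List[Tuple[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Return (attributes that would be written to the user, mappers whose claim was absent).
    Like the real Attribute Importer, a mapper whose claim is missing writes nothing
    and raises no error, which is why the symptom is a silently blank profile."""
    attributes: Dict[str, str] = {}
    missing: List[str] = []
    for claim, attribute in mappers:
        value = claims.get(claim)
        if value is None or value == "":
            missing.append(f"{attribute} <- {claim}")
        else:
            attributes[attribute] = str(value)
    return attributes, missing


def suggest_fixes(claims: Dict[str, object], mappers: List[Tuple[str, str]]) -> Dict[str, str]:
    """For each mapper that misses, suggest the claim whose normalised name matches the
    attribute (firstName -> given_name, lastName -> family_name)."""
    aliases = {"firstname": "given_name", "lastname": "family_name", "mail": "email"}
    _, missing = apply_mappers(claims, mappers)
    fixes = {}
    for entry in missing:
        attribute, _, claim = entry.partition(" <- ")
        candidate = aliases.get(attribute.lower().replace("_", ""))
        if candidate in claims:
            fixes[claim] = candidate
    return fixes
```

Run apply_mappers(LINKEDIN_CLAIMS, MISTAKEN_MAPPERS) and only email comes back; the firstName and lastName mappers are reported as missing, which is exactly the blank profile the user sees. suggest_fixes() maps those misses back to given_name and family_name.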

"Error: invalid_client" during token exchange

The Client Secret is wrong or expired. Go to the LinkedIn Developer Portal → Auth tab → Application credentials and generate a new secret. Update the Keycloak IDP configuration with the new value.

Production checklist

  • Sign In with LinkedIn using OpenID Connect product activated and showing as active
  • Redirect URI in LinkedIn Developer Portal matches Keycloak alias exactly
  • Client secret stored outside source control
  • Attribute mappers configured for email, firstName, and lastName
  • Discovery endpoint verified by opening in browser before configuring Keycloak
  • Sync Mode chosen deliberately
  • Validate Signatures left enabled; Trust Email left off unless email_verified from LinkedIn is relied on knowingly
  • Tested with an account that has a verified email on LinkedIn

Need help integrating LinkedIn with Keycloak?

We deliver production-ready LinkedIn + Keycloak integrations in 1–3 weeks.

Fixed-price, zero vendor lock-in, full source code ownership.

See integration packages