diff --git a/.gitignore b/.gitignore
index 4c8afd189c..3fd781ff2c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,7 @@
 
 # Builds
 build/*
+site/
 
 # Docker persistent data
 volumes/*
diff --git a/.prettierignore b/.prettierignore
index 9848a45899..2dffeffe52 100644
--- a/.prettierignore
+++ b/.prettierignore
@@ -17,7 +17,7 @@ pnpm-lock.yaml
 
 # Ignore artifacts
 phpmyfaq/assets/public/
+site/
 
 # Ignore PNPM Cache
 .pnpm-store
-
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b37f6dd629..12d6d34292 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,7 @@ This is a log of major user-visible changes in each phpMyFAQ release.
 - added optional Redis support for configuration caching (Thorsten)
 - added LDAP configuration frontend (Thorsten)
 - added phpMyFAQ recent news widget to the admin dashboard (Thorsten)
+- added experimental support for Keycloak (Thorsten)
 - added experimental support for API key authentication via OAuth2 (Thorsten)
 - added experimental per-tenant quota enforcement and API request rate limits (Thorsten)
 - added SBOM (Software Bill of Materials) generation (Thorsten)
diff --git a/composer.json b/composer.json
index 497577392a..a64f287aea 100644
--- a/composer.json
+++ b/composer.json
@@ -135,6 +135,7 @@
     "test:coverage": "./phpmyfaq/src/libs/bin/phpunit --coverage-text",
     "test:coverage-html": "./phpmyfaq/src/libs/bin/phpunit --coverage-html coverage",
     "bench": "./phpmyfaq/src/libs/bin/phpbench run tests/Benchmarks --report=aggregate",
+    "docs:build": "mkdocs build --strict",
     "version:get": "php scripts/get-version.php",
     "version:sync": "pnpm version $(php scripts/get-version.php) --no-git-tag-version --allow-same-version",
     "version:check": "php scripts/check-version.php"
diff --git a/docs/administration.md b/docs/administration.md
index d10909167a..817556db3e 100644
--- a/docs/administration.md
+++ b/docs/administration.md
@@ -499,7 +499,7 @@ Navigate to the **Configuration → Translation** tab to configure your translat
 - **Amazon**: AWS Access Key ID, Secret Access Key, and region
 - **LibreTranslate**: Server URL and optional API key
 
-For detailed setup instructions for each provider, see the [AI Translation Guide](9-ai-translation.md).
+For detailed setup instructions for each provider, see the [AI Translation Guide](ai-translation.md).
 
 #### 5.2.13.3 Translating Content
 
@@ -596,7 +596,7 @@ The AI will translate:
 - Re-translate if formatting is broken
 
 For comprehensive documentation, see:
-- [Complete AI Translation Guide](9-ai-translation.md) - Full documentation
+- [Complete AI Translation Guide](ai-translation.md) - Full documentation
 
 ## 5.3 Statistics
 
@@ -791,7 +791,7 @@ To back up the whole data located on your web server, you can run our simple bac
 Here you can edit the general, FAQ specific, search, spam protection, spam control center, SEO related, layout
 settings, Mail setup for SMTP, API settings, online update settings, and if enabled, LDAP configuration of phpMyFAQ.
 
-You can find a detailed description of all settings in the [Configuration key reference](8-configuration.md).
+You can find a detailed description of all settings in the [Configuration key reference](configuration.md).
 
 ### 5.6.2 FAQ Multi-sites
 
@@ -871,7 +871,80 @@ On this page, phpMyFAQ displays some relevant system information like PHP versio
 Please use this information when reporting bugs. Additionally, you can check the status of all translation files and see 
 if there are any missing translations.
 
-## 5.7 Using Microsoft Entra ID
+## 5.7 Using external identity providers
+
+phpMyFAQ can integrate with external identity providers for administrator and frontend logins.
+
+### 5.7.1 Using Keycloak
+
+Keycloak support uses OpenID Connect Authorization Code flow with PKCE.
+You can enable it in the administration under `Configuration` -> `Security` -> `Keycloak`.
+For a worked configuration example, see the dedicated [Keycloak Integration guide](keycloak.md).
+
+Recommended Keycloak client settings:
+
+- Client type: confidential
+- Standard flow enabled
+- Direct access grants disabled unless you need them for other tools
+- PKCE code challenge method: `S256`
+- Root URL: `https://faq.example.com/`
+- Home URL: `https://faq.example.com/`
+- Valid redirect URI: `https://faq.example.com/auth/keycloak/callback`
+- Valid post logout redirect URI: `https://faq.example.com/`
+- Web origin: `https://faq.example.com`
+
+Minimum phpMyFAQ configuration:
+
+1. Enable `Keycloak sign-in`
+2. Set the `Keycloak base URL`, for example `https://sso.example.com`
+3. Set the `Realm`
+4. Set the `Client ID`
+5. Set the `Client secret`
+6. Set the `Redirect URI` to your phpMyFAQ callback URL
+7. Keep `Scopes` at least on `openid profile email`
+8. Optionally set `Logout redirect URL` to the page users should see after provider logout
+
+Example phpMyFAQ values for a production setup:
+
+- `keycloak.baseUrl`: `https://sso.example.com`
+- `keycloak.realm`: `faq`
+- `keycloak.clientId`: `phpmyfaq`
+- `keycloak.redirectUri`: `https://faq.example.com/auth/keycloak/callback`
+- `keycloak.scopes`: `openid profile email`
+- `keycloak.logoutRedirectUrl`: `https://faq.example.com/`
+
+Optional settings:
+
+- Enable automatic provisioning if phpMyFAQ should create local users on first successful Keycloak login
+- Enable automatic group assignment if phpMyFAQ should assign local groups from Keycloak roles
+- Enable group synchronization on login if phpMyFAQ should remove stale memberships for mapped Keycloak groups
+- Add a JSON role-to-group mapping if Keycloak role names should map to different phpMyFAQ group names
+- Set a logout redirect URL if users should return to a specific page after provider logout
+- Use a JSON mapping such as `{"admin":"Administrators","faq-editors":"Editors"}` if Keycloak role names and phpMyFAQ group names differ
+
+phpMyFAQ resolves users in this order:
+
+1. existing user linked by stored Keycloak subject (`sub`)
+2. preferred username from Keycloak
+3. existing user by email address
+4. automatic provisioning if enabled
+
+If automatic provisioning is disabled, users must already exist in phpMyFAQ before they can sign in with Keycloak.
+
+Group assignment behavior:
+
+- only roles listed in the JSON mapping are managed by phpMyFAQ
+- matched groups are added to the user on login
+- if group synchronization on login is enabled, stale memberships for mapped groups are removed during login
+- phpMyFAQ groups outside the configured Keycloak mapping are left untouched
+
+Troubleshooting:
+
+- If login works but logout does not return to phpMyFAQ, verify `Valid post logout redirect URI` in Keycloak and `keycloak.logoutRedirectUrl` in phpMyFAQ
+- If users are created but not added to groups, make sure permission level `medium` is enabled and the Keycloak roles actually match your JSON mapping keys
+- If an existing user cannot log in, check whether the stored Keycloak subject (`sub`) is already linked to a different account
+
+### 5.7.2 Using Microsoft Entra ID
 
 You can use our experimental Microsoft Entra ID support for user authentication as well.
 App Registrations in Azure are used to integrate applications with Microsoft Azure services,
diff --git a/docs/configuration.md b/docs/configuration.md
index 13342ae485..0daad4e43f 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -124,6 +124,18 @@ each setting controls. These values are set during installation and can be chang
 | `security.enableRegistration`               | Enable registration for visitors | `true` | Allows new users to register an account on the FAQ. |
 | `security.domainWhiteListForRegistrations`  | Allowed hosts for registrations | *(empty)* | A list of allowed email domains for new registrations. Leave empty to allow all domains. |
 | `security.enableSignInWithMicrosoft`        | Enable Sign in with Microsoft Entra ID | `false` | Enables authentication via Microsoft Entra ID (formerly Azure AD). |
+| `keycloak.enable`                           | Enable Keycloak sign-in | `false` | Enables OpenID Connect authentication via Keycloak for the frontend and admin login forms. |
+| `keycloak.baseUrl`                          | Keycloak base URL | *(empty)* | Base URL of the Keycloak server, for example `https://sso.example.com`. |
+| `keycloak.realm`                            | Realm | *(empty)* | Keycloak realm used for phpMyFAQ authentication. |
+| `keycloak.clientId`                         | Client ID | *(empty)* | OIDC client identifier configured in Keycloak. |
+| `keycloak.clientSecret`                     | Client secret | *(empty)* | Client secret configured for the Keycloak OIDC client. |
+| `keycloak.redirectUri`                      | Redirect URI | *(empty)* | Callback URL registered in the Keycloak client, usually `https://faq.example.com/auth/keycloak/callback`. |
+| `keycloak.scopes`                           | Scopes | `openid profile email` | Space-separated scopes requested during login. |
+| `keycloak.autoProvision`                    | Automatically create phpMyFAQ users on first Keycloak login | `false` | When enabled, phpMyFAQ creates a local user automatically if no matching account exists yet. |
+| `keycloak.groupAutoAssign`                  | Automatically assign phpMyFAQ groups from Keycloak roles | `false` | When enabled and permission level `medium` is active, phpMyFAQ assigns users to groups derived from Keycloak roles on login. |
+| `keycloak.groupSyncOnLogin`                 | Synchronize mapped phpMyFAQ groups on login | `false` | When enabled, phpMyFAQ also removes stale memberships for groups managed by the Keycloak role mapping during login. |
+| `keycloak.groupMapping`                     | Role to group mapping | *(empty)* | JSON object mapping Keycloak role names to phpMyFAQ group names, for example `{"admin":"Administrators","faq-editors":"Editors"}`. Only mapped roles are managed for assignment and synchronization. |
+| `keycloak.logoutRedirectUrl`                | Logout redirect URL | *(empty)* | URL users should be redirected to after logging out from Keycloak, for example `https://faq.example.com/`. |
 | `security.enableGoogleReCaptchaV2`          | Enable Invisible Google ReCAPTCHA v2 | `false` | Enables Google reCAPTCHA v2 to protect forms from spam and abuse. |
 | `security.googleReCaptchaV2SiteKey`         | Google ReCAPTCHA v2 site key | *(empty)* | The site key from your Google reCAPTCHA v2 registration. |
 | `security.googleReCaptchaV2SecretKey`       | Google ReCAPTCHA v2 secret key | *(empty)* | The secret key from your Google reCAPTCHA v2 registration. |
diff --git a/docs/index.md b/docs/index.md
index a89430c8eb..3f1140506d 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -20,7 +20,7 @@ phpMyFAQ also supports two-factor authentication (2FA) for enhanced security.
 An AI-assisted translation feature helps translate content into multiple languages using Google Cloud Translation, DeepL,
 Azure Translator, Amazon Translate, or LibreTranslate.
 A REST API is available for integration with other systems.
-It also supports OpenLDAP, Microsoft Active Directory, Microsoft Entra ID, and an MCP Server for AI agents.
+It also supports OpenLDAP, Microsoft Active Directory, Microsoft Entra ID, Keycloak, and an MCP Server for AI agents.
 The system is easy to install, thanks to its user-friendly installation script.
 
 phpMyFAQ is versatile
diff --git a/docs/keycloak.md b/docs/keycloak.md
new file mode 100644
index 0000000000..e3bec0783d
--- /dev/null
+++ b/docs/keycloak.md
@@ -0,0 +1,127 @@
+# Keycloak Integration
+
+phpMyFAQ supports Keycloak as an OpenID Connect provider for frontend and administration logins.
+The integration uses Authorization Code flow with PKCE.
+
+## 1. Prerequisites
+
+Before you configure phpMyFAQ, make sure you have:
+
+- a reachable Keycloak server, for example `https://sso.example.com`
+- a realm for phpMyFAQ users, for example `faq`
+- a confidential client for phpMyFAQ
+- the public URL of your phpMyFAQ installation, for example `https://faq.example.com/`
+
+## 2. Recommended Keycloak client settings
+
+Recommended client settings for a phpMyFAQ installation at `https://faq.example.com/`:
+
+- Client type: confidential
+- Standard flow enabled
+- Direct access grants are disabled unless required for another integration
+- Service accounts disabled
+- PKCE code challenge method: `S256`
+- Root URL: `https://faq.example.com/`
+- Home URL: `https://faq.example.com/`
+- Valid redirect URIs:
+  - `https://faq.example.com/auth/keycloak/callback`
+- Valid post logout redirect URIs:
+  - `https://faq.example.com/`
+- Web origins:
+  - `https://faq.example.com`
+
+## 3. phpMyFAQ configuration
+
+In phpMyFAQ, open:
+
+- `Configuration`
+- `Security`
+- `Keycloak`
+
+Typical values:
+
+- `keycloak.enable`: `true`
+- `keycloak.baseUrl`: `https://sso.example.com`
+- `keycloak.realm`: `faq`
+- `keycloak.clientId`: `phpmyfaq`
+- `keycloak.clientSecret`: `<client secret from Keycloak>`
+- `keycloak.redirectUri`: `https://faq.example.com/auth/keycloak/callback`
+- `keycloak.scopes`: `openid profile email`
+- `keycloak.logoutRedirectUrl`: `https://faq.example.com/`
+
+Optional user and group settings:
+
+- `keycloak.autoProvision`: `true`
+- `keycloak.groupAutoAssign`: `true`
+- `keycloak.groupSyncOnLogin`: `true`
+- `keycloak.groupMapping`: `{"admin":"Administrators","faq-editors":"Editors"}`
+
+## 4. User resolution and account linking
+
+phpMyFAQ resolves Keycloak users in this order:
+
+1. existing user linked by stored Keycloak subject (`sub`)
+2. preferred username from Keycloak
+3. existing user by email address
+4. automatic provisioning, if enabled
+
+The stored Keycloak subject is the durable link between a local phpMyFAQ account and the external identity.
+
+If automatic provisioning is disabled, users must already exist in phpMyFAQ before they can sign in.
+
+## 5. Group mapping behavior
+
+Group handling is intentionally conservative:
+
+- only roles listed in `keycloak.groupMapping` are managed by phpMyFAQ
+- mapped groups are added on login when `keycloak.groupAutoAssign` is enabled
+- stale memberships are removed only for mapped groups when `keycloak.groupSyncOnLogin` is enabled
+- phpMyFAQ groups outside the configured mapping are left untouched
+
+Example mapping:
+
+```json
+{
+  "admin": "Administrators",
+  "faq-editors": "Editors"
+}
+```
+
+This means:
+
+- Keycloak role `admin` maps to phpMyFAQ group `Administrators`
+- Keycloak role `faq-editors` maps to phpMyFAQ group `Editors`
+
+## 6. Logout behavior
+
+phpMyFAQ logs the user out locally and then redirects to Keycloak logout when:
+
+- Keycloak sign-in is enabled
+- the current user is authenticated through Keycloak
+
+For a reliable provider logout:
+
+- set `keycloak.logoutRedirectUrl` in phpMyFAQ
+- make sure the same URL is listed as a valid post-logout redirect URI in Keycloak
+
+## 7. Troubleshooting
+
+If login works but logout does not return to phpMyFAQ:
+
+- verify `keycloak.logoutRedirectUrl`
+- verify the matching valid post-logout redirect URI in Keycloak
+
+If users are created but not assigned to groups:
+
+- verify permission level `medium`
+- verify `keycloak.groupAutoAssign` is enabled
+- verify the Keycloak role names exactly match the JSON mapping keys
+
+If group synchronization removes the wrong memberships:
+
+- check `keycloak.groupMapping`
+- remember that only mapped groups are managed
+
+If an existing user cannot log in:
+
+- check whether the stored Keycloak subject (`sub`) is already linked to another local account
diff --git a/eslint.config.mjs b/eslint.config.mjs
index 76410a133b..0b869280bc 100644
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -13,6 +13,7 @@ const ignoresConfig = globalIgnores([
   'phpmyfaq/assets/public/*',
   'phpmyfaq/content/upgrades/*',
   'phpmyfaq/src/libs/*',
+  'site/*',
   'volumes/*',
 ]);
 
diff --git a/mkdocs.yml b/mkdocs.yml
index 89576bee33..3f5bff899a 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -2,6 +2,9 @@ site_name: phpMyFAQ v4.2
 theme:
   name: readthedocs
   highlightjs: true
+not_in_nav: |
+  /s3-storage-checklist.md
+  /keys/**
 extra_css:
   - css/custom.css
 plugins:
@@ -15,9 +18,10 @@ nav:
   - 6. Use phpMyFAQ: 'usage.md'
   - 7. Manage phpMyFAQ: 'administration.md'
   - 8. Configuration reference: 'configuration.md'
-  - 9. AI-Assisted Translation feature: 'ai-translation.md'
-  - 10. Developer documentation: 'development.md'
-  - 11. Plugins: 'plugins.md'
-  - 12. MCP Server: 'mcp-server.md'
-  - 13. Release: 'release.md'
-  - 14. Thank you!: 'thank-you.md'
+  - 9. Keycloak Integration: 'keycloak.md'
+  - 10. AI-Assisted Translation feature: 'ai-translation.md'
+  - 11. Developer documentation: 'development.md'
+  - 12. Plugins: 'plugins.md'
+  - 13. MCP Server: 'mcp-server.md'
+  - 14. Release: 'release.md'
+  - 15. Thank you!: 'thank-you.md'
diff --git a/package.json b/package.json
index e896117cb6..6adb64dc95 100644
--- a/package.json
+++ b/package.json
@@ -38,6 +38,7 @@
     "release:artifacts": "./scripts/prepare-release-artifacts.sh",
     "release:sign": "./scripts/sign-release-artifacts.sh",
     "sbom": "./scripts/generate-sbom.sh",
+    "docs:build": "mkdocs build --strict",
     "eslint": "eslint .",
     "lint": "prettier --check .",
     "lint:fix": "prettier --write .",
diff --git a/phpmyfaq/admin/assets/src/configuration/configuration.test.ts b/phpmyfaq/admin/assets/src/configuration/configuration.test.ts
index 0e2be2814e..cf0d8088a2 100644
--- a/phpmyfaq/admin/assets/src/configuration/configuration.test.ts
+++ b/phpmyfaq/admin/assets/src/configuration/configuration.test.ts
@@ -294,12 +294,16 @@ describe('Configuration Functions', () => {
           <li class="nav-item" data-config-group="integrations" data-config-label="OAuth 2.0">
             <a href="#oauth2" data-bs-toggle="tab"></a>
           </li>
+          <li class="nav-item" data-config-group="integrations" data-config-label="Keycloak">
+            <a href="#keycloak" data-bs-toggle="tab"></a>
+          </li>
         </ul>
         </form>
         <div id="pmf-configuration-result"></div>
         <input id="pmf-language" value="en">
         <div id="main"></div>
         <div id="oauth2"></div>
+        <div id="keycloak"></div>
       `;
 
       (fetchConfiguration as Mock).mockResolvedValue('Configuration content');
@@ -323,6 +327,13 @@ describe('Configuration Functions', () => {
           <li class="nav-item" data-config-group="core" data-config-label="Main">
             <a class="nav-link" href="#main"></a>
           </li>
+          <li class="pmf-configuration-group" data-config-group="integrations"><span>Integrations</span></li>
+          <li class="nav-item" data-config-group="integrations" data-config-label="OAuth 2.0">
+            <a class="nav-link" href="#oauth2"></a>
+          </li>
+          <li class="nav-item" data-config-group="integrations" data-config-label="Keycloak">
+            <a class="nav-link" href="#keycloak"></a>
+          </li>
           <li class="pmf-configuration-group" data-config-group="maintenance"><span>Maintenance</span></li>
           <li class="nav-item" data-config-group="maintenance" data-config-label="Upgrade">
             <a class="nav-link active" href="#upgrade"></a>
@@ -347,6 +358,12 @@ describe('Configuration Functions', () => {
           <div class="pmf-config-item" data-config-key="oauth2.enable">Enable OAuth 2.0 authorization server</div>
           <div class="pmf-config-item" data-config-key="oauth2.privateKeyPath">Private key path</div>
         </div>
+        <div id="keycloak">
+          <div class="pmf-config-item" data-config-key="keycloak.enable">Enable Keycloak sign-in</div>
+          <div class="pmf-config-item" data-config-key="keycloak.clientId">Client ID</div>
+          <div class="pmf-config-item" data-config-key="keycloak.groupSyncOnLogin">Synchronize groups on login</div>
+          <div class="pmf-config-item" data-config-key="keycloak.groupMapping">Role to group mapping</div>
+        </div>
         <div id="upgrade">
           <div class="pmf-config-item" data-config-key="upgrade.releaseEnvironment">Release environment</div>
         </div>
@@ -427,6 +444,59 @@ describe('Configuration Functions', () => {
       vi.useRealTimers();
     });
 
+    it('should show Keycloak tab and items when filtering by "keycloak"', async () => {
+      vi.useFakeTimers();
+      buildFilterDOM();
+
+      (fetchConfiguration as Mock).mockResolvedValue('');
+
+      handleConfigurationTabFiltering();
+
+      await triggerFilterAndFlush('keycloak');
+
+      const keycloakTab = document.querySelector('li.nav-item[data-config-label="Keycloak"]');
+      const oauth2Tab = document.querySelector('li.nav-item[data-config-label="OAuth 2.0"]');
+      const mainTab = document.querySelector('li.nav-item[data-config-label="Main"]');
+      const upgradeTab = document.querySelector('li.nav-item[data-config-label="Upgrade"]');
+
+      expect(keycloakTab?.classList.contains('d-none')).toBe(false);
+      expect(oauth2Tab?.classList.contains('d-none')).toBe(true);
+      expect(mainTab?.classList.contains('d-none')).toBe(true);
+      expect(upgradeTab?.classList.contains('d-none')).toBe(true);
+
+      const keycloakEnable = document.querySelector('.pmf-config-item[data-config-key="keycloak.enable"]');
+      const keycloakClientId = document.querySelector('.pmf-config-item[data-config-key="keycloak.clientId"]');
+      const languageItem = document.querySelector('.pmf-config-item[data-config-key="main.language"]');
+
+      expect(keycloakEnable?.classList.contains('d-none')).toBe(false);
+      expect(keycloakClientId?.classList.contains('d-none')).toBe(false);
+      expect(languageItem?.classList.contains('d-none')).toBe(true);
+
+      vi.useRealTimers();
+    });
+
+    it('should show Keycloak tab when filtering by "client id"', async () => {
+      vi.useFakeTimers();
+      buildFilterDOM();
+
+      (fetchConfiguration as Mock).mockResolvedValue('');
+
+      handleConfigurationTabFiltering();
+
+      await triggerFilterAndFlush('client id');
+
+      const keycloakTab = document.querySelector('li.nav-item[data-config-label="Keycloak"]');
+      const mainTab = document.querySelector('li.nav-item[data-config-label="Main"]');
+
+      expect(keycloakTab?.classList.contains('d-none')).toBe(false);
+      expect(mainTab?.classList.contains('d-none')).toBe(true);
+
+      const clientIdItem = document.querySelector('.pmf-config-item[data-config-key="keycloak.clientId"]');
+      expect(clientIdItem?.classList.contains('d-none')).toBe(false);
+
+      vi.useRealTimers();
+    });
+
     it('should restore all items and tabs when filter is cleared', async () => {
       vi.useFakeTimers();
       buildFilterDOM();
diff --git a/phpmyfaq/admin/assets/src/configuration/configuration.ts b/phpmyfaq/admin/assets/src/configuration/configuration.ts
index 5d47de6e1f..8b4363a0fe 100644
--- a/phpmyfaq/admin/assets/src/configuration/configuration.ts
+++ b/phpmyfaq/admin/assets/src/configuration/configuration.ts
@@ -48,6 +48,7 @@ const TAB_TARGETS = [
   '#mail',
   '#api',
   '#oauth2',
+  '#keycloak',
   '#upgrade',
   '#translation',
   '#storage',
diff --git a/phpmyfaq/assets/templates/admin/configuration/main.twig b/phpmyfaq/assets/templates/admin/configuration/main.twig
index a2c2db914c..1f2f69bc94 100644
--- a/phpmyfaq/assets/templates/admin/configuration/main.twig
+++ b/phpmyfaq/assets/templates/admin/configuration/main.twig
@@ -125,6 +125,12 @@
                 {{ 'oauthControlCenter' | translate }}
               </a>
             </li>
+            <li role="presentation" class="nav-item" data-config-group="integrations" data-config-label="{{ 'keycloakControlCenter' | translate }}">
+              <a href="#keycloak" aria-controls="keycloak" role="tab" data-bs-toggle="tab" class="nav-link">
+                <i aria-hidden="true" class="bi bi-key"></i>
+                {{ 'keycloakControlCenter' | translate }}
+              </a>
+            </li>
             <li role="presentation" class="nav-item" data-config-group="integrations" data-config-label="LDAP">
               <a href="#ldap" aria-controls="ldap" role="tab" data-bs-toggle="tab" class="nav-link">
                 <i aria-hidden="true" class="bi bi-database"></i>
@@ -161,6 +167,7 @@
             <div role="tabpanel" class="tab-pane fade" id="mail"></div>
             <div role="tabpanel" class="tab-pane fade" id="api"></div>
             <div role="tabpanel" class="tab-pane fade" id="oauth2"></div>
+            <div role="tabpanel" class="tab-pane fade" id="keycloak"></div>
             <div role="tabpanel" class="tab-pane fade" id="upgrade"></div>
             <div role="tabpanel" class="tab-pane fade" id="translation"></div>
             <div role="tabpanel" class="tab-pane fade" id="storage"></div>
diff --git a/phpmyfaq/assets/templates/admin/configuration/tab-list.twig b/phpmyfaq/assets/templates/admin/configuration/tab-list.twig
index 7beafbb767..b37452db86 100644
--- a/phpmyfaq/assets/templates/admin/configuration/tab-list.twig
+++ b/phpmyfaq/assets/templates/admin/configuration/tab-list.twig
@@ -14,6 +14,7 @@
   'push': 'pushControlCenter',
   'api': 'API',
   'oauth2': 'oauthControlCenter',
+  'keycloak': 'keycloakControlCenter',
   'ldap': 'LDAP',
   'upgrade': 'upgradeControlCenter',
 } %}
diff --git a/phpmyfaq/assets/templates/admin/login.twig b/phpmyfaq/assets/templates/admin/login.twig
index e63055f419..a2bb0c7a4e 100644
--- a/phpmyfaq/assets/templates/admin/login.twig
+++ b/phpmyfaq/assets/templates/admin/login.twig
@@ -78,12 +78,18 @@
                         <i class="bi bi-windows" aria-hidden="true"></i>
                         {{ msgSignInWithMicrosoft }}
                       </a>
-                      {% if isWebAuthnEnabled %}
-                        <a class="w-100 py-2 mb-2 btn btn-outline-primary rounded-3" href="../services/webauthn">
-                          <i class="bi bi-key" aria-hidden="true"></i>
-                          {{ 'msgSignInWithPasskey' | translate }}
-                        </a>
-                      {% endif %}
+                    {% endif %}
+                    {% if hasSignInWithKeycloakActive %}
+                      <a class="w-100 py-2 mb-2 btn btn-outline-dark rounded-3" href="../auth/keycloak/authorize">
+                        <i class="bi bi-shield-lock" aria-hidden="true"></i>
+                        {{ msgSignInWithKeycloak }}
+                      </a>
+                    {% endif %}
+                    {% if isWebAuthnEnabled %}
+                      <a class="w-100 py-2 mb-2 btn btn-outline-primary rounded-3" href="../services/webauthn">
+                        <i class="bi bi-key" aria-hidden="true"></i>
+                        {{ 'msgSignInWithPasskey' | translate }}
+                      </a>
                     {% endif %}
                   </div>
                 </div>
diff --git a/phpmyfaq/assets/templates/default/login.twig b/phpmyfaq/assets/templates/default/login.twig
index 43b79909c9..918b1d5115 100644
--- a/phpmyfaq/assets/templates/default/login.twig
+++ b/phpmyfaq/assets/templates/default/login.twig
@@ -74,6 +74,12 @@
                     {{ 'msgSignInWithMicrosoft' | translate }}
                   </a>
                   {% endif %}
+                  {% if useSignInWithKeycloak %}
+                  <a class="w-100 py-2 mb-2 btn btn-warning rounded-3" href="./auth/keycloak/authorize">
+                    <i class="bi bi-shield-lock" aria-hidden="true"></i>
+                    {{ 'msgSignInWithKeycloak' | translate }}
+                  </a>
+                  {% endif %}
                   {%  if isWebAuthnEnabled %}
                   <a class="w-100 py-2 mb-2 btn btn-outline-primary rounded-3" href="./services/webauthn">
                     <i class="bi bi-key" aria-hidden="true"></i>
diff --git a/phpmyfaq/src/phpMyFAQ/Auth/AuthKeycloak.php b/phpmyfaq/src/phpMyFAQ/Auth/AuthKeycloak.php
new file mode 100644
index 0000000000..b89bf86eaa
--- /dev/null
+++ b/phpmyfaq/src/phpMyFAQ/Auth/AuthKeycloak.php
@@ -0,0 +1,345 @@
+<?php
+
+/**
+ * Manages user authentication with Keycloak via OIDC.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth;
+
+use Closure;
+use phpMyFAQ\Auth;
+use phpMyFAQ\Auth\Oidc\OidcProviderConfig;
+use phpMyFAQ\Configuration;
+use phpMyFAQ\Core\Exception;
+use phpMyFAQ\Enums\AuthenticationSourceType;
+use phpMyFAQ\Permission\MediumPermission;
+use phpMyFAQ\User;
+use SensitiveParameter;
+
+class AuthKeycloak extends Auth implements AuthDriverInterface
+{
+    /** @param array<string, mixed> $claims */
+    public function __construct(
+        Configuration $configuration,
+        private readonly OidcProviderConfig $providerConfig,
+        private readonly array $claims,
+        private readonly string $resolvedLogin,
+        private readonly ?Closure $userFactory = null,
+        private readonly ?Closure $mediumPermissionFactory = null,
+    ) {
+        parent::__construct($configuration);
+    }
+
+    /**
+     * @throws Exception
+     */
+    public function create(string $login, #[SensitiveParameter] string $password, string $domain = ''): bool
+    {
+        $user = $this->createUser();
+
+        try {
+            $result = $user->createUser($login, '', $domain);
+        } catch (\Exception $exception) {
+            $this->configuration
+                ->getLogger()
+                ->error(sprintf(
+                    'Keycloak user creation failed for "%s": %s',
+                    $this->redactIdentifier($login),
+                    $exception->getMessage(),
+                ));
+            return false;
+        }
+
+        if (!$result) {
+            return false;
+        }
+
+        try {
+            $saved = $user->setUserData([
+                'display_name' => $this->getDisplayName(),
+                'email' => $this->getEmail(),
+                'keycloak_sub' => $this->getSubject(),
+            ]);
+        } catch (\Exception $exception) {
+            $this->configuration
+                ->getLogger()
+                ->error(sprintf(
+                    'Keycloak user data persistence failed for "%s": %s',
+                    $this->redactIdentifier($login),
+                    $exception->getMessage(),
+                ));
+            return false;
+        }
+
+        if (!$saved) {
+            $this->configuration
+                ->getLogger()
+                ->error(sprintf(
+                    'Keycloak user data persistence returned false for "%s"',
+                    $this->redactIdentifier($login),
+                ));
+            return false;
+        }
+
+        $user->setStatus('active');
+        $user->setAuthSource(AuthenticationSourceType::AUTH_KEYCLOAK->value);
+
+        if ($this->shouldAssignGroups()) {
+            $this->assignUserToGroups($user->getUserId());
+        }
+
+        return true;
+    }
+
+    public function update(string $login, #[SensitiveParameter] string $password): bool
+    {
+        return true;
+    }
+
+    public function delete(string $login): bool
+    {
+        return true;
+    }
+
+    /**
+     * @throws Exception
+     */
+    public function checkCredentials(
+        string $login,
+        #[SensitiveParameter]
+        string $password,
+        ?array $optionalData = null,
+    ): bool {
+        if ($login !== $this->resolvedLogin) {
+            return false;
+        }
+
+        $existingUser = $this->findUser($login);
+        if ($existingUser instanceof User) {
+            if ($this->shouldSynchronizeGroupsOnLogin()) {
+                $this->assignUserToGroups($existingUser->getUserId());
+            }
+
+            return true;
+        }
+
+        if (!$this->providerConfig->autoProvision) {
+            return false;
+        }
+
+        return $this->create($login, '');
+    }
+
+    public function isValidLogin(string $login, ?array $optionalData = null): int
+    {
+        return $login === $this->resolvedLogin ? 1 : 0;
+    }
+
+    private function getDisplayName(): string
+    {
+        $name = trim((string) ($this->claims['name'] ?? ''));
+        if ($name !== '') {
+            return $name;
+        }
+
+        $preferredUsername = trim((string) ($this->claims['preferred_username'] ?? ''));
+        if ($preferredUsername !== '') {
+            return $preferredUsername;
+        }
+
+        return $this->resolvedLogin;
+    }
+
+    private function getEmail(): string
+    {
+        return trim((string) ($this->claims['email'] ?? ''));
+    }
+
+    private function getSubject(): string
+    {
+        return trim((string) ($this->claims['sub'] ?? ''));
+    }
+
+    private function findUser(string $login): ?User
+    {
+        $user = $this->createUser();
+        return $user->getUserByLogin($login, false) ? $user : null;
+    }
+
+    private function shouldAssignGroups(): bool
+    {
+        return (
+            $this->toBool($this->configuration->get(item: 'keycloak.groupAutoAssign'))
+            && $this->configuration->get(item: 'security.permLevel') === 'medium'
+        );
+    }
+
+    private function assignUserToGroups(int $userId): void
+    {
+        if ($userId <= 0) {
+            return;
+        }
+
+        $mediumPermission = $this->createMediumPermission();
+        $groupMapping = $this->getGroupMapping();
+        if ($groupMapping === []) {
+            return;
+        }
+
+        $currentGroupIds = $mediumPermission->getUserGroups($userId);
+        $desiredGroupIds = [];
+        $roleNames = $this->extractRoleNames();
+
+        foreach ($roleNames as $roleName) {
+            if (!array_key_exists($roleName, $groupMapping)) {
+                continue;
+            }
+            $faqGroupName = $groupMapping[$roleName];
+            $groupId = $mediumPermission->findOrCreateGroupByName($faqGroupName);
+            if ($groupId <= 0) {
+                continue;
+            }
+
+            $desiredGroupIds[] = $groupId;
+            if (in_array($groupId, $currentGroupIds, true)) {
+                continue;
+            }
+
+            $mediumPermission->addToGroup($userId, $groupId);
+            $this->configuration
+                ->getLogger()
+                ->info(sprintf('Added Keycloak user #%d to group %s', $userId, $faqGroupName));
+        }
+
+        if (!$this->shouldSynchronizeGroupsOnLogin()) {
+            return;
+        }
+
+        foreach (array_values(array_unique($groupMapping)) as $groupName) {
+            $groupId = $mediumPermission->getGroupId($groupName);
+            if ($groupId <= 0) {
+                continue;
+            }
+
+            if (!in_array($groupId, $currentGroupIds, true) || in_array($groupId, $desiredGroupIds, true)) {
+                continue;
+            }
+
+            $mediumPermission->removeFromGroup($userId, $groupId);
+            $this->configuration
+                ->getLogger()
+                ->info(sprintf('Removed Keycloak user #%d from group %s', $userId, $groupName));
+        }
+    }
+
+    /**
+     * @return array<string>
+     */
+    private function extractRoleNames(): array
+    {
+        $roleNames = [];
+
+        $realmRoles = $this->claims['realm_access']['roles'] ?? [];
+        if (is_array($realmRoles)) {
+            foreach ($realmRoles as $realmRole) {
+                if (!is_string($realmRole) || $realmRole === '') {
+                    continue;
+                }
+
+                $roleNames[] = $realmRole;
+            }
+        }
+
+        $clientId = trim((string) $this->configuration->get(item: 'keycloak.clientId'));
+        if ($clientId !== '') {
+            $clientRoles = $this->claims['resource_access'][$clientId]['roles'] ?? [];
+            if (is_array($clientRoles)) {
+                foreach ($clientRoles as $clientRole) {
+                    if (!is_string($clientRole) || $clientRole === '') {
+                        continue;
+                    }
+
+                    $roleNames[] = $clientRole;
+                }
+            }
+        }
+
+        return array_values(array_unique($roleNames));
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    private function getGroupMapping(): array
+    {
+        $groupMapping = $this->configuration->get(item: 'keycloak.groupMapping');
+        if (!is_string($groupMapping) || trim($groupMapping) === '') {
+            return [];
+        }
+
+        $decoded = json_decode($groupMapping, associative: true);
+
+        return is_array($decoded) ? array_filter($decoded, is_string(...)) : [];
+    }
+
+    private function toBool(mixed $value): bool
+    {
+        return filter_var($value, FILTER_VALIDATE_BOOLEAN);
+    }
+
+    private function shouldSynchronizeGroupsOnLogin(): bool
+    {
+        return (
+            $this->toBool($this->configuration->get(item: 'keycloak.groupSyncOnLogin'))
+            && $this->configuration->get(item: 'security.permLevel') === 'medium'
+        );
+    }
+
+    private function redactIdentifier(string $identifier): string
+    {
+        if (str_contains($identifier, '@')) {
+            [$local, $domain] = explode('@', $identifier, 2);
+            return $local[0] . '***@' . $domain;
+        }
+
+        if (mb_strlen($identifier) <= 3) {
+            return str_repeat('*', mb_strlen($identifier));
+        }
+
+        return mb_substr($identifier, 0, 3) . '…';
+    }
+
+    /**
+     * @throws Exception
+     */
+    private function createUser(): User
+    {
+        if ($this->userFactory instanceof Closure) {
+            return ($this->userFactory)();
+        }
+
+        return new User($this->configuration);
+    }
+
+    private function createMediumPermission(): MediumPermission
+    {
+        if ($this->mediumPermissionFactory instanceof Closure) {
+            return ($this->mediumPermissionFactory)();
+        }
+
+        return new MediumPermission($this->configuration);
+    }
+}
diff --git a/phpmyfaq/src/phpMyFAQ/Auth/Keycloak/KeycloakProviderConfigFactory.php b/phpmyfaq/src/phpMyFAQ/Auth/Keycloak/KeycloakProviderConfigFactory.php
new file mode 100644
index 0000000000..33e6b9c9dd
--- /dev/null
+++ b/phpmyfaq/src/phpMyFAQ/Auth/Keycloak/KeycloakProviderConfigFactory.php
@@ -0,0 +1,86 @@
+<?php
+
+/**
+ * Keycloak OIDC provider config factory.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Keycloak;
+
+use InvalidArgumentException;
+use phpMyFAQ\Auth\Oidc\OidcClientConfig;
+use phpMyFAQ\Auth\Oidc\OidcProviderConfig;
+use phpMyFAQ\Configuration;
+
+final readonly class KeycloakProviderConfigFactory
+{
+    public function __construct(
+        private Configuration $configuration,
+    ) {
+    }
+
+    public function create(): OidcProviderConfig
+    {
+        $baseUrl = rtrim(trim((string) $this->configuration->get('keycloak.baseUrl')), characters: '/');
+        $realm = trim((string) $this->configuration->get('keycloak.realm'));
+        $redirectUri = trim((string) $this->configuration->get('keycloak.redirectUri'));
+        $scopes = preg_split('/\s+/', trim((string) $this->configuration->get('keycloak.scopes')));
+        if ($scopes === false) {
+            $scopes = [];
+        }
+
+        $enabled = $this->toBool($this->configuration->get('keycloak.enable'));
+
+        if ($enabled && ($baseUrl === '' || $realm === '')) {
+            $missing = array_filter([
+                $baseUrl === '' ? 'baseUrl' : null,
+                $realm === '' ? 'realm' : null,
+            ]);
+            throw new InvalidArgumentException(sprintf('Keycloak enabled but missing: %s', implode(' and ', $missing)));
+        }
+
+        if ($redirectUri === '') {
+            $redirectUri = rtrim($this->configuration->getDefaultUrl(), characters: '/') . '/auth/keycloak/callback';
+        }
+
+        return new OidcProviderConfig(
+            provider: 'keycloak',
+            enabled: $enabled,
+            discoveryUrl: $this->buildDiscoveryUrl($baseUrl, $realm),
+            client: new OidcClientConfig(
+                clientId: trim((string) $this->configuration->get('keycloak.clientId')),
+                clientSecret: (string) $this->configuration->get('keycloak.clientSecret'),
+                redirectUri: $redirectUri,
+                scopes: array_values(array_filter($scopes, static fn(string $scope): bool => $scope !== '')),
+            ),
+            autoProvision: $this->toBool($this->configuration->get('keycloak.autoProvision')),
+            logoutRedirectUrl: trim((string) $this->configuration->get('keycloak.logoutRedirectUrl')),
+        );
+    }
+
+    private function buildDiscoveryUrl(string $baseUrl, string $realm): string
+    {
+        if ($baseUrl === '' || $realm === '') {
+            return '';
+        }
+
+        return $baseUrl . '/realms/' . rawurlencode($realm) . '/.well-known/openid-configuration';
+    }
+
+    private function toBool(mixed $value): bool
+    {
+        return $value === true || $value === 1 || $value === '1' || $value === 'true';
+    }
+}
diff --git a/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcClient.php b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcClient.php
new file mode 100644
index 0000000000..2af2f92f69
--- /dev/null
+++ b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcClient.php
@@ -0,0 +1,158 @@
+<?php
+
+/**
+ * OIDC HTTP client helper.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use JsonException;
+use RuntimeException;
+use SensitiveParameter;
+use Symfony\Contracts\HttpClient\Exception\ExceptionInterface;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
+
+final readonly class OidcClient
+{
+    public function __construct(
+        private HttpClientInterface $httpClient,
+    ) {
+    }
+
+    public function buildAuthorizationUrl(
+        OidcProviderConfig $config,
+        OidcDiscoveryDocument $discoveryDocument,
+        string $state,
+        string $nonce,
+        string $codeChallenge,
+    ): string {
+        $query = http_build_query([
+            'response_type' => 'code',
+            'client_id' => $config->client->clientId,
+            'redirect_uri' => $config->client->redirectUri,
+            'scope' => $config->client->getScopesAsString(),
+            'state' => $state,
+            'nonce' => $nonce,
+            'code_challenge' => $codeChallenge,
+            'code_challenge_method' => 'S256',
+        ]);
+
+        return $discoveryDocument->authorizationEndpoint . '?' . $query;
+    }
+
+    /**
+     * @return array<string, mixed>
+     * @throws ExceptionInterface
+     */
+    public function exchangeAuthorizationCode(
+        OidcProviderConfig $config,
+        OidcDiscoveryDocument $discoveryDocument,
+        string $code,
+        #[SensitiveParameter]
+        string $codeVerifier,
+    ): array {
+        $response = $this->httpClient->request('POST', $discoveryDocument->tokenEndpoint, [
+            'body' => [
+                'grant_type' => 'authorization_code',
+                'code' => $code,
+                'client_id' => $config->client->clientId,
+                'client_secret' => $config->client->clientSecret,
+                'redirect_uri' => $config->client->redirectUri,
+                'code_verifier' => $codeVerifier,
+            ],
+        ]);
+
+        $payload = $this->decodeJsonResponse($response->getContent(false), $response->getStatusCode(), 'token');
+        if (
+            !array_key_exists('access_token', $payload)
+            || !is_string($payload['access_token'])
+            || $payload['access_token'] === ''
+        ) {
+            throw new RuntimeException('OIDC token response did not contain a valid access_token');
+        }
+
+        return $payload;
+    }
+
+    /**
+     * @return array<string, mixed>
+     * @throws ExceptionInterface
+     */
+    public function fetchUserInfo(
+        OidcDiscoveryDocument $discoveryDocument,
+        #[SensitiveParameter]
+        string $accessToken,
+    ): array {
+        $response = $this->httpClient->request('GET', $discoveryDocument->userInfoEndpoint, [
+            'headers' => [
+                'Authorization' => 'Bearer ' . $accessToken,
+            ],
+        ]);
+
+        return $this->decodeJsonResponse($response->getContent(false), $response->getStatusCode(), 'userinfo');
+    }
+
+    public function buildLogoutUrl(
+        OidcProviderConfig $config,
+        OidcDiscoveryDocument $discoveryDocument,
+        #[SensitiveParameter]
+        string $idTokenHint = '',
+    ): ?string {
+        if ($discoveryDocument->endSessionEndpoint === null || $discoveryDocument->endSessionEndpoint === '') {
+            return null;
+        }
+
+        $query = [
+            'client_id' => $config->client->clientId,
+        ];
+
+        if ($config->logoutRedirectUrl !== '') {
+            $query['post_logout_redirect_uri'] = $config->logoutRedirectUrl;
+        }
+
+        if ($idTokenHint !== '') {
+            $query['id_token_hint'] = $idTokenHint;
+        }
+
+        return $discoveryDocument->endSessionEndpoint . '?' . http_build_query($query);
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private function decodeJsonResponse(string $content, int $statusCode, string $context): array
+    {
+        if ($statusCode >= 400) {
+            throw new RuntimeException(sprintf('OIDC %s request failed with status %d', $context, $statusCode));
+        }
+
+        try {
+            $payload = json_decode($content, associative: true, depth: 512, flags: JSON_THROW_ON_ERROR);
+        } catch (JsonException $exception) {
+            throw new RuntimeException(sprintf('OIDC %s response is not valid JSON', $context), previous: $exception);
+        }
+
+        if (!is_array($payload)) {
+            throw new RuntimeException(sprintf(
+                'OIDC %s response is not a JSON object/array, got %s',
+                $context,
+                gettype($payload),
+            ));
+        }
+
+        return $payload;
+    }
+}
diff --git a/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcClientConfig.php b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcClientConfig.php
new file mode 100644
index 0000000000..2d52759f10
--- /dev/null
+++ b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcClientConfig.php
@@ -0,0 +1,42 @@
+<?php
+
+/**
+ * OIDC client configuration.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use SensitiveParameter;
+
+final readonly class OidcClientConfig
+{
+    /**
+     * @param list<string> $scopes
+     */
+    public function __construct(
+        public string $clientId,
+        #[SensitiveParameter]
+        public string $clientSecret,
+        public string $redirectUri,
+        public array $scopes,
+    ) {
+    }
+
+    public function getScopesAsString(): string
+    {
+        return implode(' ', $this->scopes);
+    }
+}
diff --git a/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcDiscoveryDocument.php b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcDiscoveryDocument.php
new file mode 100644
index 0000000000..0c0fa98303
--- /dev/null
+++ b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcDiscoveryDocument.php
@@ -0,0 +1,74 @@
+<?php
+
+/**
+ * Typed OIDC discovery document.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use InvalidArgumentException;
+
+final readonly class OidcDiscoveryDocument
+{
+    public function __construct(
+        public string $issuer,
+        public string $authorizationEndpoint,
+        public string $tokenEndpoint,
+        public string $userInfoEndpoint,
+        public string $jwksUri,
+        public ?string $endSessionEndpoint = null,
+    ) {
+    }
+
+    /**
+     * @param array<string, mixed> $data
+     */
+    public static function fromArray(array $data): self
+    {
+        foreach ([
+            'issuer',
+            'authorization_endpoint',
+            'token_endpoint',
+            'userinfo_endpoint',
+            'jwks_uri',
+        ] as $requiredKey) {
+            if (
+                !array_key_exists($requiredKey, $data)
+                || !is_string($data[$requiredKey])
+                || trim($data[$requiredKey]) === ''
+            ) {
+                throw new InvalidArgumentException(sprintf(
+                    'Missing or invalid OIDC discovery field: %s',
+                    $requiredKey,
+                ));
+            }
+        }
+
+        $endSessionEndpoint = null;
+        if (array_key_exists('end_session_endpoint', $data) && is_string($data['end_session_endpoint'])) {
+            $endSessionEndpoint = trim($data['end_session_endpoint']);
+        }
+
+        return new self(
+            issuer: trim($data['issuer']),
+            authorizationEndpoint: trim($data['authorization_endpoint']),
+            tokenEndpoint: trim($data['token_endpoint']),
+            userInfoEndpoint: trim($data['userinfo_endpoint']),
+            jwksUri: trim($data['jwks_uri']),
+            endSessionEndpoint: $endSessionEndpoint !== '' ? $endSessionEndpoint : null,
+        );
+    }
+}
diff --git a/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcDiscoveryService.php b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcDiscoveryService.php
new file mode 100644
index 0000000000..f6eab91e38
--- /dev/null
+++ b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcDiscoveryService.php
@@ -0,0 +1,65 @@
+<?php
+
+/**
+ * OIDC discovery document loader.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use JsonException;
+use RuntimeException;
+use Symfony\Contracts\HttpClient\Exception\ExceptionInterface;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
+
+final readonly class OidcDiscoveryService
+{
+    public function __construct(
+        private HttpClientInterface $httpClient,
+    ) {
+    }
+
+    /**
+     * @throws ExceptionInterface
+     */
+    public function discover(OidcProviderConfig $config): OidcDiscoveryDocument
+    {
+        $response = $this->httpClient->request('GET', $config->discoveryUrl);
+        $content = $response->getContent(false);
+
+        if ($response->getStatusCode() >= 400) {
+            throw new RuntimeException(sprintf(
+                'OIDC discovery request failed for %s with status %d',
+                $config->provider,
+                $response->getStatusCode(),
+            ));
+        }
+
+        try {
+            $payload = json_decode($content, associative: true, depth: 512, flags: JSON_THROW_ON_ERROR);
+        } catch (JsonException $exception) {
+            throw new RuntimeException('OIDC discovery response is not valid JSON', previous: $exception);
+        }
+
+        if (!is_array($payload)) {
+            throw new RuntimeException(sprintf(
+                'OIDC discovery response is not a JSON object/array, got %s',
+                gettype($payload),
+            ));
+        }
+
+        return OidcDiscoveryDocument::fromArray($payload);
+    }
+}
diff --git a/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcIdTokenValidator.php b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcIdTokenValidator.php
new file mode 100644
index 0000000000..1438504575
--- /dev/null
+++ b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcIdTokenValidator.php
@@ -0,0 +1,404 @@
+<?php
+
+/**
+ * OIDC ID token validator.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use Closure;
+use JsonException;
+use RuntimeException;
+use SensitiveParameter;
+use Symfony\Contracts\HttpClient\Exception\ExceptionInterface;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
+
+final readonly class OidcIdTokenValidator
+{
+    public function __construct(
+        private HttpClientInterface $httpClient,
+        private ?Closure $currentTimeProvider = null,
+    ) {
+    }
+
+    /**
+     * @return array<string, mixed>
+     * @throws ExceptionInterface
+     */
+    public function validate(
+        #[SensitiveParameter]
+        string $idToken,
+        OidcDiscoveryDocument $discoveryDocument,
+        string $expectedAudience,
+        string $expectedNonce,
+    ): array {
+        if (trim($idToken) === '') {
+            throw new RuntimeException('OIDC id_token is missing');
+        }
+
+        [$encodedHeader, $encodedPayload, $encodedSignature] = $this->splitToken($idToken);
+        $header = $this->decodeSegment($encodedHeader, 'header');
+        $claims = $this->decodeSegment($encodedPayload, 'payload');
+
+        $this->validateClaims($claims, $discoveryDocument->issuer, $expectedAudience, $expectedNonce);
+        $this->validateSignature(
+            $encodedHeader . '.' . $encodedPayload,
+            $encodedSignature,
+            $header,
+            $discoveryDocument->jwksUri,
+        );
+
+        return $claims;
+    }
+
+    /**
+     * @return array{0: string, 1: string, 2: string}
+     */
+    private function splitToken(#[SensitiveParameter] string $idToken): array
+    {
+        $parts = explode('.', $idToken);
+        if (count($parts) !== 3 || $parts[0] === '' || $parts[1] === '' || $parts[2] === '') {
+            throw new RuntimeException('OIDC id_token is malformed');
+        }
+
+        return [$parts[0], $parts[1], $parts[2]];
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private function decodeSegment(string $segment, string $context): array
+    {
+        $decoded = $this->base64UrlDecode($segment);
+
+        try {
+            $payload = json_decode($decoded, associative: true, depth: 512, flags: JSON_THROW_ON_ERROR);
+        } catch (JsonException $exception) {
+            throw new RuntimeException(sprintf('OIDC id_token %s is not valid JSON', $context), previous: $exception);
+        }
+
+        if (!is_array($payload)) {
+            throw new RuntimeException(sprintf('OIDC id_token %s is not valid', $context));
+        }
+
+        return $payload;
+    }
+
+    /**
+     * @param array<string, mixed> $claims
+     */
+    private function validateClaims(
+        array $claims,
+        string $expectedIssuer,
+        string $expectedAudience,
+        string $expectedNonce,
+    ): void {
+        if (!array_key_exists('iss', $claims) || !is_string($claims['iss']) || trim($claims['iss']) === '') {
+            throw new RuntimeException('OIDC id_token is missing the issuer claim');
+        }
+        if (trim($claims['iss']) !== $expectedIssuer) {
+            throw new RuntimeException('OIDC issuer mismatch in id_token');
+        }
+
+        if (!array_key_exists('sub', $claims) || !is_string($claims['sub']) || trim($claims['sub']) === '') {
+            throw new RuntimeException('OIDC id_token is missing the subject claim');
+        }
+
+        if (!array_key_exists('aud', $claims)) {
+            throw new RuntimeException('OIDC id_token is missing the audience claim');
+        }
+        $audience = $claims['aud'];
+        if (!$this->isValidAudience($audience)) {
+            throw new RuntimeException('OIDC id_token audience claim is invalid');
+        }
+        if (!$this->audienceMatches($audience, $expectedAudience)) {
+            throw new RuntimeException('OIDC audience mismatch in id_token');
+        }
+
+        $authorizedParty = trim((string) ($claims['azp'] ?? ''));
+        if ($authorizedParty !== '' && $authorizedParty !== $expectedAudience) {
+            throw new RuntimeException('OIDC authorized party mismatch in id_token');
+        }
+
+        if (is_array($audience) && count($audience) > 1 && $authorizedParty === '') {
+            throw new RuntimeException('OIDC authorized party missing in id_token');
+        }
+
+        if ($expectedNonce !== '') {
+            if (!array_key_exists('nonce', $claims) || !is_string($claims['nonce']) || $claims['nonce'] === '') {
+                throw new RuntimeException('OIDC id_token is missing the nonce claim');
+            }
+            if (!hash_equals($expectedNonce, $claims['nonce'])) {
+                throw new RuntimeException('OIDC nonce mismatch in id_token');
+            }
+        }
+
+        $now = $this->getCurrentTimestamp();
+
+        if (!array_key_exists('exp', $claims) || !is_numeric($claims['exp'])) {
+            throw new RuntimeException('OIDC id_token is missing the expiration claim');
+        }
+        if ($now >= (int) $claims['exp']) {
+            throw new RuntimeException('OIDC id_token has expired');
+        }
+
+        if (array_key_exists('nbf', $claims)) {
+            if (!is_numeric($claims['nbf'])) {
+                throw new RuntimeException('OIDC id_token has a non-numeric nbf claim');
+            }
+            if ($now < (int) $claims['nbf']) {
+                throw new RuntimeException('OIDC id_token is not valid yet');
+            }
+        }
+
+        if (!array_key_exists('iat', $claims) || !is_numeric($claims['iat'])) {
+            throw new RuntimeException('OIDC id_token is missing the issued-at claim');
+        }
+        $issuedAt = (int) $claims['iat'];
+        if ($issuedAt > ($now + 60)) {
+            throw new RuntimeException('OIDC id_token issued-at time is in the future');
+        }
+        if ($issuedAt < ($now - 86400)) {
+            throw new RuntimeException('OIDC id_token issued-at time is too far in the past');
+        }
+    }
+
+    private function isValidAudience(mixed $audience): bool
+    {
+        if (is_string($audience)) {
+            return trim($audience) !== '';
+        }
+
+        if (!is_array($audience) || $audience === []) {
+            return false;
+        }
+
+        foreach ($audience as $entry) {
+            if (!is_string($entry) || trim($entry) === '') {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * @param array<string, mixed> $header
+     * @throws ExceptionInterface
+     */
+    private function validateSignature(
+        string $signedPayload,
+        string $encodedSignature,
+        array $header,
+        string $jwksUri,
+    ): void {
+        $algorithm = (string) ($header['alg'] ?? '');
+        $keyId = trim((string) ($header['kid'] ?? ''));
+
+        $opensslAlgorithm = match ($algorithm) {
+            'RS256' => OPENSSL_ALGO_SHA256,
+            'RS384' => OPENSSL_ALGO_SHA384,
+            'RS512' => OPENSSL_ALGO_SHA512,
+            default => throw new RuntimeException('Unsupported OIDC id_token signing algorithm'),
+        };
+
+        $jwks = $this->fetchJwks($jwksUri);
+        $key = $this->findKey($jwks, $keyId);
+        $publicKey = $this->createPemFromJwk($key);
+        $signature = $this->base64UrlDecode($encodedSignature);
+
+        $verificationResult = openssl_verify($signedPayload, $signature, $publicKey, $opensslAlgorithm);
+        if ($verificationResult !== 1) {
+            throw new RuntimeException('OIDC id_token signature validation failed');
+        }
+    }
+
+    /**
+     * @return array<string, mixed>
+     * @throws ExceptionInterface
+     */
+    private function fetchJwks(string $jwksUri): array
+    {
+        $response = $this->httpClient->request('GET', $jwksUri);
+        $content = $response->getContent(false);
+
+        if ($response->getStatusCode() >= 400) {
+            throw new RuntimeException(sprintf('OIDC JWKS request failed with status %d', $response->getStatusCode()));
+        }
+
+        try {
+            $payload = json_decode($content, associative: true, depth: 512, flags: JSON_THROW_ON_ERROR);
+        } catch (JsonException $exception) {
+            throw new RuntimeException('OIDC JWKS response is not valid JSON', previous: $exception);
+        }
+
+        if (!is_array($payload)) {
+            throw new RuntimeException('OIDC JWKS response is not valid');
+        }
+
+        return $payload;
+    }
+
+    /**
+     * @param array<string, mixed> $jwks
+     * @return array<string, mixed>
+     */
+    private function findKey(array $jwks, string $keyId): array
+    {
+        $keys = $jwks['keys'] ?? null;
+        if (!is_array($keys) || $keys === []) {
+            throw new RuntimeException('OIDC JWKS response does not contain any keys');
+        }
+
+        foreach ($keys as $key) {
+            if (!is_array($key)) {
+                continue;
+            }
+
+            $candidateKeyId = trim((string) ($key['kid'] ?? ''));
+            if ($keyId !== '' && $candidateKeyId !== $keyId) {
+                continue;
+            }
+
+            return $key;
+        }
+
+        if ($keyId === '' && is_array($keys[0])) {
+            return $keys[0];
+        }
+
+        throw new RuntimeException('OIDC JWKS key could not be resolved');
+    }
+
+    /**
+     * @param array<string, mixed> $key
+     */
+    private function createPemFromJwk(array $key): string
+    {
+        $keyType = (string) ($key['kty'] ?? '');
+        $modulus = (string) ($key['n'] ?? '');
+        $exponent = (string) ($key['e'] ?? '');
+
+        if ($keyType !== 'RSA' || $modulus === '' || $exponent === '') {
+            throw new RuntimeException('OIDC JWK is not a supported RSA key');
+        }
+
+        $rsaPublicKey = $this->asn1Sequence(
+            $this->asn1Integer($this->base64UrlDecode($modulus))
+                . $this->asn1Integer($this->base64UrlDecode($exponent)),
+        );
+
+        $subjectPublicKeyInfo = $this->asn1Sequence(
+            $this->asn1Sequence($this->asn1ObjectIdentifier("\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") . $this->asn1Null())
+                . $this->asn1BitString($rsaPublicKey),
+        );
+
+        return (
+            "-----BEGIN PUBLIC KEY-----\n"
+            . chunk_split(base64_encode($subjectPublicKeyInfo), length: 64, separator: "\n")
+            . "-----END PUBLIC KEY-----\n"
+        );
+    }
+
+    private function asn1Sequence(string $value): string
+    {
+        return "\x30" . $this->asn1Length(strlen($value)) . $value;
+    }
+
+    private function asn1Integer(string $value): string
+    {
+        if ($value === '') {
+            $value = "\x00";
+        }
+
+        if (ord($value[0]) > 0x7f) {
+            $value = "\x00" . $value;
+        }
+
+        return "\x02" . $this->asn1Length(strlen($value)) . $value;
+    }
+
+    private function asn1ObjectIdentifier(string $value): string
+    {
+        return "\x06" . $this->asn1Length(strlen($value)) . $value;
+    }
+
+    private function asn1Null(): string
+    {
+        return "\x05\x00";
+    }
+
+    private function asn1BitString(string $value): string
+    {
+        return "\x03" . $this->asn1Length(strlen($value) + 1) . "\x00" . $value;
+    }
+
+    private function asn1Length(int $length): string
+    {
+        if ($length < 128) {
+            return chr($length);
+        }
+
+        $encoded = '';
+        while ($length > 0) {
+            $encoded = chr($length & 0xff) . $encoded;
+            $length >>= 8;
+        }
+
+        return chr(0x80 | strlen($encoded)) . $encoded;
+    }
+
+    private function base64UrlDecode(string $value): string
+    {
+        $padding = (4 - (strlen($value) % 4)) % 4;
+        $value .= str_repeat('=', $padding);
+        $decoded = base64_decode(strtr(string: $value, from: '-_', to: '+/'), strict: true);
+
+        if ($decoded === false) {
+            throw new RuntimeException('OIDC token could not be base64url decoded');
+        }
+
+        return $decoded;
+    }
+
+    private function audienceMatches(mixed $audience, string $expectedAudience): bool
+    {
+        if (is_string($audience)) {
+            return $audience === $expectedAudience;
+        }
+
+        if (!is_array($audience)) {
+            return false;
+        }
+
+        foreach ($audience as $entry) {
+            if (is_string($entry) && $entry === $expectedAudience) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    private function getCurrentTimestamp(): int
+    {
+        if ($this->currentTimeProvider instanceof Closure) {
+            return ($this->currentTimeProvider)();
+        }
+
+        return time();
+    }
+}
diff --git a/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcPkceGenerator.php b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcPkceGenerator.php
new file mode 100644
index 0000000000..05bea3d612
--- /dev/null
+++ b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcPkceGenerator.php
@@ -0,0 +1,65 @@
+<?php
+
+/**
+ * OIDC PKCE helper.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use InvalidArgumentException;
+
+final class OidcPkceGenerator
+{
+    public function generateVerifier(int $length = 128): string
+    {
+        if ($length < 43 || $length > 128) {
+            throw new InvalidArgumentException(sprintf(
+                'PKCE verifier length must be between 43 and 128, got %d',
+                $length,
+            ));
+        }
+
+        $chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-._~';
+        $charLength = strlen($chars) - 1;
+        $verifier = '';
+
+        for ($index = 0; $index < $length; ++$index) {
+            $verifier .= $chars[random_int(0, $charLength)];
+        }
+
+        return $verifier;
+    }
+
+    public function generateChallenge(string $verifier): string
+    {
+        $len = strlen($verifier);
+        if ($len < 43 || $len > 128) {
+            throw new InvalidArgumentException(sprintf(
+                'PKCE verifier length must be between 43 and 128, got %d',
+                $len,
+            ));
+        }
+
+        if (preg_match('/[^0-9a-zA-Z\-._~]/', $verifier) === 1) {
+            throw new InvalidArgumentException('PKCE verifier contains invalid characters');
+        }
+
+        return rtrim(
+            strtr(base64_encode(hash(algo: 'sha256', data: $verifier, binary: true)), from: '+/', to: '-_'),
+            characters: '=',
+        );
+    }
+}
diff --git a/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcProviderConfig.php b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcProviderConfig.php
new file mode 100644
index 0000000000..427a86269b
--- /dev/null
+++ b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcProviderConfig.php
@@ -0,0 +1,33 @@
+<?php
+
+/**
+ * OIDC provider configuration.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+final readonly class OidcProviderConfig
+{
+    public function __construct(
+        public string $provider,
+        public bool $enabled,
+        public string $discoveryUrl,
+        public OidcClientConfig $client,
+        public bool $autoProvision,
+        public string $logoutRedirectUrl,
+    ) {
+    }
+}
diff --git a/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcSession.php b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcSession.php
new file mode 100644
index 0000000000..4f3757dc16
--- /dev/null
+++ b/phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcSession.php
@@ -0,0 +1,77 @@
+<?php
+
+/**
+ * OIDC session helper.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use phpMyFAQ\Session\AbstractSession;
+use Symfony\Component\HttpFoundation\Session\Session;
+
+final class OidcSession extends AbstractSession
+{
+    final public const string OIDC_STATE = 'pmf-oidc-state';
+    final public const string OIDC_NONCE = 'pmf-oidc-nonce';
+    final public const string OIDC_PKCE_CODE = 'pmf-oidc-pkce-code';
+    final public const string OIDC_ID_ASSERTION = 'pmf-oidc-id-assertion';
+
+    public function __construct(Session $session)
+    {
+        parent::__construct($session);
+    }
+
+    public function setAuthorizationState(string $state, string $nonce, string $pkceVerifier): void
+    {
+        $this->set(self::OIDC_STATE, $state);
+        $this->set(self::OIDC_NONCE, $nonce);
+        $this->set(self::OIDC_PKCE_CODE, $pkceVerifier);
+    }
+
+    /**
+     * @return array{state: string, nonce: string, verifier: string}
+     */
+    public function getAuthorizationState(): array
+    {
+        return [
+            'state' => (string) $this->get(self::OIDC_STATE),
+            'nonce' => (string) $this->get(self::OIDC_NONCE),
+            'verifier' => (string) $this->get(self::OIDC_PKCE_CODE),
+        ];
+    }
+
+    public function clearAuthorizationState(): void
+    {
+        $this->set(self::OIDC_STATE, '');
+        $this->set(self::OIDC_NONCE, '');
+        $this->set(self::OIDC_PKCE_CODE, '');
+    }
+
+    public function setIdToken(string $idToken): void
+    {
+        $this->set(self::OIDC_ID_ASSERTION, $idToken);
+    }
+
+    public function getIdToken(): string
+    {
+        return (string) $this->get(self::OIDC_ID_ASSERTION);
+    }
+
+    public function clearIdToken(): void
+    {
+        $this->set(self::OIDC_ID_ASSERTION, '');
+    }
+}
diff --git a/phpmyfaq/src/phpMyFAQ/Configuration/SecuritySettings.php b/phpmyfaq/src/phpMyFAQ/Configuration/SecuritySettings.php
index 1d2d147a19..f65eda2136 100644
--- a/phpmyfaq/src/phpMyFAQ/Configuration/SecuritySettings.php
+++ b/phpmyfaq/src/phpMyFAQ/Configuration/SecuritySettings.php
@@ -32,4 +32,9 @@ public function isSignInWithMicrosoftActive(): bool
     {
         return (bool) $this->coreConfiguration->get(item: 'security.enableSignInWithMicrosoft');
     }
+
+    public function isSignInWithKeycloakActive(): bool
+    {
+        return (bool) $this->coreConfiguration->get(item: 'keycloak.enable');
+    }
 }
diff --git a/phpmyfaq/src/phpMyFAQ/ConfigurationMethodsTrait.php b/phpmyfaq/src/phpMyFAQ/ConfigurationMethodsTrait.php
index 39b68f486b..94b25319a1 100644
--- a/phpmyfaq/src/phpMyFAQ/ConfigurationMethodsTrait.php
+++ b/phpmyfaq/src/phpMyFAQ/ConfigurationMethodsTrait.php
@@ -292,6 +292,11 @@ public function isSignInWithMicrosoftActive(): bool
         return $this->securitySettings->isSignInWithMicrosoftActive();
     }
 
+    public function isSignInWithKeycloakActive(): bool
+    {
+        return $this->securitySettings->isSignInWithKeycloakActive();
+    }
+
     /**
      * Sets the Elasticsearch client instance.
      */
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/AbstractController.php b/phpmyfaq/src/phpMyFAQ/Controller/AbstractController.php
index 48f432bcd3..6502a433dd 100644
--- a/phpmyfaq/src/phpMyFAQ/Controller/AbstractController.php
+++ b/phpmyfaq/src/phpMyFAQ/Controller/AbstractController.php
@@ -243,6 +243,9 @@ private function isPublicAuthenticationPath(string $pathInfo): bool
             '/auth/azure/authorize',
             '/auth/azure/callback',
             '/auth/azure/callback.php',
+            '/auth/keycloak/authorize',
+            '/auth/keycloak/callback',
+            '/auth/keycloak/logout',
             '/services/azure/callback',
             '/services/azure/callback.php',
             '/api/webauthn/prepare-login',
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php b/phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php
index 9c87ce9e12..8bd8d3539d 100644
--- a/phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php
+++ b/phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php
@@ -322,6 +322,18 @@ private function logSecurityConfigChanges(array $changedKeys, array $oldConfig,
         $ssoKeys = [
             'security.ssoSupport',
             'security.ssoLogoutRedirect',
+            'keycloak.enable',
+            'keycloak.baseUrl',
+            'keycloak.realm',
+            'keycloak.clientId',
+            'keycloak.clientSecret',
+            'keycloak.redirectUri',
+            'keycloak.scopes',
+            'keycloak.autoProvision',
+            'keycloak.groupAutoAssign',
+            'keycloak.groupSyncOnLogin',
+            'keycloak.groupMapping',
+            'keycloak.logoutRedirectUrl',
         ];
 
         $ssoChanges = array_intersect($changedKeys, $ssoKeys);
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/Administration/AuthenticationController.php b/phpmyfaq/src/phpMyFAQ/Controller/Administration/AuthenticationController.php
index 888535514e..e670b5f12a 100644
--- a/phpmyfaq/src/phpMyFAQ/Controller/Administration/AuthenticationController.php
+++ b/phpmyfaq/src/phpMyFAQ/Controller/Administration/AuthenticationController.php
@@ -129,7 +129,9 @@ public function login(Request $request): Response
             'hasRegistrationEnabled' => $this->configuration->get(item: 'security.enableRegistration'),
             'msgRegistration' => Translation::get(key: 'msgRegistration'),
             'hasSignInWithMicrosoftActive' => $this->configuration->isSignInWithMicrosoftActive(),
+            'hasSignInWithKeycloakActive' => $this->configuration->isSignInWithKeycloakActive(),
             'msgSignInWithMicrosoft' => Translation::get(key: 'msgSignInWithMicrosoft'),
+            'msgSignInWithKeycloak' => Translation::get(key: 'msgSignInWithKeycloak'),
             'secureUrl' => preg_replace(pattern: '/^http:/', replacement: 'https:', subject: $request->getUri()),
             'msgNotSecure' => Translation::get(key: 'msgSecureSwitch'),
             'isWebAuthnEnabled' => $this->configuration->get(item: 'security.enableWebAuthnSupport'),
@@ -165,6 +167,13 @@ public function logout(Request $request): RedirectResponse
             $redirectResponse->send();
         }
 
+        if (
+            $this->configuration->isSignInWithKeycloakActive()
+            && $this->currentUser->getUserAuthSource() === 'keycloak'
+        ) {
+            return new RedirectResponse($this->configuration->getDefaultUrl() . 'auth/keycloak/logout');
+        }
+
         return $redirectResponse->send();
     }
 
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/Frontend/AuthenticationController.php b/phpmyfaq/src/phpMyFAQ/Controller/Frontend/AuthenticationController.php
index 96eafe7c5f..360ef3100e 100644
--- a/phpmyfaq/src/phpMyFAQ/Controller/Frontend/AuthenticationController.php
+++ b/phpmyfaq/src/phpMyFAQ/Controller/Frontend/AuthenticationController.php
@@ -87,6 +87,7 @@ public function login(Request $request): Response
             'enableRegistration' => $this->configuration->get('security.enableRegistration'),
             'registerUser' => Translation::get(key: 'msgRegistration'),
             'useSignInWithMicrosoft' => $this->configuration->isSignInWithMicrosoftActive(),
+            'useSignInWithKeycloak' => $this->configuration->isSignInWithKeycloakActive(),
             'isWebAuthnEnabled' => $this->configuration->get('security.enableWebAuthnSupport'),
         ]);
     }
@@ -149,6 +150,13 @@ public function logout(Request $request): RedirectResponse
             return new RedirectResponse($this->configuration->getDefaultUrl() . 'auth/azure/logout');
         }
 
+        if (
+            $this->configuration->isSignInWithKeycloakActive()
+            && $this->currentUser->getUserAuthSource() === 'keycloak'
+        ) {
+            return new RedirectResponse($this->configuration->getDefaultUrl() . 'auth/keycloak/logout');
+        }
+
         return $redirectResponse;
     }
 
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/Frontend/AzureAuthenticationController.php b/phpmyfaq/src/phpMyFAQ/Controller/Frontend/AzureAuthenticationController.php
index 14b132e6e4..9bed7393d1 100644
--- a/phpmyfaq/src/phpMyFAQ/Controller/Frontend/AzureAuthenticationController.php
+++ b/phpmyfaq/src/phpMyFAQ/Controller/Frontend/AzureAuthenticationController.php
@@ -89,11 +89,18 @@ public function callback(Request $request): Response
 
         [$auth, $oAuth, $entraIdSession] = $this->buildAuthContext();
 
-        $code = Filter::filterVar($request->query->get('code'), FILTER_SANITIZE_SPECIAL_CHARS);
-        $error = Filter::filterVar($request->query->get('error_description'), FILTER_SANITIZE_SPECIAL_CHARS);
+        $code = Filter::filterVar($request->query->get('code'), FILTER_SANITIZE_SPECIAL_CHARS, '');
+        $errorParam = Filter::filterVar($request->query->get('error'), FILTER_SANITIZE_SPECIAL_CHARS, '');
+        $error = Filter::filterVar($request->query->get('error_description'), FILTER_SANITIZE_SPECIAL_CHARS, '');
 
-        if ($error !== '') {
-            return new Response($error);
+        if ($errorParam !== '' || $error !== '') {
+            $this->configuration
+                ->getLogger()
+                ->warning(sprintf(
+                    'Azure callback error: %s',
+                    trim($errorParam . ($error !== '' ? ': ' . $error : '')),
+                ));
+            return new RedirectResponse($this->configuration->getDefaultUrl());
         }
 
         $redirect = new RedirectResponse($this->configuration->getDefaultUrl());
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/Frontend/KeycloakAuthenticationController.php b/phpmyfaq/src/phpMyFAQ/Controller/Frontend/KeycloakAuthenticationController.php
new file mode 100644
index 0000000000..04e75cd983
--- /dev/null
+++ b/phpmyfaq/src/phpMyFAQ/Controller/Frontend/KeycloakAuthenticationController.php
@@ -0,0 +1,379 @@
+<?php
+
+/**
+ * Authentication Controller for Keycloak.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Controller\Frontend;
+
+use Closure;
+use Exception;
+use JsonException;
+use phpMyFAQ\Auth\AuthKeycloak;
+use phpMyFAQ\Auth\Keycloak\KeycloakProviderConfigFactory;
+use phpMyFAQ\Auth\Oidc\OidcClient;
+use phpMyFAQ\Auth\Oidc\OidcDiscoveryService;
+use phpMyFAQ\Auth\Oidc\OidcIdTokenValidator;
+use phpMyFAQ\Auth\Oidc\OidcPkceGenerator;
+use phpMyFAQ\Auth\Oidc\OidcSession;
+use phpMyFAQ\Enums\AuthenticationSourceType;
+use phpMyFAQ\Filter;
+use phpMyFAQ\User;
+use phpMyFAQ\User\CurrentUser;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Attribute\Route;
+
+final class KeycloakAuthenticationController extends AbstractFrontController
+{
+    private ?Closure $currentUserFactory = null;
+    private ?Closure $userFactory = null;
+
+    public function __construct(
+        private readonly KeycloakProviderConfigFactory $providerConfigFactory,
+        private readonly OidcDiscoveryService $discoveryService,
+        private readonly OidcPkceGenerator $pkceGenerator,
+        private readonly OidcSession $oidcSession,
+        private readonly OidcClient $oidcClient,
+        private readonly OidcIdTokenValidator $idTokenValidator,
+    ) {
+        parent::__construct();
+    }
+
+    public function setCurrentUserFactory(?Closure $currentUserFactory): self
+    {
+        $this->currentUserFactory = $currentUserFactory;
+        return $this;
+    }
+
+    public function setUserFactory(?Closure $userFactory): self
+    {
+        $this->userFactory = $userFactory;
+        return $this;
+    }
+
+    #[Route(path: '/auth/keycloak/authorize', name: 'public.keycloak.authorize', methods: ['GET'])]
+    public function authorize(): RedirectResponse
+    {
+        try {
+            $providerConfig = $this->providerConfigFactory->create();
+            if (!$providerConfig->enabled || $providerConfig->discoveryUrl === '') {
+                return new RedirectResponse($this->configuration->getDefaultUrl());
+            }
+
+            $discoveryDocument = $this->discoveryService->discover($providerConfig);
+            $state = bin2hex(random_bytes(16));
+            $nonce = bin2hex(random_bytes(16));
+            $verifier = $this->pkceGenerator->generateVerifier();
+            $challenge = $this->pkceGenerator->generateChallenge($verifier);
+
+            $this->oidcSession->setAuthorizationState($state, $nonce, $verifier);
+
+            return new RedirectResponse($this->oidcClient->buildAuthorizationUrl(
+                $providerConfig,
+                $discoveryDocument,
+                $state,
+                $nonce,
+                $challenge,
+            ));
+        } catch (Exception $exception) {
+            $this->configuration
+                ->getLogger()
+                ->info(sprintf(
+                    'Keycloak login failed: %s at line %d at %s',
+                    $exception->getMessage(),
+                    $exception->getLine(),
+                    $exception->getFile(),
+                ));
+
+            return new RedirectResponse($this->configuration->getDefaultUrl());
+        }
+    }
+
+    #[Route(path: '/auth/keycloak/logout', name: 'public.keycloak.logout', methods: ['GET'])]
+    public function logout(): RedirectResponse
+    {
+        $user = $this->getCurrentUserService();
+
+        try {
+            $providerConfig = $this->providerConfigFactory->create();
+            $idToken = $this->resolveLogoutIdToken($user);
+
+            $user->deleteFromSession();
+            $this->oidcSession->clearIdToken();
+
+            if (!$providerConfig->enabled || $providerConfig->discoveryUrl === '') {
+                return new RedirectResponse($this->configuration->getDefaultUrl());
+            }
+
+            $discoveryDocument = $this->discoveryService->discover($providerConfig);
+            $logoutUrl = $this->oidcClient->buildLogoutUrl($providerConfig, $discoveryDocument, $idToken);
+
+            return new RedirectResponse($logoutUrl ?? $this->configuration->getDefaultUrl());
+        } catch (Exception) {
+            $user->deleteFromSession();
+            $this->oidcSession->clearIdToken();
+            return new RedirectResponse($this->configuration->getDefaultUrl());
+        }
+    }
+
+    /**
+     * @throws Exception
+     */
+    #[Route(path: '/auth/keycloak/callback', name: 'public.keycloak.callback', methods: ['GET'])]
+    public function callback(Request $request): Response
+    {
+        $providerConfig = $this->providerConfigFactory->create();
+        if (!$providerConfig->enabled || $providerConfig->discoveryUrl === '') {
+            return new RedirectResponse($this->configuration->getDefaultUrl());
+        }
+
+        $code = Filter::filterVar($request->query->get('code'), FILTER_SANITIZE_SPECIAL_CHARS, '');
+        $state = Filter::filterVar($request->query->get('state'), FILTER_SANITIZE_SPECIAL_CHARS, '');
+        $error = Filter::filterVar($request->query->get('error_description'), FILTER_SANITIZE_SPECIAL_CHARS, '');
+
+        if ($error !== '') {
+            $this->configuration->getLogger()->warning(sprintf('Keycloak callback error: %s', $error));
+            return new RedirectResponse($this->configuration->getDefaultUrl());
+        }
+
+        $redirect = new RedirectResponse($this->configuration->getDefaultUrl());
+        $authorizationState = $this->oidcSession->getAuthorizationState();
+
+        if (
+            $code === ''
+            || $state === ''
+            || $authorizationState['state'] === ''
+            || !hash_equals($authorizationState['state'], $state)
+        ) {
+            $this->oidcSession->clearAuthorizationState();
+            return $redirect;
+        }
+
+        try {
+            $discoveryDocument = $this->discoveryService->discover($providerConfig);
+            $token = $this->oidcClient->exchangeAuthorizationCode(
+                $providerConfig,
+                $discoveryDocument,
+                $code,
+                $authorizationState['verifier'],
+            );
+            $idTokenClaims = $this->idTokenValidator->validate(
+                (string) ($token['id_token'] ?? ''),
+                $discoveryDocument,
+                $providerConfig->client->clientId,
+                $authorizationState['nonce'],
+            );
+            $claims = $this->oidcClient->fetchUserInfo($discoveryDocument, (string) $token['access_token']);
+
+            $idTokenSub = (string) ($idTokenClaims['sub'] ?? '');
+            $userInfoSub = (string) ($claims['sub'] ?? '');
+            if ($idTokenSub === '' || $userInfoSub === '' || !hash_equals($idTokenSub, $userInfoSub)) {
+                $this->configuration
+                    ->getLogger()
+                    ->warning('Keycloak subject mismatch between ID token and UserInfo; aborting login.');
+                $this->oidcSession->clearAuthorizationState();
+                return $redirect;
+            }
+
+            $login = $this->resolveLocalLogin($claims);
+            if ($login === '') {
+                $this->oidcSession->clearAuthorizationState();
+                return $redirect;
+            }
+            $auth = new AuthKeycloak($this->configuration, $providerConfig, $claims, $login, $this->userFactory);
+
+            if (!$auth->isValidLogin($login)) {
+                $this->configuration
+                    ->getLogger()
+                    ->warning(sprintf('Keycloak login not valid for user: %s', $this->maskLogin($login)));
+                $this->oidcSession->clearAuthorizationState();
+                return $redirect;
+            }
+
+            if (!$auth->checkCredentials($login, '')) {
+                $this->configuration
+                    ->getLogger()
+                    ->warning(sprintf('Keycloak credentials not valid for user: %s', $this->maskLogin($login)));
+                $this->oidcSession->clearAuthorizationState();
+                return $redirect;
+            }
+
+            $user = $this->getCurrentUserService();
+            if (!$user->getUserByLogin($login)) {
+                $this->configuration
+                    ->getLogger()
+                    ->warning(sprintf('Keycloak user lookup failed for login: %s', $this->maskLogin($login)));
+                $this->oidcSession->clearAuthorizationState();
+                return $redirect;
+            }
+
+            if (!$this->synchronizeKeycloakSubject($user, $claims)) {
+                $this->configuration
+                    ->getLogger()
+                    ->warning(sprintf('Keycloak subject mismatch for user: %s', $this->maskLogin($login)));
+                $this->oidcSession->clearAuthorizationState();
+                return $redirect;
+            }
+
+            $user->setLoggedIn(true);
+            $user->setAuthSource(AuthenticationSourceType::AUTH_KEYCLOAK->value);
+            $user->updateSessionId(true);
+            $user->saveToSession();
+            $user->setTokenData([
+                'refresh_token' => (string) ($token['refresh_token'] ?? ''),
+                'access_token' => (string) $token['access_token'],
+                'code_verifier' => $authorizationState['verifier'],
+                'jwt' => [
+                    'id_token' => (string) ($token['id_token'] ?? ''),
+                    'userinfo' => $claims,
+                ],
+            ]);
+            $user->setSuccess(true);
+            $this->oidcSession->clearAuthorizationState();
+            $this->oidcSession->setIdToken((string) ($token['id_token'] ?? ''));
+
+            return $redirect;
+        } catch (Exception $exception) {
+            $this->configuration->getLogger()->error(sprintf('Keycloak login failed: %s', $exception->getMessage()), [
+                'exception' => $exception,
+            ]);
+            $this->oidcSession->clearAuthorizationState();
+
+            return new RedirectResponse($this->configuration->getDefaultUrl());
+        }
+    }
+
+    /** @param array<string, mixed> $claims */
+    private function resolveLocalLogin(array $claims): string
+    {
+        $preferredUsername = trim((string) ($claims['preferred_username'] ?? ''));
+        $email = trim((string) ($claims['email'] ?? ''));
+        $subject = trim((string) ($claims['sub'] ?? ''));
+
+        if ($subject !== '') {
+            $user = $this->createUser();
+            $userId = $user->getUserIdByKeycloakSub($subject);
+            if ($userId > 0 && $user->getUserById($userId)) {
+                return $user->getLogin();
+            }
+        }
+
+        if ($preferredUsername !== '' && $this->createUser()->getUserByLogin($preferredUsername, false)) {
+            return $preferredUsername;
+        }
+
+        if ($email !== '') {
+            $user = $this->createUser();
+            $userId = $user->getUserIdByEmail($email);
+            if ($userId > 0 && $user->getUserById($userId)) {
+                return $user->getLogin();
+            }
+        }
+
+        if ($preferredUsername !== '') {
+            return $preferredUsername;
+        }
+
+        if ($email !== '') {
+            return $email;
+        }
+
+        $this->configuration
+            ->getLogger()
+            ->warning(
+                'Keycloak login rejected: claims are missing both preferred_username and email; refusing to auto-provision the sub.',
+            );
+
+        return '';
+    }
+
+    private function maskLogin(string $login): string
+    {
+        $login = trim($login);
+        if ($login === '') {
+            return '<empty>';
+        }
+
+        $secret = (string) $this->configuration->get('security.salt');
+
+        return 'hmac:' . substr(hash_hmac('sha256', $login, $secret), 0, 12);
+    }
+
+    /** @param array<string, mixed> $claims */
+    private function synchronizeKeycloakSubject(CurrentUser $user, array $claims): bool
+    {
+        $subject = trim((string) ($claims['sub'] ?? ''));
+        if ($subject === '') {
+            return true;
+        }
+
+        $linkedSubject = trim((string) $user->getUserData('keycloak_sub'));
+        if ($linkedSubject !== '' && !hash_equals($linkedSubject, $subject)) {
+            return false;
+        }
+
+        if ($linkedSubject === '') {
+            return $user->setUserData(['keycloak_sub' => $subject]);
+        }
+
+        return true;
+    }
+
+    private function resolveLogoutIdToken(CurrentUser $user): string
+    {
+        $idToken = trim($this->oidcSession->getIdToken());
+        if ($idToken !== '') {
+            return $idToken;
+        }
+
+        $jwtPayload = trim((string) $user->getUserData('jwt'));
+        if ($jwtPayload === '') {
+            return '';
+        }
+
+        try {
+            $jwt = json_decode($jwtPayload, true, 512, JSON_THROW_ON_ERROR);
+        } catch (JsonException) {
+            return '';
+        }
+
+        if (!is_array($jwt)) {
+            return '';
+        }
+
+        return trim((string) ($jwt['id_token'] ?? ''));
+    }
+
+    private function getCurrentUserService(): CurrentUser
+    {
+        if ($this->currentUserFactory instanceof Closure) {
+            return ($this->currentUserFactory)();
+        }
+
+        return $this->currentUser;
+    }
+
+    private function createUser(): User
+    {
+        if ($this->userFactory instanceof Closure) {
+            return ($this->userFactory)();
+        }
+
+        return new User($this->configuration);
+    }
+}
diff --git a/phpmyfaq/src/phpMyFAQ/Enums/AuthenticationSourceType.php b/phpmyfaq/src/phpMyFAQ/Enums/AuthenticationSourceType.php
index 97fd29ac18..751ad3b881 100644
--- a/phpmyfaq/src/phpMyFAQ/Enums/AuthenticationSourceType.php
+++ b/phpmyfaq/src/phpMyFAQ/Enums/AuthenticationSourceType.php
@@ -23,6 +23,7 @@ enum AuthenticationSourceType: string
 {
     case AUTH_LOCAL = 'local';
     case AUTH_AZURE = 'azure';
+    case AUTH_KEYCLOAK = 'keycloak';
     case AUTH_LDAP = 'ldap';
     case AUTH_HTTP = 'http';
     case AUTH_SSO = 'sso';
diff --git a/phpmyfaq/src/phpMyFAQ/Instance/Database/Mysqli.php b/phpmyfaq/src/phpMyFAQ/Instance/Database/Mysqli.php
index 83755df741..39441e780c 100644
--- a/phpmyfaq/src/phpMyFAQ/Instance/Database/Mysqli.php
+++ b/phpmyfaq/src/phpMyFAQ/Instance/Database/Mysqli.php
@@ -340,6 +340,7 @@ class Mysqli extends Database implements DriverInterface
             last_modified VARCHAR(14) NULL,
             display_name VARCHAR(128) NULL,
             email VARCHAR(128) NULL,
+            keycloak_sub VARCHAR(255) NULL,
             is_visible INT(1) NULL DEFAULT 0,
             twofactor_enabled INT(1) NULL DEFAULT 0,
             secret VARCHAR(128) NULL DEFAULT NULL)',
diff --git a/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoMysql.php b/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoMysql.php
index 4cda8fcc24..348ec549fe 100644
--- a/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoMysql.php
+++ b/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoMysql.php
@@ -339,6 +339,7 @@ class PdoMysql extends Database implements DriverInterface
             last_modified VARCHAR(14) NULL,
             display_name VARCHAR(128) NULL,
             email VARCHAR(128) NULL,
+            keycloak_sub VARCHAR(255) NULL,
             is_visible INT(1) NULL DEFAULT 0,
             twofactor_enabled INT(1) NULL DEFAULT 0,
             secret VARCHAR(128) NULL DEFAULT NULL)',
diff --git a/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoPgsql.php b/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoPgsql.php
index 2a814e0abb..728b919628 100644
--- a/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoPgsql.php
+++ b/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoPgsql.php
@@ -331,6 +331,7 @@ class PdoPgsql extends Database implements DriverInterface
             last_modified VARCHAR(14) NULL,
             display_name VARCHAR(128) NULL,
             email VARCHAR(128) NULL,
+            keycloak_sub VARCHAR(255) NULL,
             is_visible SMALLINT NULL DEFAULT 0,
             twofactor_enabled SMALLINT NULL DEFAULT 0,
             secret VARCHAR(128) NULL DEFAULT NULL)',
diff --git a/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoSqlite.php b/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoSqlite.php
index d2a710ba1b..17d045edcc 100644
--- a/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoSqlite.php
+++ b/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoSqlite.php
@@ -329,6 +329,7 @@ class PdoSqlite extends Database implements DriverInterface
             last_modified VARCHAR(14) NULL,
             display_name VARCHAR(128) NULL,
             email VARCHAR(128) NULL,
+            keycloak_sub VARCHAR(255) NULL,
             is_visible INT(1) NULL DEFAULT 0,
             twofactor_enabled INT(1) NULL DEFAULT 0,
             secret VARCHAR(128) NULL DEFAULT NULL)',
diff --git a/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoSqlsrv.php b/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoSqlsrv.php
index f0ba5d6096..2195662e39 100644
--- a/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoSqlsrv.php
+++ b/phpmyfaq/src/phpMyFAQ/Instance/Database/PdoSqlsrv.php
@@ -329,6 +329,7 @@ class PdoSqlsrv extends Database implements DriverInterface
             last_modified NVARCHAR(14) NULL,
             display_name NVARCHAR(128) NULL,
             email NVARCHAR(128) NULL,
+            keycloak_sub NVARCHAR(255) NULL,
             is_visible INTEGER NULL DEFAULT 0,
             twofactor_enabled INTEGER NULL DEFAULT 0,
             secret NVARCHAR(128) NULL DEFAULT NULL)',
diff --git a/phpmyfaq/src/phpMyFAQ/Instance/Database/Pgsql.php b/phpmyfaq/src/phpMyFAQ/Instance/Database/Pgsql.php
index d51bb88c19..c8061147cc 100644
--- a/phpmyfaq/src/phpMyFAQ/Instance/Database/Pgsql.php
+++ b/phpmyfaq/src/phpMyFAQ/Instance/Database/Pgsql.php
@@ -332,6 +332,7 @@ class Pgsql extends Database implements DriverInterface
             last_modified VARCHAR(14) NULL,
             display_name VARCHAR(128) NULL,
             email VARCHAR(128) NULL,
+            keycloak_sub VARCHAR(255) NULL,
             is_visible SMALLINT NULL DEFAULT 0,
             twofactor_enabled SMALLINT NULL DEFAULT 0,
             secret VARCHAR(128) NULL DEFAULT NULL)',
diff --git a/phpmyfaq/src/phpMyFAQ/Instance/Database/Sqlite3.php b/phpmyfaq/src/phpMyFAQ/Instance/Database/Sqlite3.php
index b90e82d13e..bc2901e31b 100644
--- a/phpmyfaq/src/phpMyFAQ/Instance/Database/Sqlite3.php
+++ b/phpmyfaq/src/phpMyFAQ/Instance/Database/Sqlite3.php
@@ -330,6 +330,7 @@ class Sqlite3 extends Database implements DriverInterface
             last_modified VARCHAR(14) NULL,
             display_name VARCHAR(128) NULL,
             email VARCHAR(128) NULL,
+            keycloak_sub VARCHAR(255) NULL,
             is_visible INT(1) NULL DEFAULT 0,
             twofactor_enabled INT(1) NULL DEFAULT 0,
             secret VARCHAR(128) NULL DEFAULT NULL)',
diff --git a/phpmyfaq/src/phpMyFAQ/Instance/Database/Sqlsrv.php b/phpmyfaq/src/phpMyFAQ/Instance/Database/Sqlsrv.php
index 276662cb06..baf5705279 100644
--- a/phpmyfaq/src/phpMyFAQ/Instance/Database/Sqlsrv.php
+++ b/phpmyfaq/src/phpMyFAQ/Instance/Database/Sqlsrv.php
@@ -330,6 +330,7 @@ class Sqlsrv extends Database implements DriverInterface
             last_modified NVARCHAR(14) NULL,
             display_name NVARCHAR(128) NULL,
             email NVARCHAR(128) NULL,
+            keycloak_sub NVARCHAR(255) NULL,
             is_visible INTEGER NULL DEFAULT 0,
             twofactor_enabled INTEGER NULL DEFAULT 0,
             secret NVARCHAR(128) NULL DEFAULT NULL)',
diff --git a/phpmyfaq/src/phpMyFAQ/Permission/MediumPermission.php b/phpmyfaq/src/phpMyFAQ/Permission/MediumPermission.php
index 900f41b16c..74f4f70f96 100644
--- a/phpmyfaq/src/phpMyFAQ/Permission/MediumPermission.php
+++ b/phpmyfaq/src/phpMyFAQ/Permission/MediumPermission.php
@@ -426,6 +426,21 @@ public function removeFromAllGroups(int $userId): bool
         return $this->mediumRepository->removeFromAllGroups($userId);
     }
 
+    /**
+     * Removes a user from a single group.
+     *
+     * @param int $userId User ID
+     * @param int $groupId Group ID
+     */
+    public function removeFromGroup(int $userId, int $groupId): bool
+    {
+        if ($userId <= 0 || $groupId <= 0) {
+            return false;
+        }
+
+        return $this->mediumRepository->removeFromGroup($userId, $groupId);
+    }
+
     /**
      * Refuses all group rights.
      * Returns true for success, otherwise false.
diff --git a/phpmyfaq/src/phpMyFAQ/Permission/MediumPermissionRepository.php b/phpmyfaq/src/phpMyFAQ/Permission/MediumPermissionRepository.php
index 75e13cb905..7e288eb706 100644
--- a/phpmyfaq/src/phpMyFAQ/Permission/MediumPermissionRepository.php
+++ b/phpmyfaq/src/phpMyFAQ/Permission/MediumPermissionRepository.php
@@ -507,6 +507,28 @@ public function addToGroup(int $userId, int $groupId): bool
         return (bool) $this->configuration->getDb()->query($insert);
     }
 
+    /**
+     * Removes a user from a single group.
+     *
+     * @param int $userId User ID
+     * @param int $groupId Group ID
+     */
+    public function removeFromGroup(int $userId, int $groupId): bool
+    {
+        if ($userId <= 0 || $groupId <= 0) {
+            return false;
+        }
+
+        $delete = sprintf(
+            'DELETE FROM %sfaquser_group WHERE user_id = %d AND group_id = %d',
+            Database::getTablePrefix(),
+            $userId,
+            $groupId,
+        );
+
+        return (bool) $this->configuration->getDb()->query($delete);
+    }
+
     /**
      * Returns an associative array with the group-data of the group $groupId.
      *
diff --git a/phpmyfaq/src/phpMyFAQ/Setup/Installation/DatabaseSchema.php b/phpmyfaq/src/phpMyFAQ/Setup/Installation/DatabaseSchema.php
index 5dd1ba5302..83fad187f7 100644
--- a/phpmyfaq/src/phpMyFAQ/Setup/Installation/DatabaseSchema.php
+++ b/phpmyfaq/src/phpMyFAQ/Setup/Installation/DatabaseSchema.php
@@ -691,6 +691,7 @@ public function faquserdata(): TableBuilder
             ->varchar('last_modified', 14)
             ->varchar('display_name', 128)
             ->varchar('email', 128)
+            ->varchar('keycloak_sub', 255)
             ->smallInteger('is_visible', true, 0)
             ->smallInteger('twofactor_enabled', true, 0)
             ->varchar('secret', 128);
diff --git a/phpmyfaq/src/phpMyFAQ/Setup/Installation/DefaultDataSeeder.php b/phpmyfaq/src/phpMyFAQ/Setup/Installation/DefaultDataSeeder.php
index 87eab40244..ca7d461394 100644
--- a/phpmyfaq/src/phpMyFAQ/Setup/Installation/DefaultDataSeeder.php
+++ b/phpmyfaq/src/phpMyFAQ/Setup/Installation/DefaultDataSeeder.php
@@ -206,6 +206,18 @@ private static function buildDefaultConfig(): array
             'security.loginWithEmailAddress' => 'false',
             'security.enableWebAuthnSupport' => 'false',
             'security.enableAdminSessionTimeoutCounter' => 'true',
+            'keycloak.enable' => 'false',
+            'keycloak.baseUrl' => '',
+            'keycloak.realm' => '',
+            'keycloak.clientId' => '',
+            'keycloak.clientSecret' => '',
+            'keycloak.redirectUri' => '',
+            'keycloak.scopes' => 'openid profile email',
+            'keycloak.autoProvision' => 'false',
+            'keycloak.groupAutoAssign' => 'false',
+            'keycloak.groupSyncOnLogin' => 'false',
+            'keycloak.groupMapping' => '',
+            'keycloak.logoutRedirectUrl' => '',
             'spam.checkBannedWords' => 'true',
             'spam.enableCaptchaCode' => null,
             'spam.enableSafeEmail' => 'true',
diff --git a/phpmyfaq/src/phpMyFAQ/Setup/Migration/AbstractMigration.php b/phpmyfaq/src/phpMyFAQ/Setup/Migration/AbstractMigration.php
index 5994d9d497..12f6402c9e 100644
--- a/phpmyfaq/src/phpMyFAQ/Setup/Migration/AbstractMigration.php
+++ b/phpmyfaq/src/phpMyFAQ/Setup/Migration/AbstractMigration.php
@@ -169,8 +169,10 @@ protected function createIndex(string $table, string $indexName, string|array $c
 
         if ($this->isSqlServer()) {
             return sprintf(
-                "IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = '%s') " . 'CREATE INDEX %s ON %s (%s)',
+                "IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = '%s' AND object_id = OBJECT_ID('%s')) "
+                . 'CREATE INDEX %s ON %s (%s)',
                 $indexName,
+                $tableName,
                 $indexName,
                 $tableName,
                 $columnList,
@@ -187,6 +189,45 @@ protected function createIndex(string $table, string $indexName, string|array $c
         return sprintf('CREATE INDEX IF NOT EXISTS %s ON %s (%s)', $indexName, $tableName, $columnList);
     }
 
+    /**
+     * Helper to create a UNIQUE index.
+     *
+     * On SQL Server, NULLs are treated as equal in unique indexes, so a filtered
+     * index is emitted to allow multiple NULL values. MySQL/MariaDB, PostgreSQL
+     * and SQLite already treat NULLs as distinct in unique indexes.
+     *
+     * @param string|string[] $columns
+     */
+    protected function createUniqueIndex(string $table, string $indexName, string|array $columns): string
+    {
+        $tableName = $this->table($table);
+        $columns = (array) $columns;
+        $columnList = implode(', ', $columns);
+
+        if ($this->isSqlServer()) {
+            $whereClause = implode(' AND ', array_map(static fn(string $col): string => sprintf(
+                '%s IS NOT NULL',
+                $col,
+            ), $columns));
+            return sprintf(
+                "IF NOT EXISTS (SELECT * FROM sys.indexes WHERE name = '%s' AND object_id = OBJECT_ID('%s')) "
+                . 'CREATE UNIQUE INDEX %s ON %s (%s) WHERE %s',
+                $indexName,
+                $tableName,
+                $indexName,
+                $tableName,
+                $columnList,
+                $whereClause,
+            );
+        }
+
+        if ($this->isMySql()) {
+            return sprintf('CREATE UNIQUE INDEX %s ON %s (%s)', $indexName, $tableName, $columnList);
+        }
+
+        return sprintf('CREATE UNIQUE INDEX IF NOT EXISTS %s ON %s (%s)', $indexName, $tableName, $columnList);
+    }
+
     /**
      * Helper to check if an index exists.
      * Returns a SQL query that checks for index existence.
diff --git a/phpmyfaq/src/phpMyFAQ/Setup/Migration/Versions/Migration420Alpha.php b/phpmyfaq/src/phpMyFAQ/Setup/Migration/Versions/Migration420Alpha.php
index bf554ff180..1e529c7965 100644
--- a/phpmyfaq/src/phpMyFAQ/Setup/Migration/Versions/Migration420Alpha.php
+++ b/phpmyfaq/src/phpMyFAQ/Setup/Migration/Versions/Migration420Alpha.php
@@ -37,7 +37,7 @@ public function getDependencies(): array
 
     public function getDescription(): string
     {
-        return 'Admin log hash columns, custom pages, chat messages, translation config, API rate limiting, queue jobs, mail provider config, API keys, OAuth2 tables';
+        return 'Admin log hash columns, custom pages, chat messages, translation config, API rate limiting, queue jobs, mail provider config, API keys, OAuth2 tables, Keycloak subject storage';
     }
 
     public function up(OperationRecorder $recorder): void
@@ -218,6 +218,19 @@ public function up(OperationRecorder $recorder): void
         $recorder->addConfig('api.onlyPublicQuestions', 'true');
         $recorder->addConfig('api.ignoreOrphanedFaqs', 'true');
         $recorder->addConfig('api.rateLimit.requests', '100');
+
+        // Add durable Keycloak subject storage to user data
+        $columnType = $this->isSqlServer() ? 'NVARCHAR(255) NULL' : 'VARCHAR(255) NULL';
+
+        $recorder->addSql(
+            $this->addColumn('faquserdata', 'keycloak_sub', $columnType),
+            'Add keycloak_sub column to faquserdata',
+        );
+
+        $recorder->addSql(
+            $this->createUniqueIndex('faquserdata', 'idx_faquserdata_keycloak_sub', 'keycloak_sub'),
+            'Create unique keycloak_sub index on faquserdata',
+        );
         $recorder->addConfig('api.rateLimit.interval', '3600');
         $recorder->addConfig('queue.transport', 'database');
         $recorder->addConfig('session.handler', 'files');
@@ -801,6 +814,20 @@ public function up(OperationRecorder $recorder): void
         $recorder->addConfig('oauth2.refreshTokenTTL', 'P1M');
         $recorder->addConfig('oauth2.authCodeTTL', 'PT10M');
 
+        // Keycloak configuration entries
+        $recorder->addConfig('keycloak.enable', 'false');
+        $recorder->addConfig('keycloak.baseUrl', '');
+        $recorder->addConfig('keycloak.realm', '');
+        $recorder->addConfig('keycloak.clientId', '');
+        $recorder->addConfig('keycloak.clientSecret', '');
+        $recorder->addConfig('keycloak.redirectUri', '');
+        $recorder->addConfig('keycloak.scopes', 'openid profile email');
+        $recorder->addConfig('keycloak.autoProvision', 'false');
+        $recorder->addConfig('keycloak.groupAutoAssign', 'false');
+        $recorder->addConfig('keycloak.groupSyncOnLogin', 'false');
+        $recorder->addConfig('keycloak.groupMapping', '');
+        $recorder->addConfig('keycloak.logoutRedirectUrl', '');
+
         // Recent news widget
         $recorder->addConfig('main.enableRecentNews', 'true');
 
diff --git a/phpmyfaq/src/phpMyFAQ/User.php b/phpmyfaq/src/phpMyFAQ/User.php
index f3f569d2f6..982a3604c8 100644
--- a/phpmyfaq/src/phpMyFAQ/User.php
+++ b/phpmyfaq/src/phpMyFAQ/User.php
@@ -810,6 +810,24 @@ public function getUserIdByEmail(string $email): int
         return $userData['user_id'];
     }
 
+    /**
+     * Returns the user ID from the given Keycloak subject.
+     */
+    public function getUserIdByKeycloakSub(string $keycloakSub): int
+    {
+        if (!$this->userdata instanceof UserData) {
+            $this->userdata = new UserData($this->configuration);
+        }
+
+        $userData = $this->userdata->fetchAll('keycloak_sub', $keycloakSub);
+
+        if (!is_array($userData) || !isset($userData['user_id'])) {
+            return 0;
+        }
+
+        return (int) $userData['user_id'];
+    }
+
     /**
      * Returns true or false for the visibility for the given email
      * address, if the user is not a registered user, the method
diff --git a/phpmyfaq/src/phpMyFAQ/User/UserData.php b/phpmyfaq/src/phpMyFAQ/User/UserData.php
index 2373daf2de..3c0b7560fd 100644
--- a/phpmyfaq/src/phpMyFAQ/User/UserData.php
+++ b/phpmyfaq/src/phpMyFAQ/User/UserData.php
@@ -73,7 +73,24 @@ public function get(mixed $field): mixed
             $this->userId,
         );
 
-        $res = $this->configuration->getDb()->query($select);
+        try {
+            $res = $this->configuration->getDb()->query($select);
+        } catch (\Throwable) {
+            if ($singleReturn && $field === 'keycloak_sub') {
+                return '';
+            }
+
+            return false;
+        }
+
+        if ($res === false) {
+            if ($singleReturn && $field === 'keycloak_sub') {
+                return '';
+            }
+
+            return false;
+        }
+
         if ($this->configuration->getDb()->numRows($res) !== 1) {
             return false;
         }
@@ -81,7 +98,7 @@ public function get(mixed $field): mixed
         $array = $this->configuration->getDb()->fetchArray($res);
 
         // Decode HTML entities in display_name for backward compatibility
-        if (array_key_exists('display_name', $array)) {
+        if (array_key_exists('display_name', $array) && is_string($array['display_name'])) {
             $array['display_name'] = html_entity_decode(
                 $array['display_name'],
                 ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE,
@@ -89,7 +106,14 @@ public function get(mixed $field): mixed
             );
         }
 
-        return $singleReturn && $field !== '*' ? $array[$field] : $array;
+        if ($singleReturn && $field !== '*') {
+            return match ($field) {
+                'display_name', 'email', 'keycloak_sub', 'secret' => (string) ($array[$field] ?? ''),
+                default => $array[$field] ?? null,
+            };
+        }
+
+        return $array;
     }
 
     /**
@@ -123,19 +147,39 @@ public function fetchAll(string $key, string $value): array
     {
         $select = sprintf(
             "SELECT 
-                user_id, last_modified, display_name, email, is_visible, twofactor_enabled, secret 
+                user_id, last_modified, display_name, email, keycloak_sub, is_visible, twofactor_enabled, secret 
             FROM %sfaquserdata WHERE %s = '%s'",
             Database::getTablePrefix(),
             $key,
             $this->configuration->getDb()->escape($value),
         );
 
-        $res = $this->configuration->getDb()->query($select);
+        try {
+            $res = $this->configuration->getDb()->query($select);
+        } catch (\Throwable) {
+            $res = false;
+        }
+
+        if ($res === false) {
+            $select = sprintf(
+                "SELECT 
+                    user_id, last_modified, display_name, email, is_visible, twofactor_enabled, secret 
+                FROM %sfaquserdata WHERE %s = '%s'",
+                Database::getTablePrefix(),
+                $key,
+                $this->configuration->getDb()->escape($value),
+            );
+            $res = $this->configuration->getDb()->query($select);
+        }
+
         if ($this->configuration->getDb()->numRows($res) !== 1) {
             return ['user_id' => -1];
         }
 
-        return $this->data = $this->configuration->getDb()->fetchArray($res);
+        $this->data = $this->configuration->getDb()->fetchArray($res);
+        $this->data['keycloak_sub'] ??= '';
+
+        return $this->data;
     }
 
     /**
@@ -188,6 +232,7 @@ public function load(int $userId): bool
                 last_modified, 
                 display_name, 
                 email,
+                keycloak_sub,
                 is_visible,
                 twofactor_enabled, 
                 secret
@@ -196,12 +241,34 @@ public function load(int $userId): bool
             WHERE
                 user_id = %d', Database::getTablePrefix(), $this->userId);
 
-        $res = $this->configuration->getDb()->query($select);
+        try {
+            $res = $this->configuration->getDb()->query($select);
+        } catch (\Throwable) {
+            $res = false;
+        }
+
+        if ($res === false) {
+            $select = sprintf('
+            SELECT
+                last_modified, 
+                display_name, 
+                email,
+                is_visible,
+                twofactor_enabled, 
+                secret
+            FROM
+                %sfaquserdata
+            WHERE
+                user_id = %d', Database::getTablePrefix(), $this->userId);
+            $res = $this->configuration->getDb()->query($select);
+        }
+
         if ($this->configuration->getDb()->numRows($res) !== 1) {
             return false;
         }
 
         $this->data = $this->configuration->getDb()->fetchArray($res);
+        $this->data['keycloak_sub'] ??= '';
 
         return true;
     }
@@ -212,6 +279,11 @@ public function load(int $userId): bool
      */
     public function save(): bool
     {
+        $keycloakSubRaw = $this->data['keycloak_sub'] ?? null;
+        $keycloakSubValue = is_string($keycloakSubRaw) && trim($keycloakSubRaw) !== ''
+            ? "'" . $this->configuration->getDb()->escape($keycloakSubRaw) . "'"
+            : 'NULL';
+
         $update = sprintf(
             "
             UPDATE
@@ -220,6 +292,7 @@ public function save(): bool
                 last_modified = '%s',
                 display_name = '%s',
                 email = '%s',
+                keycloak_sub = %s,
                 is_visible = %d,
                 twofactor_enabled = %d,
                 secret = '%s'
@@ -229,13 +302,50 @@ public function save(): bool
             date(format: 'YmdHis', timestamp: Request::createFromGlobals()->server->get('REQUEST_TIME')),
             $this->configuration->getDb()->escape((string) ($this->data['display_name'] ?? '')),
             $this->configuration->getDb()->escape((string) ($this->data['email'] ?? '')),
+            $keycloakSubValue,
             $this->data['is_visible'] ?? 0,
             $this->data['twofactor_enabled'] ?? 0,
             $this->data['secret'] ?? '',
             $this->userId,
         );
 
-        $res = $this->configuration->getDb()->query($update);
+        try {
+            $res = $this->configuration->getDb()->query($update);
+        } catch (\Throwable) {
+            $res = false;
+        }
+
+        if ($res === false) {
+            if (array_key_exists('keycloak_sub', $this->data)) {
+                return false;
+            }
+
+            $update = sprintf(
+                "
+            UPDATE
+                %sfaquserdata
+            SET
+                last_modified = '%s',
+                display_name = '%s',
+                email = '%s',
+                is_visible = %d,
+                twofactor_enabled = %d,
+                secret = '%s'
+            WHERE
+                user_id = %d",
+                Database::getTablePrefix(),
+                date(format: 'YmdHis', timestamp: Request::createFromGlobals()->server->get('REQUEST_TIME')),
+                $this->configuration->getDb()->escape((string) ($this->data['display_name'] ?? '')),
+                $this->configuration->getDb()->escape((string) ($this->data['email'] ?? '')),
+                $this->data['is_visible'] ?? 0,
+                $this->data['twofactor_enabled'] ?? 0,
+                $this->data['secret'] ?? '',
+                $this->userId,
+            );
+
+            $res = $this->configuration->getDb()->query($update);
+        }
+
         return (bool) $res;
     }
 
diff --git a/phpmyfaq/src/services.php b/phpmyfaq/src/services.php
index fe6bbf7165..d6dfd100dd 100644
--- a/phpmyfaq/src/services.php
+++ b/phpmyfaq/src/services.php
@@ -33,6 +33,13 @@
 use phpMyFAQ\Auth as LegacyAuth;
 use phpMyFAQ\Auth\ApiKeyAuthenticator;
 use phpMyFAQ\Auth\AuthChain;
+use phpMyFAQ\Auth\Keycloak\KeycloakProviderConfigFactory;
+use phpMyFAQ\Auth\Oidc\OidcClient;
+use phpMyFAQ\Auth\Oidc\OidcDiscoveryService;
+use phpMyFAQ\Auth\Oidc\OidcIdTokenValidator;
+use phpMyFAQ\Auth\Oidc\OidcPkceGenerator;
+use phpMyFAQ\Auth\Oidc\OidcProviderConfig;
+use phpMyFAQ\Auth\Oidc\OidcSession;
 use phpMyFAQ\Auth\OAuth2\Repository\AccessTokenRepository;
 use phpMyFAQ\Auth\OAuth2\Repository\AuthCodeRepository;
 use phpMyFAQ\Auth\OAuth2\Repository\ClientRepository;
@@ -113,6 +120,7 @@
 use phpMyFAQ\Controller\Frontend\CustomPageController as FrontendCustomPageController;
 use phpMyFAQ\Controller\Frontend\FaqController as FrontendFaqController;
 use phpMyFAQ\Controller\Frontend\GlossaryController as FrontendGlossaryController;
+use phpMyFAQ\Controller\Frontend\KeycloakAuthenticationController as FrontendKeycloakAuthenticationController;
 use phpMyFAQ\Controller\Frontend\NewsController as FrontendNewsController;
 use phpMyFAQ\Controller\Frontend\OAuthDiscoveryController as FrontendOAuthDiscoveryController;
 use phpMyFAQ\Controller\Frontend\OverviewController as FrontendOverviewController;
@@ -299,6 +307,26 @@
     $services->set('phpmyfaq.auth.api-key-authenticator', ApiKeyAuthenticator::class)->args([
         service('phpmyfaq.configuration'),
     ]);
+    $services->set('phpmyfaq.auth.oidc.client', OidcClient::class)->args([
+        service('phpmyfaq.http-client'),
+    ]);
+    $services->set('phpmyfaq.auth.oidc.discovery-service', OidcDiscoveryService::class)->args([
+        service('phpmyfaq.http-client'),
+    ]);
+    $services->set('phpmyfaq.auth.oidc.id-token-validator', OidcIdTokenValidator::class)->args([
+        service('phpmyfaq.http-client'),
+    ]);
+    $services->set('phpmyfaq.auth.oidc.pkce-generator', OidcPkceGenerator::class);
+    $services->set('phpmyfaq.auth.oidc.session', OidcSession::class)->args([
+        service('session'),
+    ]);
+    $services->set('phpmyfaq.auth.keycloak.provider-config-factory', KeycloakProviderConfigFactory::class)->args([
+        service('phpmyfaq.configuration'),
+    ]);
+    $services->set('phpmyfaq.auth.keycloak.provider-config', OidcProviderConfig::class)->factory([
+        service('phpmyfaq.auth.keycloak.provider-config-factory'),
+        'create',
+    ]);
     $services->set('phpmyfaq.auth.chain', AuthChain::class)->args([
         service('phpmyfaq.user.current_user'),
         service('phpmyfaq.auth.api-key-authenticator'),
@@ -921,6 +949,14 @@
         service('phpmyfaq.user.two-factor'),
     ]);
     $services->set(FrontendAzureAuthenticationController::class, FrontendAzureAuthenticationController::class);
+    $services->set(FrontendKeycloakAuthenticationController::class, FrontendKeycloakAuthenticationController::class)->args([
+        service('phpmyfaq.auth.keycloak.provider-config-factory'),
+        service('phpmyfaq.auth.oidc.discovery-service'),
+        service('phpmyfaq.auth.oidc.pkce-generator'),
+        service('phpmyfaq.auth.oidc.session'),
+        service('phpmyfaq.auth.oidc.client'),
+        service('phpmyfaq.auth.oidc.id-token-validator'),
+    ]);
     $services->set(FrontendCategoryController::class, FrontendCategoryController::class)->args([
         service('phpmyfaq.user.session'),
         service('phpmyfaq.category'),
diff --git a/phpmyfaq/translations/language_de.php b/phpmyfaq/translations/language_de.php
index 4fa7973fa2..87d4c1c3a4 100755
--- a/phpmyfaq/translations/language_de.php
+++ b/phpmyfaq/translations/language_de.php
@@ -1224,7 +1224,9 @@
 
 // added v3.2.0-alpha - 2022-09-10 by Thorsten
 $PMF_LANG['msgSignInWithMicrosoft'] = 'Mit Microsoft anmelden';
+$PMF_LANG['msgSignInWithKeycloak'] = 'Mit Keycloak anmelden';
 $LANG_CONF['security.enableSignInWithMicrosoft'] = ['checkbox', 'Aktiviere Anmeldung mit Microsoft Entra ID'];
+$PMF_LANG['keycloakControlCenter'] = 'Keycloak';
 $LANG_CONF['main.enableAskQuestions'] = ['checkbox', 'Aktiviere "Frage stellen"'];
 $LANG_CONF['main.enableNotifications'] = ['checkbox', 'Aktiviere Benachrichtigungen'];
 $LANG_CONF['mail.sendTestEmail'] = ['button', 'Test-E-Mail an den Administrator über SMTP'];
@@ -1692,6 +1694,18 @@
 $LANG_CONF['oauth2.accessTokenTTL'] = ['input', 'Access-Token-TTL', 'ISO-8601-Dauer, z.B. PT1H'];
 $LANG_CONF['oauth2.refreshTokenTTL'] = ['input', 'Refresh-Token-TTL', 'ISO-8601-Dauer, z.B. P1M'];
 $LANG_CONF['oauth2.authCodeTTL'] = ['input', 'Autorisierungscode-TTL', 'ISO-8601-Dauer, z.B. PT10M'];
+$LANG_CONF['keycloak.enable'] = ['checkbox', 'Keycloak-Anmeldung aktivieren'];
+$LANG_CONF['keycloak.baseUrl'] = ['input', 'Keycloak-Basis-URL', 'Basis-URL des Keycloak-Servers, z.B. https://sso.example.com'];
+$LANG_CONF['keycloak.realm'] = ['input', 'Realm', 'Keycloak-Realm für die phpMyFAQ-Authentifizierung'];
+$LANG_CONF['keycloak.clientId'] = ['input', 'Client-ID', 'In Keycloak konfigurierte OIDC-Client-ID'];
+$LANG_CONF['keycloak.clientSecret'] = ['password', 'Client-Secret'];
+$LANG_CONF['keycloak.redirectUri'] = ['input', 'Redirect-URI', 'Im Keycloak-Client registrierte Callback-URL'];
+$LANG_CONF['keycloak.scopes'] = ['input', 'Scopes', 'Leerzeichengetrennte Scopes, z.B. openid profile email'];
+$LANG_CONF['keycloak.autoProvision'] = ['checkbox', 'phpMyFAQ-Benutzer beim ersten Keycloak-Login automatisch anlegen'];
+$LANG_CONF['keycloak.groupAutoAssign'] = ['checkbox', 'phpMyFAQ-Gruppen automatisch aus Keycloak-Rollen zuweisen'];
+$LANG_CONF['keycloak.groupSyncOnLogin'] = ['checkbox', 'Zugeordnete phpMyFAQ-Gruppen beim Login synchronisieren', 'Wenn aktiviert, entfernt phpMyFAQ beim Login veraltete Mitgliedschaften für Gruppen, die durch die Keycloak-Rollenzuordnung verwaltet werden'];
+$LANG_CONF['keycloak.groupMapping'] = ['input', 'Rollen-zu-Gruppen-Zuordnung', 'JSON-Objekt zur Abbildung von Keycloak-Rollen auf phpMyFAQ-Gruppennamen, z.B. {"admin":"Administratoren"}'];
+$LANG_CONF['keycloak.logoutRedirectUrl'] = ['input', 'Logout-Redirect-URL', 'URL für die Weiterleitung nach dem Keycloak-Logout'];
 
 $LANG_CONF['mail.provider'] = ['select', 'E-Mail-Anbieter'];
 $LANG_CONF['mail.sendgridApiKey'] = ['password', 'SendGrid API-Schlüssel'];
diff --git a/phpmyfaq/translations/language_en.php b/phpmyfaq/translations/language_en.php
index 9db8744b63..e378e81b21 100644
--- a/phpmyfaq/translations/language_en.php
+++ b/phpmyfaq/translations/language_en.php
@@ -1223,7 +1223,9 @@
 
 // added v3.2.0-alpha - 2022-09-10 by Thorsten
 $PMF_LANG['msgSignInWithMicrosoft'] = 'Sign in with Microsoft';
+$PMF_LANG['msgSignInWithKeycloak'] = 'Sign in with Keycloak';
 $LANG_CONF['security.enableSignInWithMicrosoft'] = ['checkbox', 'Enable Sign in with Microsoft Entra ID'];
+$PMF_LANG['keycloakControlCenter'] = 'Keycloak';
 $LANG_CONF['main.enableAskQuestions'] = ['checkbox', 'Enable "Ask question"'];
 $LANG_CONF['main.enableNotifications'] = ['checkbox', 'Enable notifications'];
 $LANG_CONF['mail.sendTestEmail'] = ['button', 'Send test email to the administrator via SMTP'];
@@ -1684,6 +1686,18 @@
 $LANG_CONF['oauth2.accessTokenTTL'] = ['input', 'Access token TTL', 'ISO 8601 duration, e.g. PT1H'];
 $LANG_CONF['oauth2.refreshTokenTTL'] = ['input', 'Refresh token TTL', 'ISO 8601 duration, e.g. P1M'];
 $LANG_CONF['oauth2.authCodeTTL'] = ['input', 'Authorization code TTL', 'ISO 8601 duration, e.g. PT10M'];
+$LANG_CONF['keycloak.enable'] = ['checkbox', 'Enable Keycloak sign-in'];
+$LANG_CONF['keycloak.baseUrl'] = ['input', 'Keycloak base URL', 'Base URL of the Keycloak server, e.g. https://sso.example.com'];
+$LANG_CONF['keycloak.realm'] = ['input', 'Realm', 'Keycloak realm used for phpMyFAQ authentication'];
+$LANG_CONF['keycloak.clientId'] = ['input', 'Client ID', 'OIDC client identifier configured in Keycloak'];
+$LANG_CONF['keycloak.clientSecret'] = ['password', 'Client secret'];
+$LANG_CONF['keycloak.redirectUri'] = ['input', 'Redirect URI', 'Callback URL registered in the Keycloak client'];
+$LANG_CONF['keycloak.scopes'] = ['input', 'Scopes', 'Space-separated scopes, e.g. openid profile email'];
+$LANG_CONF['keycloak.autoProvision'] = ['checkbox', 'Automatically create phpMyFAQ users on first Keycloak login'];
+$LANG_CONF['keycloak.groupAutoAssign'] = ['checkbox', 'Automatically assign phpMyFAQ groups from Keycloak roles'];
+$LANG_CONF['keycloak.groupSyncOnLogin'] = ['checkbox', 'Synchronize mapped phpMyFAQ groups on login', 'If enabled, phpMyFAQ removes stale memberships for groups managed by the Keycloak role mapping during login'];
+$LANG_CONF['keycloak.groupMapping'] = ['input', 'Role to group mapping', 'JSON object mapping Keycloak roles to phpMyFAQ group names, e.g. {"admin":"Administrators"}'];
+$LANG_CONF['keycloak.logoutRedirectUrl'] = ['input', 'Logout redirect URL', 'URL to redirect to after Keycloak logout'];
 
 $LANG_CONF['mail.provider'] = ['select', 'Mail provider'];
 $LANG_CONF['mail.sendgridApiKey'] = ['password', 'SendGrid API key'];
diff --git a/tests/phpMyFAQ/Auth/AuthKeycloakTest.php b/tests/phpMyFAQ/Auth/AuthKeycloakTest.php
new file mode 100644
index 0000000000..5a6ad096a0
--- /dev/null
+++ b/tests/phpMyFAQ/Auth/AuthKeycloakTest.php
@@ -0,0 +1,307 @@
+<?php
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth;
+
+use Monolog\Logger;
+use phpMyFAQ\Auth\Oidc\OidcClientConfig;
+use phpMyFAQ\Auth\Oidc\OidcProviderConfig;
+use phpMyFAQ\Configuration;
+use phpMyFAQ\Enums\AuthenticationSourceType;
+use phpMyFAQ\Permission\MediumPermission;
+use phpMyFAQ\User;
+use PHPUnit\Framework\Attributes\AllowMockObjectsWithoutExpectations;
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\UsesClass;
+use PHPUnit\Framework\TestCase;
+
+#[AllowMockObjectsWithoutExpectations]
+#[CoversClass(AuthKeycloak::class)]
+#[UsesClass(OidcClientConfig::class)]
+#[UsesClass(OidcProviderConfig::class)]
+final class AuthKeycloakTest extends TestCase
+{
+    public function testCheckCredentialsReturnsTrueForExistingUser(): void
+    {
+        $user = $this->createMock(User::class);
+        $user->expects($this->once())->method('getUserByLogin')->with('john', false)->willReturn(true);
+
+        $auth = new AuthKeycloak(
+            $this->createStub(Configuration::class),
+            $this->createProviderConfig(autoProvision: false),
+            ['preferred_username' => 'john'],
+            'john',
+            static fn(): User => $user,
+        );
+
+        $this->assertTrue($auth->checkCredentials('john', ''));
+    }
+
+    public function testCheckCredentialsSynchronizesGroupsForExistingUserWhenEnabled(): void
+    {
+        $configuration = $this->createStub(Configuration::class);
+        $configuration
+            ->method('get')
+            ->willReturnCallback(static fn(string $item): mixed => match ($item) {
+                'keycloak.groupSyncOnLogin' => 'true',
+                'keycloak.groupMapping' => '{"manage-users":"Administrators","faq-editors":"faq-editors"}',
+                'keycloak.clientId' => 'phpmyfaq',
+                'security.permLevel' => 'medium',
+                default => null,
+            });
+        $configuration->method('getLogger')->willReturn($this->createMock(Logger::class));
+
+        $user = $this->createMock(User::class);
+        $user->expects($this->once())->method('getUserByLogin')->with('john', false)->willReturn(true);
+        $user->expects($this->once())->method('getUserId')->willReturn(42);
+
+        $permission = $this->createMock(MediumPermission::class);
+        $permission->expects($this->once())->method('getUserGroups')->with(42)->willReturn([11]);
+        $permission->expects($this->once())->method('findOrCreateGroupByName')->with('Administrators')->willReturn(10);
+        $permission
+            ->expects($this->exactly(2))
+            ->method('getGroupId')
+            ->willReturnCallback(static fn(string $groupName): int => match ($groupName) {
+                'Administrators' => 10,
+                'faq-editors' => 11,
+                default => 0,
+            });
+        $permission->expects($this->once())->method('addToGroup')->with(42, 10);
+        $permission->expects($this->once())->method('removeFromGroup')->with(42, 11);
+
+        $auth = new AuthKeycloak(
+            $configuration,
+            $this->createProviderConfig(autoProvision: false),
+            [
+                'preferred_username' => 'john',
+                'realm_access' => ['roles' => ['manage-users']],
+                'resource_access' => ['phpmyfaq' => ['roles' => []]],
+            ],
+            'john',
+            static fn(): User => $user,
+            static fn(): MediumPermission => $permission,
+        );
+
+        $this->assertTrue($auth->checkCredentials('john', ''));
+    }
+
+    public function testCheckCredentialsReturnsFalseWhenAutoProvisionIsDisabled(): void
+    {
+        $user = $this->createMock(User::class);
+        $user->expects($this->once())->method('getUserByLogin')->with('john', false)->willReturn(false);
+
+        $auth = new AuthKeycloak(
+            $this->createStub(Configuration::class),
+            $this->createProviderConfig(autoProvision: false),
+            ['preferred_username' => 'john'],
+            'john',
+            static fn(): User => $user,
+        );
+
+        $this->assertFalse($auth->checkCredentials('john', ''));
+    }
+
+    public function testCheckCredentialsAutoProvisionsUserWhenEnabled(): void
+    {
+        $configuration = $this->createStub(Configuration::class);
+        $configuration
+            ->method('get')
+            ->willReturnCallback(static fn(string $item): mixed => match ($item) {
+                'keycloak.groupAutoAssign' => 'false',
+                'security.permLevel' => 'basic',
+                default => null,
+            });
+        $configuration->method('getLogger')->willReturn($this->createMock(Logger::class));
+
+        $user = $this->createMock(User::class);
+        $user->expects($this->once())->method('getUserByLogin')->with('john', false)->willReturn(false);
+        $user->expects($this->once())->method('createUser')->with('john', '', '')->willReturn(true);
+        $user->expects($this->once())->method('setStatus')->with('active');
+        $user->expects($this->once())->method('setAuthSource')->with(AuthenticationSourceType::AUTH_KEYCLOAK->value);
+        $user
+            ->expects($this->once())
+            ->method('setUserData')
+            ->with([
+                'display_name' => 'John Doe',
+                'email' => 'john@example.com',
+                'keycloak_sub' => 'subject-123',
+            ])
+            ->willReturn(true);
+
+        $auth = new AuthKeycloak(
+            $configuration,
+            $this->createProviderConfig(autoProvision: true),
+            [
+                'preferred_username' => 'john',
+                'name' => 'John Doe',
+                'email' => 'john@example.com',
+                'sub' => 'subject-123',
+            ],
+            'john',
+            static fn(): User => $user,
+        );
+
+        $this->assertTrue($auth->checkCredentials('john', ''));
+    }
+
+    public function testCreateAssignsMappedGroupsFromKeycloakRoles(): void
+    {
+        $configuration = $this->createStub(Configuration::class);
+        $configuration
+            ->method('get')
+            ->willReturnCallback(static fn(string $item): mixed => match ($item) {
+                'keycloak.groupAutoAssign' => 'true',
+                'keycloak.groupSyncOnLogin' => 'false',
+                'keycloak.groupMapping' => '{"manage-users":"Administrators","faq-editors":"faq-editors"}',
+                'keycloak.clientId' => 'phpmyfaq',
+                'security.permLevel' => 'medium',
+                default => null,
+            });
+        $configuration->method('getLogger')->willReturn($this->createMock(Logger::class));
+
+        $user = $this->createMock(User::class);
+        $user->expects($this->once())->method('createUser')->with('john', '', '')->willReturn(true);
+        $user->expects($this->once())->method('setStatus')->with('active');
+        $user->expects($this->once())->method('setAuthSource')->with(AuthenticationSourceType::AUTH_KEYCLOAK->value);
+        $user
+            ->expects($this->once())
+            ->method('setUserData')
+            ->with([
+                'display_name' => 'John Doe',
+                'email' => 'john@example.com',
+                'keycloak_sub' => 'subject-123',
+            ])
+            ->willReturn(true);
+        $user->expects($this->once())->method('getUserId')->willReturn(42);
+
+        $permission = $this->createMock(MediumPermission::class);
+        $permission
+            ->expects($this->exactly(2))
+            ->method('findOrCreateGroupByName')
+            ->willReturnCallback(static fn(string $groupName): int => match ($groupName) {
+                'Administrators' => 10,
+                'faq-editors' => 11,
+                default => 0,
+            });
+        $permission
+            ->expects($this->exactly(2))
+            ->method('addToGroup')
+            ->with($this->equalTo(42), $this->logicalOr($this->equalTo(10), $this->equalTo(11)));
+
+        $auth = new AuthKeycloak(
+            $configuration,
+            $this->createProviderConfig(autoProvision: true),
+            [
+                'preferred_username' => 'john',
+                'name' => 'John Doe',
+                'email' => 'john@example.com',
+                'sub' => 'subject-123',
+                'realm_access' => [
+                    'roles' => ['manage-users'],
+                ],
+                'resource_access' => [
+                    'phpmyfaq' => [
+                        'roles' => ['faq-editors'],
+                    ],
+                ],
+            ],
+            'john',
+            static fn(): User => $user,
+            static fn(): MediumPermission => $permission,
+        );
+
+        $this->assertTrue($auth->create('john', ''));
+    }
+
+    public function testCreateSynchronizesMappedGroupsWhenEnabled(): void
+    {
+        $configuration = $this->createStub(Configuration::class);
+        $configuration
+            ->method('get')
+            ->willReturnCallback(static fn(string $item): mixed => match ($item) {
+                'keycloak.groupAutoAssign' => 'true',
+                'keycloak.groupSyncOnLogin' => 'true',
+                'keycloak.groupMapping' => '{"manage-users":"Administrators","faq-editors":"faq-editors"}',
+                'keycloak.clientId' => 'phpmyfaq',
+                'security.permLevel' => 'medium',
+                default => null,
+            });
+        $configuration->method('getLogger')->willReturn($this->createMock(Logger::class));
+
+        $user = $this->createMock(User::class);
+        $user->expects($this->once())->method('createUser')->with('john', '', '')->willReturn(true);
+        $user->expects($this->once())->method('setStatus')->with('active');
+        $user->expects($this->once())->method('setAuthSource')->with(AuthenticationSourceType::AUTH_KEYCLOAK->value);
+        $user->expects($this->once())->method('setUserData')->willReturn(true);
+        $user->expects($this->once())->method('getUserId')->willReturn(42);
+
+        $permission = $this->createMock(MediumPermission::class);
+        $permission->expects($this->once())->method('getUserGroups')->with(42)->willReturn([10, 11]);
+        $permission->expects($this->once())->method('findOrCreateGroupByName')->with('Administrators')->willReturn(10);
+        $permission
+            ->expects($this->exactly(2))
+            ->method('getGroupId')
+            ->willReturnCallback(static fn(string $groupName): int => match ($groupName) {
+                'Administrators' => 10,
+                'faq-editors' => 11,
+                default => 0,
+            });
+        $permission->expects($this->never())->method('addToGroup');
+        $permission->expects($this->once())->method('removeFromGroup')->with(42, 11);
+
+        $auth = new AuthKeycloak(
+            $configuration,
+            $this->createProviderConfig(autoProvision: true),
+            [
+                'preferred_username' => 'john',
+                'name' => 'John Doe',
+                'email' => 'john@example.com',
+                'sub' => 'subject-123',
+                'realm_access' => [
+                    'roles' => ['manage-users'],
+                ],
+                'resource_access' => [
+                    'phpmyfaq' => [
+                        'roles' => [],
+                    ],
+                ],
+            ],
+            'john',
+            static fn(): User => $user,
+            static fn(): MediumPermission => $permission,
+        );
+
+        $this->assertTrue($auth->create('john', ''));
+    }
+
+    public function testIsValidLoginMatchesResolvedLogin(): void
+    {
+        $auth = new AuthKeycloak(
+            $this->createStub(Configuration::class),
+            $this->createProviderConfig(autoProvision: true),
+            ['preferred_username' => 'john'],
+            'john',
+        );
+
+        $this->assertSame(1, $auth->isValidLogin('john'));
+        $this->assertSame(0, $auth->isValidLogin('jane'));
+    }
+
+    private function createProviderConfig(bool $autoProvision): OidcProviderConfig
+    {
+        return new OidcProviderConfig(
+            'keycloak',
+            true,
+            'https://sso.example.test/realms/phpmyfaq/.well-known/openid-configuration',
+            new OidcClientConfig(
+                'phpmyfaq',
+                'secret',
+                'https://faq.example.test/auth/keycloak/callback',
+                ['openid', 'profile', 'email'],
+            ),
+            $autoProvision,
+            'https://faq.example.test/',
+        );
+    }
+}
diff --git a/tests/phpMyFAQ/Auth/Keycloak/KeycloakProviderConfigFactoryTest.php b/tests/phpMyFAQ/Auth/Keycloak/KeycloakProviderConfigFactoryTest.php
new file mode 100644
index 0000000000..98e4e9d687
--- /dev/null
+++ b/tests/phpMyFAQ/Auth/Keycloak/KeycloakProviderConfigFactoryTest.php
@@ -0,0 +1,75 @@
+<?php
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Keycloak;
+
+use phpMyFAQ\Auth\Oidc\OidcClientConfig;
+use phpMyFAQ\Auth\Oidc\OidcProviderConfig;
+use phpMyFAQ\Configuration;
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\UsesClass;
+use PHPUnit\Framework\TestCase;
+
+#[CoversClass(KeycloakProviderConfigFactory::class)]
+#[UsesClass(OidcProviderConfig::class)]
+#[UsesClass(OidcClientConfig::class)]
+final class KeycloakProviderConfigFactoryTest extends TestCase
+{
+    public function testCreateBuildsKeycloakConfigFromConfiguration(): void
+    {
+        $configuration = $this->createStub(Configuration::class);
+        $configuration
+            ->method('get')
+            ->willReturnMap([
+                ['keycloak.enable',            'true'],
+                ['keycloak.baseUrl',           ' https://sso.example.com/ '],
+                ['keycloak.realm',             'faq'],
+                ['keycloak.clientId',          'pmf-web'],
+                ['keycloak.clientSecret',      'super-secret'],
+                ['keycloak.redirectUri',       'https://faq.example.com/auth/keycloak/callback'],
+                ['keycloak.scopes',            'openid profile email roles'],
+                ['keycloak.autoProvision',     '1'],
+                ['keycloak.logoutRedirectUrl', 'https://faq.example.com/logout'],
+            ]);
+
+        $factory = new KeycloakProviderConfigFactory($configuration);
+        $config = $factory->create();
+
+        $this->assertSame('keycloak', $config->provider);
+        $this->assertTrue($config->enabled);
+        $this->assertSame('https://sso.example.com/realms/faq/.well-known/openid-configuration', $config->discoveryUrl);
+        $this->assertSame('pmf-web', $config->client->clientId);
+        $this->assertSame('super-secret', $config->client->clientSecret);
+        $this->assertSame('https://faq.example.com/auth/keycloak/callback', $config->client->redirectUri);
+        $this->assertSame(['openid', 'profile', 'email', 'roles'], $config->client->scopes);
+        $this->assertSame('openid profile email roles', $config->client->getScopesAsString());
+        $this->assertTrue($config->autoProvision);
+        $this->assertSame('https://faq.example.com/logout', $config->logoutRedirectUrl);
+    }
+
+    public function testCreateFallsBackToDefaultRedirectUri(): void
+    {
+        $configuration = $this->createStub(Configuration::class);
+        $configuration
+            ->method('get')
+            ->willReturnMap([
+                ['keycloak.enable',            'false'],
+                ['keycloak.baseUrl',           'https://sso.example.com'],
+                ['keycloak.realm',             'faq'],
+                ['keycloak.clientId',          ''],
+                ['keycloak.clientSecret',      ''],
+                ['keycloak.redirectUri',       ''],
+                ['keycloak.scopes',            'openid profile email'],
+                ['keycloak.autoProvision',     'false'],
+                ['keycloak.logoutRedirectUrl', ''],
+            ]);
+        $configuration->method('getDefaultUrl')->willReturn('https://faq.example.com/');
+
+        $factory = new KeycloakProviderConfigFactory($configuration);
+        $config = $factory->create();
+
+        $this->assertFalse($config->enabled);
+        $this->assertSame('https://faq.example.com/auth/keycloak/callback', $config->client->redirectUri);
+    }
+}
diff --git a/tests/phpMyFAQ/Auth/Oidc/OidcClientTest.php b/tests/phpMyFAQ/Auth/Oidc/OidcClientTest.php
new file mode 100644
index 0000000000..8dce028af3
--- /dev/null
+++ b/tests/phpMyFAQ/Auth/Oidc/OidcClientTest.php
@@ -0,0 +1,129 @@
+<?php
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\UsesClass;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpClient\MockHttpClient;
+use Symfony\Component\HttpClient\Response\MockResponse;
+
+#[CoversClass(OidcClient::class)]
+#[UsesClass(OidcClientConfig::class)]
+#[UsesClass(OidcDiscoveryDocument::class)]
+#[UsesClass(OidcProviderConfig::class)]
+final class OidcClientTest extends TestCase
+{
+    public function testBuildAuthorizationUrlContainsExpectedParameters(): void
+    {
+        $client = new OidcClient(new MockHttpClient());
+        $config = new OidcProviderConfig(
+            'keycloak',
+            true,
+            'https://sso.example.test/.well-known/openid-configuration',
+            new OidcClientConfig(
+                'phpmyfaq',
+                'secret',
+                'https://faq.example.test/auth/keycloak/callback',
+                ['openid', 'profile', 'email'],
+            ),
+            true,
+            'https://faq.example.test/',
+        );
+        $discoveryDocument = new OidcDiscoveryDocument(
+            'https://sso.example.test/realms/phpmyfaq',
+            'https://sso.example.test/auth',
+            'https://sso.example.test/token',
+            'https://sso.example.test/userinfo',
+            'https://sso.example.test/jwks',
+            'https://sso.example.test/logout',
+        );
+
+        $url = $client->buildAuthorizationUrl($config, $discoveryDocument, 'state-123', 'nonce-456', 'challenge-789');
+
+        $this->assertStringStartsWith('https://sso.example.test/auth?', $url);
+        $this->assertStringContainsString('client_id=phpmyfaq', $url);
+        $this->assertStringContainsString('state=state-123', $url);
+        $this->assertStringContainsString('nonce=nonce-456', $url);
+        $this->assertStringContainsString('code_challenge=challenge-789', $url);
+        $this->assertStringContainsString('scope=openid+profile+email', $url);
+    }
+
+    public function testExchangeAuthorizationCodeReturnsDecodedTokenPayload(): void
+    {
+        $client = new OidcClient(new MockHttpClient([
+            new MockResponse('{"access_token":"access","refresh_token":"refresh","id_token":"header.payload.sig"}'),
+        ]));
+        $config = new OidcProviderConfig(
+            'keycloak',
+            true,
+            'https://sso.example.test/.well-known/openid-configuration',
+            new OidcClientConfig('phpmyfaq', 'secret', 'https://faq.example.test/callback', ['openid']),
+            true,
+            '',
+        );
+        $discoveryDocument = new OidcDiscoveryDocument(
+            'https://issuer.example.test',
+            'https://sso.example.test/auth',
+            'https://sso.example.test/token',
+            'https://sso.example.test/userinfo',
+            'https://sso.example.test/jwks',
+        );
+
+        $payload = $client->exchangeAuthorizationCode($config, $discoveryDocument, 'test-code', 'test-verifier');
+
+        $this->assertSame('access', $payload['access_token']);
+        $this->assertSame('refresh', $payload['refresh_token']);
+        $this->assertSame('header.payload.sig', $payload['id_token']);
+    }
+
+    public function testFetchUserInfoReturnsDecodedClaims(): void
+    {
+        $client = new OidcClient(new MockHttpClient([
+            new MockResponse('{"sub":"123","preferred_username":"john","email":"john@example.com"}'),
+        ]));
+        $discoveryDocument = new OidcDiscoveryDocument(
+            'https://issuer.example.test',
+            'https://sso.example.test/auth',
+            'https://sso.example.test/token',
+            'https://sso.example.test/userinfo',
+            'https://sso.example.test/jwks',
+        );
+
+        $claims = $client->fetchUserInfo($discoveryDocument, 'access-token');
+
+        $this->assertSame('123', $claims['sub']);
+        $this->assertSame('john', $claims['preferred_username']);
+        $this->assertSame('john@example.com', $claims['email']);
+    }
+
+    public function testBuildLogoutUrlIncludesRedirectTarget(): void
+    {
+        $client = new OidcClient(new MockHttpClient());
+        $config = new OidcProviderConfig(
+            'keycloak',
+            true,
+            'https://sso.example.test/.well-known/openid-configuration',
+            new OidcClientConfig('phpmyfaq', 'secret', 'https://faq.example.test/callback', ['openid']),
+            true,
+            'https://faq.example.test/',
+        );
+        $discoveryDocument = new OidcDiscoveryDocument(
+            'https://issuer.example.test',
+            'https://sso.example.test/auth',
+            'https://sso.example.test/token',
+            'https://sso.example.test/userinfo',
+            'https://sso.example.test/jwks',
+            'https://sso.example.test/logout',
+        );
+
+        $url = $client->buildLogoutUrl($config, $discoveryDocument, 'id-token');
+
+        $this->assertSame(
+            'https://sso.example.test/logout?client_id=phpmyfaq&post_logout_redirect_uri=https%3A%2F%2Ffaq.example.test%2F&id_token_hint=id-token',
+            $url,
+        );
+    }
+}
diff --git a/tests/phpMyFAQ/Auth/Oidc/OidcDiscoveryServiceTest.php b/tests/phpMyFAQ/Auth/Oidc/OidcDiscoveryServiceTest.php
new file mode 100644
index 0000000000..dbc6f06414
--- /dev/null
+++ b/tests/phpMyFAQ/Auth/Oidc/OidcDiscoveryServiceTest.php
@@ -0,0 +1,94 @@
+<?php
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\UsesClass;
+use PHPUnit\Framework\TestCase;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
+use Symfony\Contracts\HttpClient\ResponseInterface;
+
+#[CoversClass(OidcDiscoveryService::class)]
+#[UsesClass(OidcProviderConfig::class)]
+#[UsesClass(OidcDiscoveryDocument::class)]
+#[UsesClass(OidcClientConfig::class)]
+final class OidcDiscoveryServiceTest extends TestCase
+{
+    public function testDiscoverReturnsTypedDiscoveryDocument(): void
+    {
+        $response = $this->createMock(ResponseInterface::class);
+        $response->method('getStatusCode')->willReturn(200);
+        $response
+            ->expects($this->once())
+            ->method('getContent')
+            ->with(false)
+            ->willReturn(json_encode([
+                'issuer' => 'https://sso.example.com/realms/faq',
+                'authorization_endpoint' => 'https://sso.example.com/realms/faq/protocol/openid-connect/auth',
+                'token_endpoint' => 'https://sso.example.com/realms/faq/protocol/openid-connect/token',
+                'userinfo_endpoint' => 'https://sso.example.com/realms/faq/protocol/openid-connect/userinfo',
+                'jwks_uri' => 'https://sso.example.com/realms/faq/protocol/openid-connect/certs',
+                'end_session_endpoint' => 'https://sso.example.com/realms/faq/protocol/openid-connect/logout',
+            ], JSON_THROW_ON_ERROR));
+
+        $httpClient = $this->createMock(HttpClientInterface::class);
+        $httpClient
+            ->expects($this->once())
+            ->method('request')
+            ->with('GET', 'https://sso.example.com/realms/faq/.well-known/openid-configuration')
+            ->willReturn($response);
+
+        $service = new OidcDiscoveryService($httpClient);
+        $document = $service->discover(new OidcProviderConfig(
+            provider: 'keycloak',
+            enabled: true,
+            discoveryUrl: 'https://sso.example.com/realms/faq/.well-known/openid-configuration',
+            client: new OidcClientConfig(
+                clientId: 'pmf-web',
+                clientSecret: 'secret',
+                redirectUri: 'https://faq.example.com/auth/keycloak/callback',
+                scopes: ['openid', 'profile', 'email'],
+            ),
+            autoProvision: false,
+            logoutRedirectUrl: '',
+        ));
+
+        $this->assertSame('https://sso.example.com/realms/faq', $document->issuer);
+        $this->assertStringContainsString('/auth', $document->authorizationEndpoint);
+        $this->assertStringContainsString('/token', $document->tokenEndpoint);
+        $this->assertStringContainsString('/userinfo', $document->userInfoEndpoint);
+        $this->assertStringContainsString('/certs', $document->jwksUri);
+        $this->assertStringContainsString('/logout', (string) $document->endSessionEndpoint);
+    }
+
+    public function testDiscoverThrowsForInvalidJson(): void
+    {
+        $response = $this->createMock(ResponseInterface::class);
+        $response->method('getStatusCode')->willReturn(200);
+        $response->expects($this->once())->method('getContent')->with(false)->willReturn('not-json');
+
+        $httpClient = $this->createStub(HttpClientInterface::class);
+        $httpClient->method('request')->willReturn($response);
+
+        $service = new OidcDiscoveryService($httpClient);
+
+        $this->expectException(\RuntimeException::class);
+        $this->expectExceptionMessage('OIDC discovery response is not valid JSON');
+
+        $service->discover(new OidcProviderConfig(
+            provider: 'keycloak',
+            enabled: true,
+            discoveryUrl: 'https://sso.example.com/realms/faq/.well-known/openid-configuration',
+            client: new OidcClientConfig(
+                clientId: 'pmf-web',
+                clientSecret: 'secret',
+                redirectUri: 'https://faq.example.com/auth/keycloak/callback',
+                scopes: ['openid'],
+            ),
+            autoProvision: false,
+            logoutRedirectUrl: '',
+        ));
+    }
+}
diff --git a/tests/phpMyFAQ/Auth/Oidc/OidcIdTokenValidatorTest.php b/tests/phpMyFAQ/Auth/Oidc/OidcIdTokenValidatorTest.php
new file mode 100644
index 0000000000..7c5f225e68
--- /dev/null
+++ b/tests/phpMyFAQ/Auth/Oidc/OidcIdTokenValidatorTest.php
@@ -0,0 +1,329 @@
+<?php
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use OpenSSLAsymmetricKey;
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\UsesClass;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpClient\MockHttpClient;
+use Symfony\Component\HttpClient\Response\MockResponse;
+
+#[CoversClass(OidcIdTokenValidator::class)]
+#[UsesClass(OidcDiscoveryDocument::class)]
+final class OidcIdTokenValidatorTest extends TestCase
+{
+    private OpenSSLAsymmetricKey $privateKey;
+
+    /** @var array<string, mixed> */
+    private array $jwk;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        set_error_handler(static fn(): bool => true);
+        try {
+            $privateKey = openssl_pkey_new([
+                'private_key_type' => OPENSSL_KEYTYPE_RSA,
+                'private_key_bits' => 2048,
+            ]);
+        } finally {
+            restore_error_handler();
+        }
+
+        self::assertInstanceOf(OpenSSLAsymmetricKey::class, $privateKey);
+        $details = openssl_pkey_get_details($privateKey);
+        self::assertIsArray($details);
+        self::assertIsArray($details['rsa'] ?? null);
+
+        $this->privateKey = $privateKey;
+        $this->jwk = [
+            'kty' => 'RSA',
+            'kid' => 'test-key',
+            'alg' => 'RS256',
+            'use' => 'sig',
+            'n' => $this->base64UrlEncode($details['rsa']['n']),
+            'e' => $this->base64UrlEncode($details['rsa']['e']),
+        ];
+    }
+
+    public function testValidateReturnsClaimsForValidIdToken(): void
+    {
+        $validator = $this->createValidator([
+            'keys' => [$this->jwk],
+        ], 1_700_000_000);
+
+        $claims = $validator->validate(
+            $this->signToken([
+                'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                'sub' => 'subject-123',
+                'aud' => ['phpmyfaq'],
+                'azp' => 'phpmyfaq',
+                'nonce' => 'nonce-123',
+                'iat' => 1_699_999_990,
+                'nbf' => 1_699_999_990,
+                'exp' => 1_700_000_060,
+            ]),
+            $this->createDiscoveryDocument(),
+            'phpmyfaq',
+            'nonce-123',
+        );
+
+        self::assertSame('https://sso.example.test/realms/phpmyfaq', $claims['iss']);
+    }
+
+    public function testValidateRejectsExpiredToken(): void
+    {
+        $validator = $this->createValidator([
+            'keys' => [$this->jwk],
+        ], 1_700_000_000);
+
+        $this->expectExceptionObject(new \RuntimeException('OIDC id_token has expired'));
+
+        $validator->validate(
+            $this->signToken([
+                'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                'sub' => 'subject-123',
+                'aud' => ['phpmyfaq'],
+                'azp' => 'phpmyfaq',
+                'nonce' => 'nonce-123',
+                'iat' => 1_699_999_900,
+                'exp' => 1_699_999_999,
+            ]),
+            $this->createDiscoveryDocument(),
+            'phpmyfaq',
+            'nonce-123',
+        );
+    }
+
+    public function testValidateRejectsTokenThatIsNotValidYet(): void
+    {
+        $validator = $this->createValidator([
+            'keys' => [$this->jwk],
+        ], 1_700_000_000);
+
+        $this->expectExceptionObject(new \RuntimeException('OIDC id_token is not valid yet'));
+
+        $validator->validate(
+            $this->signToken([
+                'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                'sub' => 'subject-123',
+                'aud' => ['phpmyfaq'],
+                'azp' => 'phpmyfaq',
+                'nonce' => 'nonce-123',
+                'iat' => 1_699_999_990,
+                'nbf' => 1_700_000_001,
+                'exp' => 1_700_000_060,
+            ]),
+            $this->createDiscoveryDocument(),
+            'phpmyfaq',
+            'nonce-123',
+        );
+    }
+
+    public function testValidateRejectsFutureIssuedAtTime(): void
+    {
+        $validator = $this->createValidator([
+            'keys' => [$this->jwk],
+        ], 1_700_000_000);
+
+        $this->expectExceptionObject(new \RuntimeException('OIDC id_token issued-at time is in the future'));
+
+        $validator->validate(
+            $this->signToken([
+                'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                'sub' => 'subject-123',
+                'aud' => ['phpmyfaq'],
+                'azp' => 'phpmyfaq',
+                'nonce' => 'nonce-123',
+                'iat' => 1_700_000_061,
+                'exp' => 1_700_000_120,
+            ]),
+            $this->createDiscoveryDocument(),
+            'phpmyfaq',
+            'nonce-123',
+        );
+    }
+
+    public function testValidateRejectsInvalidSignature(): void
+    {
+        set_error_handler(static fn(): bool => true);
+        try {
+            $otherKey = openssl_pkey_new([
+                'private_key_type' => OPENSSL_KEYTYPE_RSA,
+                'private_key_bits' => 2048,
+            ]);
+        } finally {
+            restore_error_handler();
+        }
+        self::assertInstanceOf(OpenSSLAsymmetricKey::class, $otherKey);
+
+        $validator = $this->createValidator([
+            'keys' => [$this->jwk],
+        ], 1_700_000_000);
+
+        $this->expectExceptionObject(new \RuntimeException('OIDC id_token signature validation failed'));
+
+        $validator->validate(
+            $this->signToken([
+                'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                'sub' => 'subject-123',
+                'aud' => ['phpmyfaq'],
+                'azp' => 'phpmyfaq',
+                'nonce' => 'nonce-123',
+                'iat' => 1_699_999_990,
+                'exp' => 1_700_000_060,
+            ], $otherKey),
+            $this->createDiscoveryDocument(),
+            'phpmyfaq',
+            'nonce-123',
+        );
+    }
+
+    public function testValidateRejectsEmptyIdToken(): void
+    {
+        $validator = $this->createValidator(['keys' => [$this->jwk]], 1_700_000_000);
+
+        $this->expectExceptionObject(new \RuntimeException('OIDC id_token is missing'));
+
+        $validator->validate('', $this->createDiscoveryDocument(), 'phpmyfaq', 'nonce-123');
+    }
+
+    public function testValidateRejectsMissingSubjectClaim(): void
+    {
+        $validator = $this->createValidator(['keys' => [$this->jwk]], 1_700_000_000);
+
+        $this->expectExceptionObject(new \RuntimeException('OIDC id_token is missing the subject claim'));
+
+        $validator->validate(
+            $this->signToken([
+                'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                'aud' => ['phpmyfaq'],
+                'azp' => 'phpmyfaq',
+                'nonce' => 'nonce-123',
+                'iat' => 1_699_999_990,
+                'exp' => 1_700_000_060,
+            ]),
+            $this->createDiscoveryDocument(),
+            'phpmyfaq',
+            'nonce-123',
+        );
+    }
+
+    public function testValidateRejectsMissingNonceClaimWhenExpected(): void
+    {
+        $validator = $this->createValidator(['keys' => [$this->jwk]], 1_700_000_000);
+
+        $this->expectExceptionObject(new \RuntimeException('OIDC id_token is missing the nonce claim'));
+
+        $validator->validate(
+            $this->signToken([
+                'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                'sub' => 'subject-123',
+                'aud' => ['phpmyfaq'],
+                'azp' => 'phpmyfaq',
+                'iat' => 1_699_999_990,
+                'exp' => 1_700_000_060,
+            ]),
+            $this->createDiscoveryDocument(),
+            'phpmyfaq',
+            'nonce-123',
+        );
+    }
+
+    public function testValidateRejectsMissingIssuedAtClaim(): void
+    {
+        $validator = $this->createValidator(['keys' => [$this->jwk]], 1_700_000_000);
+
+        $this->expectExceptionObject(new \RuntimeException('OIDC id_token is missing the issued-at claim'));
+
+        $validator->validate(
+            $this->signToken([
+                'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                'sub' => 'subject-123',
+                'aud' => ['phpmyfaq'],
+                'azp' => 'phpmyfaq',
+                'nonce' => 'nonce-123',
+                'exp' => 1_700_000_060,
+            ]),
+            $this->createDiscoveryDocument(),
+            'phpmyfaq',
+            'nonce-123',
+        );
+    }
+
+    public function testValidateRejectsIssuedAtTooFarInThePast(): void
+    {
+        $validator = $this->createValidator(['keys' => [$this->jwk]], 1_700_000_000);
+
+        $this->expectExceptionObject(new \RuntimeException('OIDC id_token issued-at time is too far in the past'));
+
+        $validator->validate(
+            $this->signToken([
+                'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                'sub' => 'subject-123',
+                'aud' => ['phpmyfaq'],
+                'azp' => 'phpmyfaq',
+                'nonce' => 'nonce-123',
+                'iat' => 1_700_000_000 - 86_401,
+                'exp' => 1_700_000_060,
+            ]),
+            $this->createDiscoveryDocument(),
+            'phpmyfaq',
+            'nonce-123',
+        );
+    }
+
+    private function createDiscoveryDocument(): OidcDiscoveryDocument
+    {
+        return new OidcDiscoveryDocument(
+            issuer: 'https://sso.example.test/realms/phpmyfaq',
+            authorizationEndpoint: 'https://sso.example.test/auth',
+            tokenEndpoint: 'https://sso.example.test/token',
+            userInfoEndpoint: 'https://sso.example.test/userinfo',
+            jwksUri: 'https://sso.example.test/jwks',
+            endSessionEndpoint: 'https://sso.example.test/logout',
+        );
+    }
+
+    /**
+     * @param array<string, mixed> $jwks
+     */
+    private function createValidator(array $jwks, int $now): OidcIdTokenValidator
+    {
+        $httpClient = new MockHttpClient([
+            new MockResponse(json_encode($jwks, JSON_THROW_ON_ERROR)),
+        ]);
+
+        return new OidcIdTokenValidator($httpClient, static fn(): int => $now);
+    }
+
+    /**
+     * @param array<string, mixed> $claims
+     */
+    private function signToken(array $claims, ?OpenSSLAsymmetricKey $signingKey = null): string
+    {
+        $header = [
+            'alg' => 'RS256',
+            'typ' => 'JWT',
+            'kid' => 'test-key',
+        ];
+
+        $encodedHeader = $this->base64UrlEncode(json_encode($header, JSON_THROW_ON_ERROR));
+        $encodedPayload = $this->base64UrlEncode(json_encode($claims, JSON_THROW_ON_ERROR));
+        $signingInput = $encodedHeader . '.' . $encodedPayload;
+
+        $signature = '';
+        openssl_sign($signingInput, $signature, $signingKey ?? $this->privateKey, OPENSSL_ALGO_SHA256);
+
+        return $signingInput . '.' . $this->base64UrlEncode($signature);
+    }
+
+    private function base64UrlEncode(string $value): string
+    {
+        return rtrim(strtr(base64_encode($value), '+/', '-_'), '=');
+    }
+}
diff --git a/tests/phpMyFAQ/Auth/Oidc/OidcPkceGeneratorTest.php b/tests/phpMyFAQ/Auth/Oidc/OidcPkceGeneratorTest.php
new file mode 100644
index 0000000000..06ae539ae0
--- /dev/null
+++ b/tests/phpMyFAQ/Auth/Oidc/OidcPkceGeneratorTest.php
@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\TestCase;
+
+#[CoversClass(OidcPkceGenerator::class)]
+final class OidcPkceGeneratorTest extends TestCase
+{
+    public function testGenerateVerifierReturnsExpectedLengthAndCharset(): void
+    {
+        $generator = new OidcPkceGenerator();
+        $verifier = $generator->generateVerifier(64);
+
+        $this->assertSame(64, strlen($verifier));
+        $this->assertSame(1, preg_match('/^[A-Za-z0-9\\-._~]+$/', $verifier));
+    }
+
+    public function testGenerateChallengeMatchesRfcExample(): void
+    {
+        $generator = new OidcPkceGenerator();
+
+        $this->assertSame(
+            'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM',
+            $generator->generateChallenge('dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'),
+        );
+    }
+}
diff --git a/tests/phpMyFAQ/Auth/Oidc/OidcSessionTest.php b/tests/phpMyFAQ/Auth/Oidc/OidcSessionTest.php
new file mode 100644
index 0000000000..0e482ecd22
--- /dev/null
+++ b/tests/phpMyFAQ/Auth/Oidc/OidcSessionTest.php
@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
+
+#[CoversClass(OidcSession::class)]
+final class OidcSessionTest extends TestCase
+{
+    public function testSetAndClearAuthorizationState(): void
+    {
+        $session = new OidcSession(new Session(new MockArraySessionStorage()));
+        $session->setAuthorizationState('state-123', 'nonce-456', 'verifier-789');
+
+        $this->assertSame(
+            [
+                'state' => 'state-123',
+                'nonce' => 'nonce-456',
+                'verifier' => 'verifier-789',
+            ],
+            $session->getAuthorizationState(),
+        );
+
+        $session->clearAuthorizationState();
+
+        $this->assertSame(
+            [
+                'state' => '',
+                'nonce' => '',
+                'verifier' => '',
+            ],
+            $session->getAuthorizationState(),
+        );
+    }
+
+    public function testSetAndClearIdToken(): void
+    {
+        $session = new OidcSession(new Session(new MockArraySessionStorage()));
+
+        $session->setIdToken('id-token-123');
+        $this->assertSame('id-token-123', $session->getIdToken());
+
+        $session->clearIdToken();
+        $this->assertSame('', $session->getIdToken());
+    }
+}
diff --git a/tests/phpMyFAQ/Configuration/ConfigurationMethodsTraitTest.php b/tests/phpMyFAQ/Configuration/ConfigurationMethodsTraitTest.php
index cf429ec3c2..9488d26f98 100644
--- a/tests/phpMyFAQ/Configuration/ConfigurationMethodsTraitTest.php
+++ b/tests/phpMyFAQ/Configuration/ConfigurationMethodsTraitTest.php
@@ -434,6 +434,12 @@ public function testIsSignInWithMicrosoftActive(): void
         $this->assertTrue($this->subject->isSignInWithMicrosoftActive());
     }
 
+    public function testIsSignInWithKeycloakActive(): void
+    {
+        $this->securitySettings->method('isSignInWithKeycloakActive')->willReturn(true);
+        $this->assertTrue($this->subject->isSignInWithKeycloakActive());
+    }
+
     // --- Translation Provider ---
 
     public function testSetAndGetTranslationProvider(): void
diff --git a/tests/phpMyFAQ/Configuration/SettingsValueObjectsTest.php b/tests/phpMyFAQ/Configuration/SettingsValueObjectsTest.php
index 6797a3b2a8..501ac8b646 100644
--- a/tests/phpMyFAQ/Configuration/SettingsValueObjectsTest.php
+++ b/tests/phpMyFAQ/Configuration/SettingsValueObjectsTest.php
@@ -55,6 +55,15 @@ public function testSecuritySettingsDetectsMicrosoftSignInFlag(): void
         $this->assertTrue($settings->isSignInWithMicrosoftActive());
     }
 
+    public function testSecuritySettingsDetectsKeycloakSignInFlag(): void
+    {
+        $settings = new SecuritySettings($this->createConfigurationStub([
+            'keycloak.enable' => true,
+        ]));
+
+        $this->assertTrue($settings->isSignInWithKeycloakActive());
+    }
+
     public function testUrlSettingsNormalizeReferenceUrlAndAllowedMediaHosts(): void
     {
         $settings = new UrlSettings($this->createConfigurationStub([
diff --git a/tests/phpMyFAQ/Controller/Administration/Api/ConfigurationTabControllerTest.php b/tests/phpMyFAQ/Controller/Administration/Api/ConfigurationTabControllerTest.php
index 8898155219..6c10c34a54 100644
--- a/tests/phpMyFAQ/Controller/Administration/Api/ConfigurationTabControllerTest.php
+++ b/tests/phpMyFAQ/Controller/Administration/Api/ConfigurationTabControllerTest.php
@@ -223,6 +223,30 @@ public function testListReturnsRenderedConfigurationTabForAuthenticatedUser(): v
         self::assertStringContainsString('data-config-key="security.permLevel"', (string) $response->getContent());
     }
 
+    /**
+     * @throws \Exception
+     */
+    public function testListReturnsRenderedKeycloakConfigurationTabForAuthenticatedUser(): void
+    {
+        $language = $this->createStub(Language::class);
+        $language->method('setLanguageByAcceptLanguage')->willReturn('en');
+
+        $controller = $this->createControllerWithLanguage($language);
+        $controller->setContainer($this->createAuthenticatedContainer());
+
+        $request = new Request([], [], ['mode' => 'keycloak']);
+        $response = $controller->list($request);
+
+        self::assertSame(Response::HTTP_OK, $response->getStatusCode());
+        self::assertStringContainsString('data-config-key="keycloak.enable"', (string) $response->getContent());
+        self::assertStringContainsString('data-config-key="keycloak.clientId"', (string) $response->getContent());
+        self::assertStringContainsString(
+            'data-config-key="keycloak.groupSyncOnLogin"',
+            (string) $response->getContent(),
+        );
+        self::assertStringContainsString('data-config-key="keycloak.groupMapping"', (string) $response->getContent());
+    }
+
     /**
      * @throws \Exception
      */
diff --git a/tests/phpMyFAQ/Controller/Administration/AuthenticationControllerTest.php b/tests/phpMyFAQ/Controller/Administration/AuthenticationControllerTest.php
index 9a14e83f41..a88cb65f63 100644
--- a/tests/phpMyFAQ/Controller/Administration/AuthenticationControllerTest.php
+++ b/tests/phpMyFAQ/Controller/Administration/AuthenticationControllerTest.php
@@ -5,6 +5,7 @@
 namespace phpMyFAQ\Controller\Administration;
 
 use phpMyFAQ\Administration\AdminLog;
+use phpMyFAQ\Administration\AdminMenuBuilder;
 use phpMyFAQ\Configuration;
 use phpMyFAQ\Core\Exception;
 use phpMyFAQ\Database;
@@ -166,6 +167,24 @@ public function testLoginReturnsResponse(): void
         self::assertSame(Response::HTTP_OK, $response->getStatusCode());
     }
 
+    /**
+     * @throws \Exception
+     */
+    public function testLoginRendersKeycloakSignInButtonWhenEnabled(): void
+    {
+        $request = new Request();
+        $controller = $this->createController();
+        $controller->setContainer($this->createControllerContainer(currentUser: $this->createLoggedOutCurrentUser(), configurationValues: [
+            'keycloak.enable' => true,
+        ]));
+
+        $response = $controller->login($request);
+
+        self::assertInstanceOf(Response::class, $response);
+        self::assertStringContainsString('../auth/keycloak/authorize', (string) $response->getContent());
+        self::assertStringContainsString('Sign in with Keycloak', (string) $response->getContent());
+    }
+
     /**
      * @throws \Exception
      */
@@ -233,6 +252,84 @@ public function testLogoutUsesSsoRedirectWhenConfigured(): void
         self::assertSame($this->configuration->getDefaultUrl() . 'admin/login', $response->getTargetUrl());
     }
 
+    /**
+     * @throws \Exception
+     */
+    public function testLogoutRedirectsToKeycloakLogoutWhenKeycloakUserLogsOut(): void
+    {
+        $currentUser = $this->createLoggedInCurrentUser('keycloak');
+        $currentUser->expects(self::once())->method('deleteFromSession')->with(true);
+
+        $session = new Session(new MockArraySessionStorage());
+        $csrfToken = $this->seedAdminLogoutToken($session);
+
+        $controller = $this->createController();
+        $controller->setContainer($this->createControllerContainer(
+            currentUser: $currentUser,
+            configurationValues: ['keycloak.enable' => true],
+            session: $session,
+        ));
+
+        ob_start();
+        $response = $controller->logout(new Request(['csrf' => $csrfToken]));
+        ob_end_clean();
+
+        self::assertInstanceOf(RedirectResponse::class, $response);
+        self::assertSame($this->configuration->getDefaultUrl() . 'auth/keycloak/logout', $response->getTargetUrl());
+    }
+
+    /**
+     * @throws \Exception
+     */
+    public function testLogoutStaysLocalWhenKeycloakIsEnabledButUserUsesDifferentAuthSource(): void
+    {
+        $currentUser = $this->createLoggedInCurrentUser('local');
+        $currentUser->expects(self::once())->method('deleteFromSession')->with(true);
+
+        $session = new Session(new MockArraySessionStorage());
+        $csrfToken = $this->seedAdminLogoutToken($session);
+
+        $controller = $this->createController();
+        $controller->setContainer($this->createControllerContainer(
+            currentUser: $currentUser,
+            configurationValues: ['keycloak.enable' => true],
+            session: $session,
+        ));
+
+        ob_start();
+        $response = $controller->logout(new Request(['csrf' => $csrfToken]));
+        ob_end_clean();
+
+        self::assertInstanceOf(RedirectResponse::class, $response);
+        self::assertSame($this->configuration->getDefaultUrl() . 'admin/login', $response->getTargetUrl());
+    }
+
+    /**
+     * @throws \Exception
+     */
+    public function testLogoutStaysLocalWhenKeycloakUserLogsOutButKeycloakIsDisabled(): void
+    {
+        $currentUser = $this->createLoggedInCurrentUser('keycloak');
+        $currentUser->expects(self::once())->method('deleteFromSession')->with(true);
+
+        $session = new Session(new MockArraySessionStorage());
+        $csrfToken = $this->seedAdminLogoutToken($session);
+
+        $controller = $this->createController();
+        $controller->setContainer($this->createControllerContainer(
+            currentUser: $currentUser,
+            configurationValues: ['keycloak.enable' => false],
+            session: $session,
+        ));
+
+        ob_start();
+        $response = $controller->logout(new Request(['csrf' => $csrfToken]));
+        ob_end_clean();
+
+        self::assertInstanceOf(RedirectResponse::class, $response);
+        self::assertSame($this->configuration->getDefaultUrl() . 'admin/login', $response->getTargetUrl());
+    }
+
     /**
      * @throws \Exception
      */
@@ -364,16 +461,21 @@ private function createControllerContainer(
 
         $session ??= new Session(new MockArraySessionStorage());
         $adminLog = $this->createStub(AdminLog::class);
+        $adminHelper = $this->createMock(AdminMenuBuilder::class);
+        $adminHelper->method('setUser');
+        $adminHelper->method('canAccessContent')->willReturn(false);
+        $adminHelper->method('addMenuEntry')->willReturn('');
 
         $container = $this->createStub(ContainerInterface::class);
         $container
             ->method('get')
-            ->willReturnCallback(function (string $id) use ($currentUser, $session, $adminLog) {
+            ->willReturnCallback(function (string $id) use ($currentUser, $session, $adminLog, $adminHelper) {
                 return match ($id) {
                     'phpmyfaq.configuration' => $this->configuration,
                     'phpmyfaq.user.current_user' => $currentUser,
                     'session' => $session,
                     'phpmyfaq.admin.admin-log' => $adminLog,
+                    'phpmyfaq.admin.helper' => $adminHelper,
                     default => null,
                 };
             });
@@ -417,7 +519,7 @@ private function createLoggedOutCurrentUser(): CurrentUser
         return $currentUser;
     }
 
-    private function createLoggedInCurrentUser(): CurrentUser
+    private function createLoggedInCurrentUser(string $authSource = 'local'): CurrentUser
     {
         $permission = $this->createMock(PermissionInterface::class);
 
@@ -428,6 +530,7 @@ private function createLoggedInCurrentUser(): CurrentUser
         $currentUser->method('getUserId')->willReturn(1);
         $currentUser->method('getUserData')->willReturn('');
         $currentUser->method('getLogin')->willReturn('admin');
+        $currentUser->method('getUserAuthSource')->willReturn($authSource);
 
         return $currentUser;
     }
diff --git a/tests/phpMyFAQ/Controller/Administration/AuthenticationControllerWebTest.php b/tests/phpMyFAQ/Controller/Administration/AuthenticationControllerWebTest.php
index ab13194328..88eaf47902 100644
--- a/tests/phpMyFAQ/Controller/Administration/AuthenticationControllerWebTest.php
+++ b/tests/phpMyFAQ/Controller/Administration/AuthenticationControllerWebTest.php
@@ -14,19 +14,35 @@
 #[UsesClass(AbstractAdministrationController::class)]
 final class AuthenticationControllerWebTest extends ControllerWebTestCase
 {
-    public function testAdminLoginPageIsReachable(): void
+    public function testLoginShowsKeycloakAffordanceWhenEnabled(): void
     {
-        $response = $this->requestAdmin('GET', '/login');
+        $this->overrideConfigurationValues([
+            'keycloak.enable' => true,
+        ], 'admin');
+
+        $response = $this->requestAdminGuest('GET', '/login');
 
         self::assertResponseIsSuccessful($response);
-        self::assertResponseContains('admin/authenticate', $response);
+        self::assertMatchesRegularExpression(
+            '/href="[^"]*auth\/keycloak\/authorize"/',
+            (string) $response->getContent(),
+        );
+        $this->assertResponseContains('Sign in with Keycloak', $response);
     }
 
-    public function testAdminAuthenticateWithoutCredentialsRedirectsToDashboard(): void
+    public function testLoginHidesKeycloakAffordanceWhenDisabled(): void
     {
-        $response = $this->requestAdmin('POST', '/authenticate');
+        $this->overrideConfigurationValues([
+            'keycloak.enable' => false,
+        ], 'admin');
+
+        $response = $this->requestAdminGuest('GET', '/login');
 
-        self::assertResponseStatusCodeSame(302, $response);
-        self::assertRedirectLocationContains('./', $response);
+        self::assertResponseIsSuccessful($response);
+        self::assertDoesNotMatchRegularExpression(
+            '/href="[^"]*auth\/keycloak\/authorize"/',
+            (string) $response->getContent(),
+        );
+        self::assertStringNotContainsString('Sign in with Keycloak', (string) $response->getContent());
     }
 }
diff --git a/tests/phpMyFAQ/Controller/Administration/ConfigurationControllerWebTest.php b/tests/phpMyFAQ/Controller/Administration/ConfigurationControllerWebTest.php
index 7c50276765..0879b53469 100644
--- a/tests/phpMyFAQ/Controller/Administration/ConfigurationControllerWebTest.php
+++ b/tests/phpMyFAQ/Controller/Administration/ConfigurationControllerWebTest.php
@@ -21,5 +21,6 @@ public function testConfigurationPageRenders(): void
         self::assertResponseIsSuccessful($response);
         self::assertResponseContains('id="save-configuration"', $response);
         self::assertResponseContains('href="#oauth2"', $response);
+        self::assertResponseContains('href="#keycloak"', $response);
     }
 }
diff --git a/tests/phpMyFAQ/Controller/Frontend/AuthenticationControllerTest.php b/tests/phpMyFAQ/Controller/Frontend/AuthenticationControllerTest.php
index c924bcc933..110c12ab3b 100644
--- a/tests/phpMyFAQ/Controller/Frontend/AuthenticationControllerTest.php
+++ b/tests/phpMyFAQ/Controller/Frontend/AuthenticationControllerTest.php
@@ -121,6 +121,25 @@ public function testLoginRendersFlashErrorMessage(): void
         self::assertStringContainsString('Wrong username or password.', (string) $response->getContent());
     }
 
+    /**
+     * @throws \Exception
+     */
+    public function testLoginRendersKeycloakSignInButtonWhenEnabled(): void
+    {
+        $controller = $this->createController();
+        $controller->setContainer($this->createControllerContainer(
+            new Session(new MockArraySessionStorage()),
+            $this->createLoggedOutCurrentUser(),
+            ['keycloak.enable' => true],
+        ));
+
+        $response = $controller->login(new Request());
+
+        self::assertSame(Response::HTTP_OK, $response->getStatusCode());
+        self::assertStringContainsString('./auth/keycloak/authorize', (string) $response->getContent());
+        self::assertStringContainsString('Sign in with Keycloak', (string) $response->getContent());
+    }
+
     /**
      * @throws \Exception
      */
@@ -198,6 +217,31 @@ public function testLogoutReturnsDefaultRedirectWhenUserIsLoggedOutWithValidCsrf
         self::assertSame($this->configuration->getDefaultUrl(), $response->getTargetUrl());
     }
 
+    /**
+     * @throws \Exception
+     */
+    public function testLogoutRedirectsToKeycloakLogoutWhenKeycloakUserLogsOut(): void
+    {
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+        Token::resetInstanceForTests();
+        $token = Token::getInstance($session)->getTokenString('logout');
+        $_COOKIE['pmf-csrf-token-' . substr(md5('logout'), 0, 10)] = $token;
+
+        $currentUser = $this->createLoggedInCurrentUser('keycloak');
+        $currentUser->expects(self::once())->method('deleteFromSession')->with(true);
+
+        $controller = $this->createController();
+        $controller->setContainer($this->createControllerContainer($session, $currentUser, [
+            'keycloak.enable' => true,
+        ]));
+
+        $response = $controller->logout(new Request(['csrf' => $token]));
+
+        self::assertSame($this->configuration->getDefaultUrl() . 'auth/keycloak/logout', $response->getTargetUrl());
+        self::assertNotEmpty($session->getFlashBag()->get('success'));
+    }
+
     /**
      * @throws \Exception
      */
diff --git a/tests/phpMyFAQ/Controller/Frontend/AuthenticationControllerWebTest.php b/tests/phpMyFAQ/Controller/Frontend/AuthenticationControllerWebTest.php
index 4a7e875d0e..41ebc8a45a 100644
--- a/tests/phpMyFAQ/Controller/Frontend/AuthenticationControllerWebTest.php
+++ b/tests/phpMyFAQ/Controller/Frontend/AuthenticationControllerWebTest.php
@@ -56,20 +56,48 @@
 #[UsesClass(\phpMyFAQ\User\UserSession::class)]
 final class AuthenticationControllerWebTest extends ControllerWebTestCase
 {
-    public function testLoginPageShowsRegistrationAndPasskeyActionsWhenEnabled(): void
+    public function testLoginPageShowsRegistrationActionWhenEnabled(): void
     {
         $this->getConfiguration()->getAll();
         $this->overrideConfigurationValues([
             'main.enableUserTracking' => false,
             'security.enableRegistration' => true,
-            'security.enableWebAuthnSupport' => true,
         ]);
 
         $response = $this->requestPublic('GET', '/login');
 
         self::assertResponseIsSuccessful($response);
         self::assertResponseContains('href="user/register"', $response);
-        self::assertResponseContains('./services/webauthn', $response);
+    }
+
+    public function testLoginPageShowsKeycloakSignInWhenEnabled(): void
+    {
+        $this->getConfiguration()->getAll();
+        $this->overrideConfigurationValues([
+            'main.enableUserTracking' => false,
+            'keycloak.enable' => true,
+        ]);
+
+        $response = $this->requestPublic('GET', '/login');
+
+        self::assertResponseIsSuccessful($response);
+        self::assertResponseContains('./auth/keycloak/authorize', $response);
+        self::assertResponseContains('Sign in with Keycloak', $response);
+    }
+
+    public function testLoginPageHidesKeycloakSignInWhenDisabled(): void
+    {
+        $this->getConfiguration()->getAll();
+        $this->overrideConfigurationValues([
+            'main.enableUserTracking' => false,
+            'keycloak.enable' => false,
+        ]);
+
+        $response = $this->requestPublic('GET', '/login');
+
+        self::assertResponseIsSuccessful($response);
+        self::assertStringNotContainsString('./auth/keycloak/authorize', $response->getContent());
+        self::assertStringNotContainsString('Sign in with Keycloak', $response->getContent());
     }
 
     public function testLoginRedirectsToAuthenticateWhenSsoUserIsPresent(): void
diff --git a/tests/phpMyFAQ/Controller/Frontend/AzureAuthenticationControllerTest.php b/tests/phpMyFAQ/Controller/Frontend/AzureAuthenticationControllerTest.php
index 80bfc9b576..013a5ee74d 100644
--- a/tests/phpMyFAQ/Controller/Frontend/AzureAuthenticationControllerTest.php
+++ b/tests/phpMyFAQ/Controller/Frontend/AzureAuthenticationControllerTest.php
@@ -133,8 +133,8 @@ public function testCallbackReturnsErrorResponseWhenProviderErrorIsSet(): void
         $request = new Request(['error_description' => 'Denied by provider']);
         $response = $controller->callback($request);
 
-        $this->assertInstanceOf(Response::class, $response);
-        $this->assertSame('Denied by provider', $response->getContent());
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame($this->configuration->getDefaultUrl(), $response->headers->get('Location'));
     }
 
     /**
diff --git a/tests/phpMyFAQ/Controller/Frontend/KeycloakAuthenticationControllerTest.php b/tests/phpMyFAQ/Controller/Frontend/KeycloakAuthenticationControllerTest.php
new file mode 100644
index 0000000000..03dca1a8b5
--- /dev/null
+++ b/tests/phpMyFAQ/Controller/Frontend/KeycloakAuthenticationControllerTest.php
@@ -0,0 +1,715 @@
+<?php
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Controller\Frontend;
+
+use OpenSSLAsymmetricKey;
+use phpMyFAQ\Auth\Keycloak\KeycloakProviderConfigFactory;
+use phpMyFAQ\Auth\Oidc\OidcClient;
+use phpMyFAQ\Auth\Oidc\OidcDiscoveryService;
+use phpMyFAQ\Auth\Oidc\OidcIdTokenValidator;
+use phpMyFAQ\Auth\Oidc\OidcPkceGenerator;
+use phpMyFAQ\Auth\Oidc\OidcSession;
+use phpMyFAQ\Configuration;
+use phpMyFAQ\Core\Exception as CoreException;
+use phpMyFAQ\Database\Sqlite3;
+use phpMyFAQ\Strings;
+use phpMyFAQ\Translation;
+use phpMyFAQ\User;
+use phpMyFAQ\User\CurrentUser;
+use PHPUnit\Framework\Attributes\AllowMockObjectsWithoutExpectations;
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\UsesClass;
+use PHPUnit\Framework\Attributes\UsesNamespace;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpClient\MockHttpClient;
+use Symfony\Component\HttpClient\Response\MockResponse;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
+
+#[AllowMockObjectsWithoutExpectations]
+#[CoversClass(KeycloakAuthenticationController::class)]
+#[UsesClass(OidcIdTokenValidator::class)]
+#[UsesNamespace('phpMyFAQ')]
+final class KeycloakAuthenticationControllerTest extends TestCase
+{
+    private Configuration $configuration;
+    private OpenSSLAsymmetricKey $privateKey;
+
+    /** @var array<string, mixed> */
+    private array $jwk;
+
+    /**
+     * @throws CoreException
+     */
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        Strings::init('en');
+        Translation::create()
+            ->setTranslationsDir(PMF_TRANSLATION_DIR)
+            ->setDefaultLanguage('en')
+            ->setCurrentLanguage('en')
+            ->setMultiByteLanguage();
+
+        try {
+            $this->configuration = Configuration::getConfigurationInstance();
+        } catch (\TypeError) {
+            $dbHandle = new Sqlite3();
+            $dbHandle->connect(PMF_TEST_DIR . '/test.db', '', '');
+            $this->configuration = new Configuration($dbHandle);
+        }
+
+        $reflection = new \ReflectionClass(Configuration::class);
+        $property = $reflection->getProperty('config');
+        /** @var array<string, mixed> $config */
+        $config = $property->getValue($this->configuration);
+        $config['keycloak.enable'] = 'true';
+        $config['keycloak.baseUrl'] = 'https://sso.example.test';
+        $config['keycloak.realm'] = 'phpmyfaq';
+        $config['keycloak.clientId'] = 'phpmyfaq';
+        $config['keycloak.clientSecret'] = 'secret';
+        $config['keycloak.redirectUri'] = 'https://faq.example.test/auth/keycloak/callback';
+        $config['keycloak.scopes'] = 'openid profile email';
+        $config['keycloak.autoProvision'] = 'true';
+        $config['keycloak.logoutRedirectUrl'] = 'https://faq.example.test/';
+        $property->setValue($this->configuration, $config);
+
+        set_error_handler(static fn(): bool => true);
+        try {
+            $privateKey = openssl_pkey_new([
+                'private_key_type' => OPENSSL_KEYTYPE_RSA,
+                'private_key_bits' => 2048,
+            ]);
+        } finally {
+            restore_error_handler();
+        }
+
+        self::assertInstanceOf(OpenSSLAsymmetricKey::class, $privateKey);
+        $details = openssl_pkey_get_details($privateKey);
+        self::assertIsArray($details);
+        self::assertIsArray($details['rsa'] ?? null);
+
+        $this->privateKey = $privateKey;
+        $this->jwk = [
+            'kty' => 'RSA',
+            'kid' => 'test-key',
+            'alg' => 'RS256',
+            'use' => 'sig',
+            'n' => $this->base64UrlEncode($details['rsa']['n']),
+            'e' => $this->base64UrlEncode($details['rsa']['e']),
+        ];
+    }
+
+    public function testAuthorizeReturnsRedirectResponse(): void
+    {
+        $controller = $this->createController([
+            new MockResponse(
+                '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+            ),
+        ]);
+
+        $response = $controller->authorize();
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertStringStartsWith('https://sso.example.test/auth?', (string) $response->headers->get('Location'));
+        $this->assertStringContainsString('client_id=phpmyfaq', (string) $response->headers->get('Location'));
+    }
+
+    public function testLogoutReturnsProviderLogoutResponse(): void
+    {
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+        $oidcSession = new OidcSession($session);
+        $oidcSession->setIdToken('session-id-token');
+
+        $currentUser = $this->createMock(CurrentUser::class);
+        $currentUser->expects($this->never())->method('getUserData');
+        $currentUser->expects($this->once())->method('deleteFromSession');
+
+        $controller = $this->createController(
+            [
+                new MockResponse(
+                    '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+                ),
+            ],
+            $oidcSession,
+            static fn(): CurrentUser => $currentUser,
+        );
+
+        $response = $controller->logout();
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame(
+            'https://sso.example.test/logout?client_id=phpmyfaq&post_logout_redirect_uri=https%3A%2F%2Ffaq.example.test%2F&id_token_hint=session-id-token',
+            $response->headers->get('Location'),
+        );
+        $this->assertSame('', $oidcSession->getIdToken());
+    }
+
+    public function testLogoutClearsLocalSessionWhenProviderIsDisabled(): void
+    {
+        $reflection = new \ReflectionClass(Configuration::class);
+        $property = $reflection->getProperty('config');
+        /** @var array<string, mixed> $config */
+        $config = $property->getValue($this->configuration);
+        $previousEnable = $config['keycloak.enable'] ?? null;
+        $config['keycloak.enable'] = 'false';
+        $property->setValue($this->configuration, $config);
+
+        try {
+            $session = new Session(new MockArraySessionStorage());
+            $session->start();
+            $oidcSession = new OidcSession($session);
+            $oidcSession->setIdToken('session-id-token');
+
+            $currentUser = $this->createMock(CurrentUser::class);
+            $currentUser->expects($this->once())->method('deleteFromSession');
+
+            $controller = $this->createController([], $oidcSession, static fn(): CurrentUser => $currentUser);
+
+            $response = $controller->logout();
+
+            $this->assertInstanceOf(RedirectResponse::class, $response);
+            $this->assertSame($this->configuration->getDefaultUrl(), $response->headers->get('Location'));
+            $this->assertSame('', $oidcSession->getIdToken());
+        } finally {
+            /** @var array<string, mixed> $restoredConfig */
+            $restoredConfig = $property->getValue($this->configuration);
+            if ($previousEnable === null) {
+                unset($restoredConfig['keycloak.enable']);
+            } else {
+                $restoredConfig['keycloak.enable'] = $previousEnable;
+            }
+            $property->setValue($this->configuration, $restoredConfig);
+        }
+    }
+
+    public function testLogoutFallsBackToPersistedJwtIdToken(): void
+    {
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+        $oidcSession = new OidcSession($session);
+
+        $currentUser = $this->createMock(CurrentUser::class);
+        $currentUser
+            ->expects($this->once())
+            ->method('getUserData')
+            ->with('jwt')
+            ->willReturn('{"id_token":"persisted-id-token","userinfo":{"sub":"123"}}');
+        $currentUser->expects($this->once())->method('deleteFromSession');
+
+        $controller = $this->createController(
+            [
+                new MockResponse(
+                    '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+                ),
+            ],
+            $oidcSession,
+            static fn(): CurrentUser => $currentUser,
+        );
+
+        $response = $controller->logout();
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame(
+            'https://sso.example.test/logout?client_id=phpmyfaq&post_logout_redirect_uri=https%3A%2F%2Ffaq.example.test%2F&id_token_hint=persisted-id-token',
+            $response->headers->get('Location'),
+        );
+    }
+
+    /**
+     * @throws \Exception
+     */
+    public function testCallbackReturnsErrorResponseWhenProviderErrorIsSet(): void
+    {
+        $controller = $this->createController();
+
+        $response = $controller->callback(new Request(['error_description' => 'Denied by provider']));
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame($this->configuration->getDefaultUrl(), $response->headers->get('Location'));
+    }
+
+    public function testCallbackStoresUserSessionDataOnSuccessfulLogin(): void
+    {
+        $idToken = $this->signToken([
+            'iss' => 'https://sso.example.test/realms/phpmyfaq',
+            'sub' => '123',
+            'aud' => ['phpmyfaq'],
+            'azp' => 'phpmyfaq',
+            'nonce' => 'nonce-456',
+            'iat' => time(),
+            'exp' => time() + 300,
+        ]);
+
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+        $oidcSession = new OidcSession($session);
+        $oidcSession->setAuthorizationState('state-123', 'nonce-456', 'verifier-789');
+
+        $currentUser = $this->createMock(CurrentUser::class);
+        $currentUser->expects($this->once())->method('getUserByLogin')->with('john')->willReturn(true);
+        $currentUser->expects($this->once())->method('getUserData')->with('keycloak_sub')->willReturn('');
+        $currentUser->expects($this->once())->method('setUserData')->with(['keycloak_sub' => '123'])->willReturn(true);
+        $currentUser->expects($this->once())->method('setLoggedIn')->with(true);
+        $currentUser->expects($this->once())->method('setAuthSource')->with('keycloak');
+        $currentUser->expects($this->once())->method('updateSessionId')->with(true);
+        $currentUser->expects($this->once())->method('saveToSession');
+        $currentUser
+            ->expects($this->once())
+            ->method('setTokenData')
+            ->with([
+                'refresh_token' => 'refresh',
+                'access_token' => 'access',
+                'code_verifier' => 'verifier-789',
+                'jwt' => [
+                    'id_token' => $idToken,
+                    'userinfo' => [
+                        'sub' => '123',
+                        'preferred_username' => 'john',
+                        'email' => 'john@example.com',
+                        'name' => 'John Doe',
+                    ],
+                ],
+            ]);
+        $currentUser->expects($this->once())->method('setSuccess')->with(true);
+
+        $authUser = $this->createMock(User::class);
+        $authUser->expects($this->exactly(2))->method('getUserByLogin')->with('john', false)->willReturn(true);
+
+        $controller = $this->createController(
+            [
+                new MockResponse(
+                    '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+                ),
+                new MockResponse('{"access_token":"access","refresh_token":"refresh","id_token":"' . $idToken . '"}'),
+                new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
+                new MockResponse(
+                    '{"sub":"123","preferred_username":"john","email":"john@example.com","name":"John Doe"}',
+                ),
+            ],
+            $oidcSession,
+            static fn(): CurrentUser => $currentUser,
+            static fn(): User => $authUser,
+        );
+
+        $response = $controller->callback(new Request([
+            'code' => 'test-code',
+            'state' => 'state-123',
+        ]));
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame($this->configuration->getDefaultUrl(), $response->headers->get('Location'));
+        $this->assertSame('', $oidcSession->getAuthorizationState()['state']);
+        $this->assertSame($idToken, $oidcSession->getIdToken());
+    }
+
+    public function testCallbackResolvesLocalLoginFromStoredKeycloakSubject(): void
+    {
+        $idToken = $this->signToken([
+            'iss' => 'https://sso.example.test/realms/phpmyfaq',
+            'sub' => 'subject-123',
+            'aud' => ['phpmyfaq'],
+            'azp' => 'phpmyfaq',
+            'nonce' => 'nonce-456',
+            'iat' => time(),
+            'exp' => time() + 300,
+        ]);
+
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+        $oidcSession = new OidcSession($session);
+        $oidcSession->setAuthorizationState('state-123', 'nonce-456', 'verifier-789');
+
+        $resolverUser = $this->createMock(User::class);
+        $resolverUser->expects($this->once())->method('getUserIdByKeycloakSub')->with('subject-123')->willReturn(55);
+        $resolverUser->expects($this->once())->method('getUserById')->with(55)->willReturn(true);
+        $resolverUser->expects($this->once())->method('getLogin')->willReturn('linked-user');
+        $resolverUser->expects($this->once())->method('getUserByLogin')->with('linked-user', false)->willReturn(true);
+
+        $currentUser = $this->createMock(CurrentUser::class);
+        $currentUser->expects($this->once())->method('getUserByLogin')->with('linked-user')->willReturn(true);
+        $currentUser->expects($this->once())->method('getUserData')->with('keycloak_sub')->willReturn('subject-123');
+        $currentUser->expects($this->once())->method('setLoggedIn')->with(true);
+        $currentUser->expects($this->once())->method('setAuthSource')->with('keycloak');
+        $currentUser->expects($this->once())->method('updateSessionId')->with(true);
+        $currentUser->expects($this->once())->method('saveToSession');
+        $currentUser->expects($this->never())->method('setUserData');
+        $currentUser->expects($this->once())->method('setTokenData');
+        $currentUser->expects($this->once())->method('setSuccess')->with(true);
+
+        $controller = $this->createController(
+            [
+                new MockResponse(
+                    '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+                ),
+                new MockResponse('{"access_token":"access","refresh_token":"refresh","id_token":"' . $idToken . '"}'),
+                new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
+                new MockResponse(
+                    '{"sub":"subject-123","preferred_username":"john","email":"john@example.com","name":"John Doe"}',
+                ),
+            ],
+            $oidcSession,
+            static fn(): CurrentUser => $currentUser,
+            static fn(): User => $resolverUser,
+        );
+
+        $response = $controller->callback(new Request([
+            'code' => 'test-code',
+            'state' => 'state-123',
+        ]));
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame($this->configuration->getDefaultUrl(), $response->headers->get('Location'));
+    }
+
+    public function testCallbackReturnsFailureWhenStoredKeycloakSubjectDoesNotMatch(): void
+    {
+        $idToken = $this->signToken([
+            'iss' => 'https://sso.example.test/realms/phpmyfaq',
+            'sub' => 'subject-123',
+            'aud' => ['phpmyfaq'],
+            'azp' => 'phpmyfaq',
+            'nonce' => 'nonce-456',
+            'iat' => time(),
+            'exp' => time() + 300,
+        ]);
+
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+        $oidcSession = new OidcSession($session);
+        $oidcSession->setAuthorizationState('state-123', 'nonce-456', 'verifier-789');
+
+        $currentUser = $this->createMock(CurrentUser::class);
+        $currentUser->expects($this->once())->method('getUserByLogin')->with('john')->willReturn(true);
+        $currentUser
+            ->expects($this->once())
+            ->method('getUserData')
+            ->with('keycloak_sub')
+            ->willReturn('different-subject');
+        $currentUser->expects($this->never())->method('setUserData');
+        $currentUser->expects($this->never())->method('setLoggedIn');
+        $currentUser->expects($this->never())->method('setAuthSource');
+        $currentUser->expects($this->never())->method('updateSessionId');
+        $currentUser->expects($this->never())->method('saveToSession');
+        $currentUser->expects($this->never())->method('setTokenData');
+        $currentUser->expects($this->never())->method('setSuccess');
+
+        $authUser = $this->createMock(User::class);
+        $authUser->expects($this->exactly(2))->method('getUserByLogin')->with('john', false)->willReturn(true);
+
+        $controller = $this->createController(
+            [
+                new MockResponse(
+                    '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+                ),
+                new MockResponse('{"access_token":"access","refresh_token":"refresh","id_token":"' . $idToken . '"}'),
+                new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
+                new MockResponse(
+                    '{"sub":"subject-123","preferred_username":"john","email":"john@example.com","name":"John Doe"}',
+                ),
+            ],
+            $oidcSession,
+            static fn(): CurrentUser => $currentUser,
+            static fn(): User => $authUser,
+        );
+
+        $response = $controller->callback(new Request([
+            'code' => 'test-code',
+            'state' => 'state-123',
+        ]));
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame($this->configuration->getDefaultUrl(), $response->headers->get('Location'));
+        $this->assertSame('', $oidcSession->getAuthorizationState()['state']);
+    }
+
+    public function testCallbackReturnsFailureWhenIdTokenSubjectDoesNotMatchUserInfoSubject(): void
+    {
+        $idToken = $this->signToken([
+            'iss' => 'https://sso.example.test/realms/phpmyfaq',
+            'sub' => 'id-token-subject',
+            'aud' => ['phpmyfaq'],
+            'azp' => 'phpmyfaq',
+            'nonce' => 'nonce-456',
+            'iat' => time(),
+            'exp' => time() + 300,
+        ]);
+
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+        $oidcSession = new OidcSession($session);
+        $oidcSession->setAuthorizationState('state-123', 'nonce-456', 'verifier-789');
+
+        $controller = $this->createController([
+            new MockResponse(
+                '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+            ),
+            new MockResponse('{"access_token":"access","refresh_token":"refresh","id_token":"' . $idToken . '"}'),
+            new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
+            new MockResponse(
+                '{"sub":"userinfo-subject","preferred_username":"john","email":"john@example.com","name":"John Doe"}',
+            ),
+        ], $oidcSession);
+
+        $response = $controller->callback(new Request([
+            'code' => 'test-code',
+            'state' => 'state-123',
+        ]));
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame($this->configuration->getDefaultUrl(), $response->headers->get('Location'));
+        $this->assertSame('', $oidcSession->getAuthorizationState()['state']);
+    }
+
+    public function testCallbackReturnsFailureWhenIdTokenIssuerDoesNotMatch(): void
+    {
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+        $oidcSession = new OidcSession($session);
+        $oidcSession->setAuthorizationState('state-123', 'nonce-456', 'verifier-789');
+
+        $controller = $this->createController([
+            new MockResponse(
+                '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+            ),
+            new MockResponse(
+                '{"access_token":"access","refresh_token":"refresh","id_token":"'
+                . $this->signToken([
+                    'iss' => 'https://issuer.invalid/realms/phpmyfaq',
+                    'aud' => ['phpmyfaq'],
+                    'azp' => 'phpmyfaq',
+                    'nonce' => 'nonce-456',
+                    'exp' => time() + 300,
+                ])
+                . '"}',
+            ),
+            new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
+        ], $oidcSession);
+
+        $response = $controller->callback(new Request([
+            'code' => 'test-code',
+            'state' => 'state-123',
+        ]));
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame($this->configuration->getDefaultUrl(), $response->headers->get('Location'));
+        $this->assertSame('', $oidcSession->getAuthorizationState()['state']);
+    }
+
+    public function testCallbackReturnsFailureWhenIdTokenAudienceDoesNotMatch(): void
+    {
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+        $oidcSession = new OidcSession($session);
+        $oidcSession->setAuthorizationState('state-123', 'nonce-456', 'verifier-789');
+
+        $controller = $this->createController([
+            new MockResponse(
+                '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+            ),
+            new MockResponse(
+                '{"access_token":"access","refresh_token":"refresh","id_token":"'
+                . $this->signToken([
+                    'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                    'aud' => ['different-client'],
+                    'azp' => 'different-client',
+                    'nonce' => 'nonce-456',
+                    'exp' => time() + 300,
+                ])
+                . '"}',
+            ),
+            new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
+        ], $oidcSession);
+
+        $response = $controller->callback(new Request([
+            'code' => 'test-code',
+            'state' => 'state-123',
+        ]));
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame($this->configuration->getDefaultUrl(), $response->headers->get('Location'));
+        $this->assertSame('', $oidcSession->getAuthorizationState()['state']);
+    }
+
+    public function testCallbackReturnsFailureWhenIdTokenNonceDoesNotMatch(): void
+    {
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+        $oidcSession = new OidcSession($session);
+        $oidcSession->setAuthorizationState('state-123', 'nonce-456', 'verifier-789');
+
+        $controller = $this->createController([
+            new MockResponse(
+                '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+            ),
+            new MockResponse(
+                '{"access_token":"access","refresh_token":"refresh","id_token":"'
+                . $this->signToken([
+                    'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                    'aud' => ['phpmyfaq'],
+                    'azp' => 'phpmyfaq',
+                    'nonce' => 'unexpected-nonce',
+                    'exp' => time() + 300,
+                ])
+                . '"}',
+            ),
+            new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
+        ], $oidcSession);
+
+        $response = $controller->callback(new Request([
+            'code' => 'test-code',
+            'state' => 'state-123',
+        ]));
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame($this->configuration->getDefaultUrl(), $response->headers->get('Location'));
+        $this->assertSame('', $oidcSession->getAuthorizationState()['state']);
+    }
+
+    public function testCallbackReturnsFailureWhenIdTokenAuthorizedPartyDoesNotMatch(): void
+    {
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+        $oidcSession = new OidcSession($session);
+        $oidcSession->setAuthorizationState('state-123', 'nonce-456', 'verifier-789');
+
+        $controller = $this->createController([
+            new MockResponse(
+                '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+            ),
+            new MockResponse(
+                '{"access_token":"access","refresh_token":"refresh","id_token":"'
+                . $this->signToken([
+                    'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                    'aud' => ['phpmyfaq', 'account'],
+                    'azp' => 'different-client',
+                    'nonce' => 'nonce-456',
+                    'exp' => time() + 300,
+                ])
+                . '"}',
+            ),
+            new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
+        ], $oidcSession);
+
+        $response = $controller->callback(new Request([
+            'code' => 'test-code',
+            'state' => 'state-123',
+        ]));
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame($this->configuration->getDefaultUrl(), $response->headers->get('Location'));
+        $this->assertSame('', $oidcSession->getAuthorizationState()['state']);
+    }
+
+    public function testCallbackReturnsFailureWhenIdTokenAuthorizedPartyIsMissingForMultipleAudiences(): void
+    {
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+        $oidcSession = new OidcSession($session);
+        $oidcSession->setAuthorizationState('state-123', 'nonce-456', 'verifier-789');
+
+        $controller = $this->createController([
+            new MockResponse(
+                '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+            ),
+            new MockResponse(
+                '{"access_token":"access","refresh_token":"refresh","id_token":"'
+                . $this->signToken([
+                    'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                    'aud' => ['phpmyfaq', 'account'],
+                    'nonce' => 'nonce-456',
+                    'exp' => time() + 300,
+                ])
+                . '"}',
+            ),
+            new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
+        ], $oidcSession);
+
+        $response = $controller->callback(new Request([
+            'code' => 'test-code',
+            'state' => 'state-123',
+        ]));
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame($this->configuration->getDefaultUrl(), $response->headers->get('Location'));
+        $this->assertSame('', $oidcSession->getAuthorizationState()['state']);
+    }
+
+    public function testCallbackReturnsDefaultRedirectWhenStateDoesNotMatch(): void
+    {
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+        $oidcSession = new OidcSession($session);
+        $oidcSession->setAuthorizationState('expected-state', 'nonce-456', 'verifier-789');
+
+        $controller = $this->createController([], $oidcSession);
+        $response = $controller->callback(new Request([
+            'code' => 'test-code',
+            'state' => 'different-state',
+        ]));
+
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame($this->configuration->getDefaultUrl(), $response->headers->get('Location'));
+        $this->assertSame('', $oidcSession->getAuthorizationState()['state']);
+    }
+
+    /**
+     * @param list<MockResponse> $responses
+     */
+    private function createController(
+        array $responses = [],
+        ?OidcSession $oidcSession = null,
+        ?\Closure $currentUserFactory = null,
+        ?\Closure $userFactory = null,
+    ): KeycloakAuthenticationController {
+        $httpClient = new MockHttpClient($responses);
+        $session = new Session(new MockArraySessionStorage());
+        $session->start();
+
+        $controller = new KeycloakAuthenticationController(
+            new KeycloakProviderConfigFactory($this->configuration),
+            new OidcDiscoveryService($httpClient),
+            new OidcPkceGenerator(),
+            $oidcSession ?? new OidcSession($session),
+            new OidcClient($httpClient),
+            new OidcIdTokenValidator($httpClient),
+        );
+
+        $controller->setCurrentUserFactory($currentUserFactory);
+        $controller->setUserFactory($userFactory);
+
+        return $controller;
+    }
+
+    /**
+     * @param array<string, mixed> $claims
+     */
+    private function signToken(array $claims): string
+    {
+        $header = [
+            'alg' => 'RS256',
+            'typ' => 'JWT',
+            'kid' => 'test-key',
+        ];
+
+        $encodedHeader = $this->base64UrlEncode(json_encode($header, JSON_THROW_ON_ERROR));
+        $encodedPayload = $this->base64UrlEncode(json_encode($claims, JSON_THROW_ON_ERROR));
+        $signingInput = $encodedHeader . '.' . $encodedPayload;
+
+        $signature = '';
+        openssl_sign($signingInput, $signature, $this->privateKey, OPENSSL_ALGO_SHA256);
+
+        return $signingInput . '.' . $this->base64UrlEncode($signature);
+    }
+
+    private function base64UrlEncode(string $value): string
+    {
+        return rtrim(strtr(base64_encode($value), '+/', '-_'), '=');
+    }
+}
diff --git a/tests/phpMyFAQ/Controller/Frontend/KeycloakAuthenticationControllerWebTest.php b/tests/phpMyFAQ/Controller/Frontend/KeycloakAuthenticationControllerWebTest.php
new file mode 100644
index 0000000000..1c12b11536
--- /dev/null
+++ b/tests/phpMyFAQ/Controller/Frontend/KeycloakAuthenticationControllerWebTest.php
@@ -0,0 +1,285 @@
+<?php
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Controller\Frontend;
+
+use OpenSSLAsymmetricKey;
+use phpMyFAQ\Auth\Oidc\OidcClient;
+use phpMyFAQ\Auth\Oidc\OidcDiscoveryService;
+use phpMyFAQ\Auth\Oidc\OidcIdTokenValidator;
+use phpMyFAQ\Functional\ControllerWebTestCase;
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\UsesClass;
+use PHPUnit\Framework\Attributes\UsesNamespace;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+use Symfony\Component\HttpClient\MockHttpClient;
+use Symfony\Component\HttpClient\Response\MockResponse;
+use Symfony\Component\HttpFoundation\Response;
+
+#[CoversClass(KeycloakAuthenticationController::class)]
+#[UsesNamespace('phpMyFAQ')]
+#[UsesClass(AbstractFrontController::class)]
+final class KeycloakAuthenticationControllerWebTest extends ControllerWebTestCase
+{
+    private OpenSSLAsymmetricKey $privateKey;
+
+    /** @var array<string, mixed> */
+    private array $jwk;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        set_error_handler(static fn(): bool => true);
+        try {
+            $privateKey = openssl_pkey_new([
+                'private_key_type' => OPENSSL_KEYTYPE_RSA,
+                'private_key_bits' => 2048,
+            ]);
+        } finally {
+            restore_error_handler();
+        }
+
+        self::assertInstanceOf(OpenSSLAsymmetricKey::class, $privateKey);
+        $details = openssl_pkey_get_details($privateKey);
+        self::assertIsArray($details);
+        self::assertIsArray($details['rsa'] ?? null);
+
+        $this->privateKey = $privateKey;
+        $this->jwk = [
+            'kty' => 'RSA',
+            'kid' => 'test-key',
+            'alg' => 'RS256',
+            'use' => 'sig',
+            'n' => $this->base64UrlEncode($details['rsa']['n']),
+            'e' => $this->base64UrlEncode($details['rsa']['e']),
+        ];
+    }
+
+    public function testCallbackCompletesSuccessfulLoginFlowWithMockedProviderResponses(): void
+    {
+        $configuration = $this->getConfiguration();
+        $this->overrideConfigurationValues([
+            'keycloak.enable' => true,
+            'keycloak.baseUrl' => 'https://sso.example.test',
+            'keycloak.realm' => 'phpmyfaq',
+            'keycloak.clientId' => 'phpmyfaq',
+            'keycloak.clientSecret' => 'secret',
+            'keycloak.redirectUri' => 'https://localhost/auth/keycloak/callback',
+            'keycloak.scopes' => 'openid profile email',
+            'keycloak.autoProvision' => false,
+        ]);
+
+        $container = self::$kernel?->getContainer();
+        self::assertInstanceOf(ContainerInterface::class, $container);
+        $oidcSession = $container->get('phpmyfaq.auth.oidc.session');
+        self::assertInstanceOf(\phpMyFAQ\Auth\Oidc\OidcSession::class, $oidcSession);
+
+        $idToken = $this->signToken([
+            'iss' => 'https://sso.example.test/realms/phpmyfaq',
+            'sub' => 'subject-123',
+            'aud' => 'phpmyfaq',
+            'azp' => 'phpmyfaq',
+            'iat' => time(),
+            'exp' => time() + 300,
+        ]);
+        $expectedNonce = '';
+        $expectedVerifier = '';
+
+        $responseIndex = 0;
+        $httpClient = new MockHttpClient(function (string $method, string $url, array $options) use (
+            &$responseIndex,
+            &$idToken,
+            &$expectedNonce,
+            &$expectedVerifier,
+        ): MockResponse {
+            $responseIndex++;
+
+            $expectedMethod = match ($responseIndex) {
+                3 => 'POST',
+                default => 'GET',
+            };
+            self::assertSame($expectedMethod, $method, sprintf('Unexpected HTTP method for call #%d', $responseIndex));
+
+            return match ($responseIndex) {
+                1, 2 => new MockResponse(
+                    '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+                ),
+                3 => (function () use ($options, &$idToken, &$expectedNonce, &$expectedVerifier): MockResponse {
+                    parse_str((string) ($options['body'] ?? ''), $body);
+                    self::assertSame($expectedVerifier, $body['code_verifier'] ?? '');
+                    self::assertSame('auth-code', $body['code'] ?? '');
+
+                    $idToken = $this->signToken([
+                        'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                        'sub' => 'subject-123',
+                        'aud' => 'phpmyfaq',
+                        'azp' => 'phpmyfaq',
+                        'nonce' => $expectedNonce,
+                        'iat' => time(),
+                        'exp' => time() + 300,
+                    ]);
+
+                    return new MockResponse(
+                        '{"access_token":"access-token","refresh_token":"refresh-token","id_token":"' . $idToken . '"}',
+                    );
+                })(),
+                4 => new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
+                5 => new MockResponse(
+                    '{"sub":"subject-123","preferred_username":"admin","email":"admin@example.com","name":"Admin User"}',
+                ),
+                default => throw new \RuntimeException('Unexpected HTTP call in callback test: ' . $url),
+            };
+        });
+
+        $container->set('phpmyfaq.http-client', $httpClient);
+        $container->set('phpmyfaq.auth.oidc.client', new OidcClient($httpClient));
+        $container->set('phpmyfaq.auth.oidc.discovery-service', new OidcDiscoveryService($httpClient));
+        $container->set('phpmyfaq.auth.oidc.id-token-validator', new OidcIdTokenValidator($httpClient));
+
+        $authorizeResponse = $this->requestPublic('GET', '/auth/keycloak/authorize');
+        self::assertResponseStatusCodeSame(Response::HTTP_FOUND, $authorizeResponse);
+
+        parse_str(
+            (string) parse_url((string) $authorizeResponse->headers->get('Location'), PHP_URL_QUERY),
+            $authorizeQuery,
+        );
+        $authorizationState = $oidcSession->getAuthorizationState();
+        $expectedNonce = $authorizationState['nonce'];
+        $expectedVerifier = $authorizationState['verifier'];
+
+        $response = $this->requestPublic('GET', '/auth/keycloak/callback', [
+            'code' => 'auth-code',
+            'state' => (string) ($authorizeQuery['state'] ?? ''),
+        ]);
+
+        self::assertResponseStatusCodeSame(302, $response);
+        self::assertSame($configuration->getDefaultUrl(), $response->headers->get('Location'));
+        self::assertNotSame('', $idToken);
+    }
+
+    public function testLogoutBuildsProviderRedirectWithSessionIdToken(): void
+    {
+        $configuration = $this->getConfiguration();
+        $this->overrideConfigurationValues([
+            'keycloak.enable' => true,
+            'keycloak.baseUrl' => 'https://sso.example.test',
+            'keycloak.realm' => 'phpmyfaq',
+            'keycloak.clientId' => 'phpmyfaq',
+            'keycloak.clientSecret' => 'secret',
+            'keycloak.redirectUri' => 'https://localhost/auth/keycloak/callback',
+            'keycloak.logoutRedirectUrl' => 'https://localhost/',
+        ]);
+
+        $container = self::$kernel?->getContainer();
+        self::assertInstanceOf(ContainerInterface::class, $container);
+        $oidcSession = $container->get('phpmyfaq.auth.oidc.session');
+        self::assertInstanceOf(\phpMyFAQ\Auth\Oidc\OidcSession::class, $oidcSession);
+        $expectedNonce = '';
+        $expectedVerifier = '';
+
+        $responseIndex = 0;
+        $httpClient = new MockHttpClient(function (string $method, string $url, array $options) use (
+            &$responseIndex,
+            &$expectedNonce,
+            &$expectedVerifier,
+        ): MockResponse {
+            $responseIndex++;
+
+            $expectedMethod = match ($responseIndex) {
+                3 => 'POST',
+                default => 'GET',
+            };
+            self::assertSame($expectedMethod, $method, sprintf('Unexpected HTTP method for call #%d', $responseIndex));
+
+            return match ($responseIndex) {
+                1, 2, 6 => new MockResponse(
+                    '{"issuer":"https://sso.example.test/realms/phpmyfaq","authorization_endpoint":"https://sso.example.test/auth","token_endpoint":"https://sso.example.test/token","userinfo_endpoint":"https://sso.example.test/userinfo","jwks_uri":"https://sso.example.test/jwks","end_session_endpoint":"https://sso.example.test/logout"}',
+                ),
+                3 => (function () use ($options, &$expectedNonce, &$expectedVerifier): MockResponse {
+                    parse_str((string) ($options['body'] ?? ''), $body);
+                    self::assertSame($expectedVerifier, $body['code_verifier'] ?? '');
+
+                    $idToken = $this->signToken([
+                        'iss' => 'https://sso.example.test/realms/phpmyfaq',
+                        'sub' => 'subject-123',
+                        'aud' => 'phpmyfaq',
+                        'azp' => 'phpmyfaq',
+                        'nonce' => $expectedNonce,
+                        'iat' => time(),
+                        'exp' => time() + 300,
+                    ]);
+
+                    return new MockResponse(
+                        '{"access_token":"access-token","refresh_token":"refresh-token","id_token":"' . $idToken . '"}',
+                    );
+                })(),
+                4 => new MockResponse(json_encode(['keys' => [$this->jwk]], JSON_THROW_ON_ERROR)),
+                5 => new MockResponse(
+                    '{"sub":"subject-123","preferred_username":"admin","email":"admin@example.com","name":"Admin User"}',
+                ),
+                default => throw new \RuntimeException('Unexpected HTTP call in logout test: ' . $url),
+            };
+        });
+
+        $container->set('phpmyfaq.http-client', $httpClient);
+        $container->set('phpmyfaq.auth.oidc.client', new OidcClient($httpClient));
+        $container->set('phpmyfaq.auth.oidc.discovery-service', new OidcDiscoveryService($httpClient));
+        $container->set('phpmyfaq.auth.oidc.id-token-validator', new OidcIdTokenValidator($httpClient));
+
+        $authorizeResponse = $this->requestPublic('GET', '/auth/keycloak/authorize');
+        self::assertResponseStatusCodeSame(Response::HTTP_FOUND, $authorizeResponse);
+        parse_str(
+            (string) parse_url((string) $authorizeResponse->headers->get('Location'), PHP_URL_QUERY),
+            $authorizeQuery,
+        );
+        $authorizationState = $oidcSession->getAuthorizationState();
+        $expectedNonce = $authorizationState['nonce'];
+        $expectedVerifier = $authorizationState['verifier'];
+
+        $callbackResponse = $this->requestPublic('GET', '/auth/keycloak/callback', [
+            'code' => 'auth-code',
+            'state' => (string) ($authorizeQuery['state'] ?? ''),
+        ]);
+        self::assertResponseStatusCodeSame(Response::HTTP_FOUND, $callbackResponse);
+
+        $response = $this->requestPublic('GET', '/auth/keycloak/logout');
+
+        self::assertResponseStatusCodeSame(302, $response);
+        self::assertStringStartsWith('https://sso.example.test/logout?', (string) $response->headers->get('Location'));
+        self::assertStringContainsString('client_id=phpmyfaq', (string) $response->headers->get('Location'));
+        self::assertStringContainsString(
+            'post_logout_redirect_uri=https%3A%2F%2Flocalhost%2F',
+            (string) $response->headers->get('Location'),
+        );
+        self::assertStringContainsString('id_token_hint=', (string) $response->headers->get('Location'));
+        self::assertNotSame($configuration->getDefaultUrl(), $response->headers->get('Location'));
+    }
+
+    /**
+     * @param array<string, mixed> $claims
+     */
+    private function signToken(array $claims): string
+    {
+        $header = [
+            'alg' => 'RS256',
+            'typ' => 'JWT',
+            'kid' => 'test-key',
+        ];
+
+        $encodedHeader = $this->base64UrlEncode(json_encode($header, JSON_THROW_ON_ERROR));
+        $encodedPayload = $this->base64UrlEncode(json_encode($claims, JSON_THROW_ON_ERROR));
+        $signingInput = $encodedHeader . '.' . $encodedPayload;
+
+        $signature = '';
+        openssl_sign($signingInput, $signature, $this->privateKey, OPENSSL_ALGO_SHA256);
+
+        return $signingInput . '.' . $this->base64UrlEncode($signature);
+    }
+
+    private function base64UrlEncode(string $value): string
+    {
+        return rtrim(strtr(base64_encode($value), '+/', '-_'), '=');
+    }
+}
diff --git a/tests/phpMyFAQ/Functional/ControllerWebTestCase.php b/tests/phpMyFAQ/Functional/ControllerWebTestCase.php
index a57f499efa..e7f93e10e4 100644
--- a/tests/phpMyFAQ/Functional/ControllerWebTestCase.php
+++ b/tests/phpMyFAQ/Functional/ControllerWebTestCase.php
@@ -17,6 +17,9 @@ abstract class ControllerWebTestCase extends WebTestCase
     /** @var array<string, array{configuration: Configuration, values: array<string, mixed>}> */
     private array $originalConfigurations = [];
 
+    /** @var array<string, list<string>> */
+    private array $addedConfigurationKeys = [];
+
     protected function requestPublic(string $method, string $uri, array $parameters = [], array $server = []): Response
     {
         return $this->requestWithContext('public', $method, $uri, $parameters, $server);
@@ -88,7 +91,37 @@ protected function overrideConfigurationValues(array $values, string $context =
             ];
         }
 
-        $configProperty->setValue($configuration, array_merge($currentConfig, $values));
+        $this->addedConfigurationKeys[$context] ??= [];
+        $normalizedValues = [];
+        foreach ($values as $name => $value) {
+            $key = (string) $name;
+            $storedValue = $this->normalizeConfigurationValue($value);
+            $normalizedValues[$key] = $storedValue;
+            $existingValue = $configuration->get($key);
+            if ($existingValue === null) {
+                $configuration->add($key, $storedValue);
+                $this->addedConfigurationKeys[$context][] = $key;
+            } else {
+                $configuration->update([$key => $storedValue]);
+            }
+        }
+
+        $latestConfig = $configProperty->getValue($configuration);
+        self::assertIsArray($latestConfig);
+        $configProperty->setValue($configuration, array_merge($latestConfig, $normalizedValues));
+    }
+
+    private function normalizeConfigurationValue(mixed $value): string
+    {
+        if (is_bool($value)) {
+            return $value ? 'true' : 'false';
+        }
+
+        if (is_array($value)) {
+            return json_encode($value, JSON_THROW_ON_ERROR);
+        }
+
+        return (string) $value;
     }
 
     protected function getConfiguration(string $context = 'public'): Configuration
@@ -198,6 +231,8 @@ private function ensureClientForContext(string $context): HttpKernelBrowser
             $configuration = $container->get('phpmyfaq.configuration');
             self::assertInstanceOf(Configuration::class, $configuration);
 
+            $configuration->update(['main.referenceURL' => 'https://localhost/']);
+
             $reflection = new ReflectionClass(Configuration::class);
             $configProperty = $reflection->getProperty('config');
             $currentConfig = $configProperty->getValue($configuration);
@@ -212,14 +247,33 @@ private function ensureClientForContext(string $context): HttpKernelBrowser
 
     protected function tearDown(): void
     {
-        foreach ($this->originalConfigurations as $configurationSnapshot) {
+        foreach ($this->originalConfigurations as $context => $configurationSnapshot) {
             $configuration = $configurationSnapshot['configuration'];
+            $originalValues = $configurationSnapshot['values'];
             $reflection = new ReflectionClass(Configuration::class);
             $configProperty = $reflection->getProperty('config');
-            $configProperty->setValue($configuration, $configurationSnapshot['values']);
+
+            $addedKeys = $this->addedConfigurationKeys[$context] ?? [];
+            foreach ($addedKeys as $addedKey) {
+                $configuration->delete($addedKey);
+            }
+
+            $restore = [];
+            foreach ($originalValues as $name => $value) {
+                if (in_array($name, $addedKeys, true)) {
+                    continue;
+                }
+                $restore[$name] = $value;
+            }
+            if ($restore !== []) {
+                $configuration->update($restore);
+            }
+
+            $configProperty->setValue($configuration, $originalValues);
         }
 
         $this->originalConfigurations = [];
+        $this->addedConfigurationKeys = [];
         self::$activeContext = null;
         parent::tearDown();
     }
diff --git a/tests/phpMyFAQ/Permission/MediumPermissionRepositoryTest.php b/tests/phpMyFAQ/Permission/MediumPermissionRepositoryTest.php
index 3b1bb21502..5496682480 100644
--- a/tests/phpMyFAQ/Permission/MediumPermissionRepositoryTest.php
+++ b/tests/phpMyFAQ/Permission/MediumPermissionRepositoryTest.php
@@ -220,6 +220,13 @@ public function testRemoveFromAllGroups(): void
         $this->assertFalse($this->repository->removeFromAllGroups(-1));
     }
 
+    public function testRemoveFromGroup(): void
+    {
+        $this->assertFalse($this->repository->removeFromGroup(0, 1));
+        $this->assertFalse($this->repository->removeFromGroup(1, 0));
+        $this->assertFalse($this->repository->removeFromGroup(-1, -1));
+    }
+
     public function testRefuseAllGroupRights(): void
     {
         // Test with invalid group ID
diff --git a/tests/phpMyFAQ/Permission/MediumPermissionTest.php b/tests/phpMyFAQ/Permission/MediumPermissionTest.php
index 31c4397423..03aa572ea1 100644
--- a/tests/phpMyFAQ/Permission/MediumPermissionTest.php
+++ b/tests/phpMyFAQ/Permission/MediumPermissionTest.php
@@ -432,6 +432,24 @@ public function testRemoveFromAllGroups(): void
         $this->mediumPermission->deleteGroup(1);
     }
 
+    public function testRemoveFromGroup(): void
+    {
+        $this->assertFalse($this->mediumPermission->removeFromGroup(0, 0));
+
+        $groupData = [
+            'name' => 'TestGroup',
+            'description' => 'TestDescription',
+            'auto_join' => true,
+        ];
+        $this->mediumPermission->addGroup($groupData);
+        $this->mediumPermission->addToGroup(1, 1);
+
+        $this->assertTrue($this->mediumPermission->removeFromGroup(1, 1));
+
+        // Cleanup
+        $this->mediumPermission->deleteGroup(1);
+    }
+
     public function testRefuseAllGroupRights(): void
     {
         $this->assertFalse($this->mediumPermission->refuseAllGroupRights(0));
diff --git a/tests/phpMyFAQ/TranslationTest.php b/tests/phpMyFAQ/TranslationTest.php
index ae21154f30..fa77147276 100644
--- a/tests/phpMyFAQ/TranslationTest.php
+++ b/tests/phpMyFAQ/TranslationTest.php
@@ -39,6 +39,18 @@ class TranslationTest extends TestCase
             . "\$LANG_CONF['oauth2.accessTokenTTL'] = ['input', 'Access token TTL', 'ISO 8601 duration, e.g. PT1H'];\n"
             . "\$LANG_CONF['oauth2.refreshTokenTTL'] = ['input', 'Refresh token TTL', 'ISO 8601 duration, e.g. P1M'];\n"
             . "\$LANG_CONF['oauth2.authCodeTTL'] = ['input', 'Authorization code TTL', 'ISO 8601 duration, e.g. PT10M'];\n\n"
+            . "\$LANG_CONF['keycloak.enable'] = ['checkbox', 'Enable Keycloak sign-in'];\n"
+            . "\$LANG_CONF['keycloak.baseUrl'] = ['input', 'Keycloak base URL'];\n"
+            . "\$LANG_CONF['keycloak.realm'] = ['input', 'Realm'];\n"
+            . "\$LANG_CONF['keycloak.clientId'] = ['input', 'Client ID'];\n"
+            . "\$LANG_CONF['keycloak.clientSecret'] = ['password', 'Client secret'];\n"
+            . "\$LANG_CONF['keycloak.redirectUri'] = ['input', 'Redirect URI'];\n"
+            . "\$LANG_CONF['keycloak.scopes'] = ['input', 'Scopes'];\n"
+            . "\$LANG_CONF['keycloak.autoProvision'] = ['checkbox', 'Auto provision'];\n"
+            . "\$LANG_CONF['keycloak.groupAutoAssign'] = ['checkbox', 'Auto assign groups'];\n"
+            . "\$LANG_CONF['keycloak.groupSyncOnLogin'] = ['checkbox', 'Synchronize groups on login'];\n"
+            . "\$LANG_CONF['keycloak.groupMapping'] = ['input', 'Role to group mapping'];\n"
+            . "\$LANG_CONF['keycloak.logoutRedirectUrl'] = ['input', 'Logout redirect URL'];\n\n"
             . "return [\n"
             . "    'test.key' => 'Default Label',\n"
             . "];\n",
@@ -57,6 +69,18 @@ class TranslationTest extends TestCase
             . "\$LANG_CONF['oauth2.accessTokenTTL'] = ['input', 'Access-Token-TTL', 'ISO-8601-Dauer, z.B. PT1H'];\n"
             . "\$LANG_CONF['oauth2.refreshTokenTTL'] = ['input', 'Refresh-Token-TTL', 'ISO-8601-Dauer, z.B. P1M'];\n"
             . "\$LANG_CONF['oauth2.authCodeTTL'] = ['input', 'Autorisierungscode-TTL', 'ISO-8601-Dauer, z.B. PT10M'];\n\n"
+            . "\$LANG_CONF['keycloak.enable'] = ['checkbox', 'Keycloak-Anmeldung aktivieren'];\n"
+            . "\$LANG_CONF['keycloak.baseUrl'] = ['input', 'Keycloak-Basis-URL'];\n"
+            . "\$LANG_CONF['keycloak.realm'] = ['input', 'Realm'];\n"
+            . "\$LANG_CONF['keycloak.clientId'] = ['input', 'Client-ID'];\n"
+            . "\$LANG_CONF['keycloak.clientSecret'] = ['password', 'Client-Secret'];\n"
+            . "\$LANG_CONF['keycloak.redirectUri'] = ['input', 'Redirect-URI'];\n"
+            . "\$LANG_CONF['keycloak.scopes'] = ['input', 'Scopes'];\n"
+            . "\$LANG_CONF['keycloak.autoProvision'] = ['checkbox', 'Automatisch anlegen'];\n"
+            . "\$LANG_CONF['keycloak.groupAutoAssign'] = ['checkbox', 'Gruppen automatisch zuweisen'];\n"
+            . "\$LANG_CONF['keycloak.groupSyncOnLogin'] = ['checkbox', 'Gruppen beim Login synchronisieren'];\n"
+            . "\$LANG_CONF['keycloak.groupMapping'] = ['input', 'Rollen-zu-Gruppen-Zuordnung'];\n"
+            . "\$LANG_CONF['keycloak.logoutRedirectUrl'] = ['input', 'Logout-Redirect-URL'];\n\n"
             . "return [\n"
             . "    'test.key' => '',\n"
             . "    'test.zero' => '0',\n"
@@ -186,6 +210,22 @@ public function testGetConfigurationItemsReturnsOAuth2Section(): void
         $this->assertArrayHasKey('oauth2.authCodeTTL', $configurationItems);
     }
 
+    public function testGetConfigurationItemsReturnsKeycloakSection(): void
+    {
+        $configurationItems = Translation::getConfigurationItems('keycloak.');
+
+        $this->assertCount(12, $configurationItems);
+        $this->assertArrayHasKey('keycloak.enable', $configurationItems);
+        $this->assertSame('checkbox', $configurationItems['keycloak.enable']['element']);
+        $this->assertArrayHasKey('keycloak.clientSecret', $configurationItems);
+        $this->assertSame('password', $configurationItems['keycloak.clientSecret']['element']);
+        $this->assertArrayHasKey('keycloak.autoProvision', $configurationItems);
+        $this->assertArrayHasKey('keycloak.groupAutoAssign', $configurationItems);
+        $this->assertArrayHasKey('keycloak.groupSyncOnLogin', $configurationItems);
+        $this->assertArrayHasKey('keycloak.groupMapping', $configurationItems);
+        $this->assertArrayHasKey('keycloak.logoutRedirectUrl', $configurationItems);
+    }
+
     /**
      * @throws Exception
      */
diff --git a/tests/phpMyFAQ/User/UserDataTest.php b/tests/phpMyFAQ/User/UserDataTest.php
index 772a51efb4..8aab4920f2 100644
--- a/tests/phpMyFAQ/User/UserDataTest.php
+++ b/tests/phpMyFAQ/User/UserDataTest.php
@@ -71,7 +71,7 @@ public function testFetchAll(): void
         $this->database->method('fetchArray')->willReturn(['user_id' => 1]);
 
         $result = $this->userData->fetchAll('key', 'value');
-        $this->assertEquals(['user_id' => 1], $result);
+        $this->assertEquals(['user_id' => 1, 'keycloak_sub' => ''], $result);
     }
 
     public function testFetchAllReturnsDefaultArrayWhenNoResultExists(): void
@@ -112,6 +112,24 @@ public function testSave(): void
         $this->assertTrue($result);
     }
 
+    public function testSaveDoesNotRunFallbackUpdateWhenKeycloakSubIsPresent(): void
+    {
+        $queryResults = [true, false];
+        $this->database
+            ->method('query')
+            ->willReturnCallback(static function () use (&$queryResults): bool {
+                return array_shift($queryResults) ?? true;
+            });
+        $this->database->method('numRows')->willReturn(1);
+        $this->database->method('fetchArray')->willReturn(['display_name' => 'Old']);
+        $this->database->method('escape')->willReturnArgument(0);
+
+        $this->userData->load(1);
+
+        $this->assertFalse($this->userData->set(['display_name', 'keycloak_sub'], ['Admin', 'subject-123']));
+        $this->assertSame([], $queryResults);
+    }
+
     public function testSetReturnsFalseWhenFieldAndValueCountsDoNotMatch(): void
     {
         $this->assertFalse($this->userData->set(['display_name', 'email'], ['value']));
diff --git a/tests/phpMyFAQ/UserTest.php b/tests/phpMyFAQ/UserTest.php
index c0188a53b3..310553ae76 100644
--- a/tests/phpMyFAQ/UserTest.php
+++ b/tests/phpMyFAQ/UserTest.php
@@ -583,14 +583,19 @@ public function testGetUserDataSetUserDataAndEmailHelpersDelegateToUserData(): v
         $this->userData->expects($this->once())->method('load')->with(11);
         $this->userData->expects($this->once())->method('set')->with(['display_name'], ['Thorsten'])->willReturn(true);
         $this->userData
-            ->expects($this->exactly(2))
+            ->expects($this->exactly(3))
             ->method('fetchAll')
-            ->willReturnOnConsecutiveCalls(['user_id' => 11, 'is_visible' => true], ['user_id' => 12]);
+            ->willReturnOnConsecutiveCalls(
+                ['user_id' => 11, 'is_visible' => true],
+                ['user_id' => 12],
+                ['user_id' => 13],
+            );
 
         $this->assertSame('Thorsten', $this->user->getUserData('display_name'));
         $this->assertTrue($this->user->setUserData(['display_name' => 'Thorsten']));
         $this->assertSame(11, $this->user->getUserIdByEmail('thorsten@example.com'));
         $this->assertTrue($this->user->getUserVisibilityByEmail('anonymous@example.com'));
+        $this->assertSame(13, $this->user->getUserIdByKeycloakSub('keycloak-sub-123'));
     }
 
     public function testGetUserDataCreatesUserDataWhenUnset(): void
diff --git a/vite.config.ts b/vite.config.ts
index 1afaaa6afb..4306f1ec25 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -78,6 +78,7 @@ export default defineConfig({
         '**/node_modules/**',
         '**/html-coverage/**',
         '**/libs/**',
+        '**/site/**',
         '**/bootstrap*.min.js',
         '**/popper*.min.js',
         '**/babel.config.cjs',
@@ -87,6 +88,6 @@ export default defineConfig({
     },
     globals: true,
     include: ['**/phpmyfaq/assets/**/*.test.ts', '**/phpmyfaq/admin/assets/**/*.test.ts'],
-    exclude: ['**/node_modules/**', '.claude/**'],
+    exclude: ['**/node_modules/**', '.claude/**', 'site/**'],
   },
 });