diff --git a/.env.example b/.env.example
index 8002554..50a9283 100644
--- a/.env.example
+++ b/.env.example
@@ -37,4 +37,9 @@ LDAP_URL=""
 LDAP_BIND_USER=""
 LDAP_BIND_PASSWORT=""
 LDAP_SEARCH_BASE=""
-LDAP_ADMIN_GROUP=""
\ No newline at end of file
+LDAP_ADMIN_GROUP=""
+
+# Keycloak
+KEYCLOAK_ISSUER=""
+KEYCLOAK_CLIENT_ID=""
+KEYCLOAK_CLIENT_SECRET=""
\ No newline at end of file
diff --git a/prisma/migrations/20260309225029_add_refresh_expires_in_for_keycloak/migration.sql b/prisma/migrations/20260309225029_add_refresh_expires_in_for_keycloak/migration.sql
new file mode 100644
index 0000000..7b118b9
--- /dev/null
+++ b/prisma/migrations/20260309225029_add_refresh_expires_in_for_keycloak/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "Account" ADD COLUMN "refresh_expires_in" INTEGER;
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index b5443f4..7b1ced8 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -151,19 +151,20 @@ model Transaction {
 // -----------------------------------------------------------------------------
 // Necessary for Next auth
 model Account {
-    id                String  @id @default(cuid())
-    userId            String
-    type              String
-    provider          String
-    providerAccountId String
-    refresh_token     String? // @db.Text
-    access_token      String? // @db.Text
-    expires_at        Int?
-    token_type        String?
-    scope             String?
-    id_token          String? // @db.Text
-    session_state     String?
-    user              User    @relation(fields: [userId], references: [id], onDelete: Cascade)
+    id                 String  @id @default(cuid())
+    userId             String
+    type               String
+    provider           String
+    providerAccountId  String
+    refresh_token      String? // @db.Text
+    refresh_expires_in Int?
+    access_token       String? // @db.Text
+    expires_at         Int?
+    token_type         String?
+    scope              String?
+    id_token           String? // @db.Text
+    session_state      String?
+    user               User    @relation(fields: [userId], references: [id], onDelete: Cascade)
 
     @@unique([provider, providerAccountId])
 }
diff --git a/src/env.mjs b/src/env.mjs
index 295c340..6c7986a 100644
--- a/src/env.mjs
+++ b/src/env.mjs
@@ -14,16 +14,20 @@ const server = z.object({
     // Since NextAuth.js automatically uses the VERCEL_URL if present.
     (str) => process.env.VERCEL_URL ?? str,
     // VERCEL_URL doesn't include `https` so it cant be validated as a URL
-    process.env.VERCEL ? z.string().min(1) : z.string().url()
+    process.env.VERCEL ? z.string().min(1) : z.string().url(),
   ),
 
   DISABLE_PROCUREMENT_ACCOUNT_BACKING_CHECK: z.string().default("false"),
 
-  LDAP_URL: z.string(),
-  LDAP_BIND_USER: z.string(),
-  LDAP_BIND_PASSWORT: z.string(),
-  LDAP_SEARCH_BASE: z.string(),
-  LDAP_ADMIN_GROUP: z.string(),
+  LDAP_URL: z.string().optional(),
+  LDAP_BIND_USER: z.string().optional(),
+  LDAP_BIND_PASSWORT: z.string().optional(),
+  LDAP_SEARCH_BASE: z.string().optional(),
+  LDAP_ADMIN_GROUP: z.string().optional(),
+
+  KEYCLOAK_ISSUER: z.string().url().optional(),
+  KEYCLOAK_CLIENT_ID: z.string().optional(),
+  KEYCLOAK_CLIENT_SECRET: z.string().optional(),
 
   // Add `.min(1) on ID and SECRET if you want to make sure they're not empty
   EMAIL_SERVER_USER: z.string().optional(),
@@ -48,7 +52,7 @@ const client = z.object({
  *
  * @type {Record<keyof z.infer<typeof server> | keyof z.infer<typeof client>, string | undefined>}
  */
-// const envProvider = process.env 
+// const envProvider = process.env
 const processEnv = {
   DATABASE_URL: process.env.DATABASE_URL,
   NODE_ENV: process.env.NODE_ENV,
@@ -56,9 +60,12 @@ const processEnv = {
   NEXTAUTH_URL: process.env.NEXTAUTH_URL,
   LDAP_URL: process.env.LDAP_URL,
   LDAP_BIND_USER: process.env.LDAP_BIND_USER,
-  LDAP_BIND_PASSWORT:process.env.LDAP_BIND_PASSWORT,
-  LDAP_SEARCH_BASE:process.env.LDAP_SEARCH_BASE,
-  LDAP_ADMIN_GROUP:process.env.LDAP_ADMIN_GROUP,
+  LDAP_BIND_PASSWORT: process.env.LDAP_BIND_PASSWORT,
+  LDAP_SEARCH_BASE: process.env.LDAP_SEARCH_BASE,
+  LDAP_ADMIN_GROUP: process.env.LDAP_ADMIN_GROUP,
+  KEYCLOAK_ISSUER: process.env.KEYCLOAK_ISSUER,
+  KEYCLOAK_CLIENT_ID: process.env.KEYCLOAK_CLIENT_ID,
+  KEYCLOAK_CLIENT_SECRET: process.env.KEYCLOAK_CLIENT_SECRET,
   DISABLE_PROCUREMENT_ACCOUNT_BACKING_CHECK: process.env.DISABLE_PROCUREMENT_ACCOUNT_BACKING_CHECK,
   EMAIL_SERVER_USER: process.env.EMAIL_SERVER_USER,
   EMAIL_SERVER_PASSWORD: process.env.EMAIL_SERVER_PASSWORD,
diff --git a/src/pages/index.tsx b/src/pages/index.tsx
index ad0ebd9..e388629 100644
--- a/src/pages/index.tsx
+++ b/src/pages/index.tsx
@@ -1,11 +1,10 @@
 import { CheckCircle, Github, Info, XCircle } from "lucide-react"
 import { type GetServerSidePropsContext, type InferGetServerSidePropsType, type NextPage } from "next"
-import { getProviders, signIn } from "next-auth/react"
+import { signIn } from "next-auth/react"
 import { useRouter } from "next/router"
 import { useEffect, useState } from "react"
 import { useForm, type SubmitHandler } from "react-hook-form"
 import CenteredPage from "~/components/Layout/CenteredPage"
-import { getServerAuthSession } from "~/server/auth"
 
 // NextAuth error messages (https://next-auth.js.org/configuration/pages)
 // get thrown as query parameters in the URL
@@ -31,13 +30,15 @@ type FormData = {
 
 type HomeProps = InferGetServerSidePropsType<typeof getServerSideProps> & {
   isProduction: boolean
+  keycloakEnabled: boolean
+  ldapEnabled: boolean
 }
 
-const Home: NextPage<HomeProps> = ({ providers, isProduction }) => {
+const Home: NextPage<HomeProps> = ({ isProduction, keycloakEnabled, ldapEnabled }) => {
   const { register, handleSubmit, formState: { errors, isSubmitting } } = useForm<FormData>()
   const [error, setError] = useState<string | null>(null)
   const [success, setSuccess] = useState<string | null>(null)
-  const [activeTab, setActiveTab] = useState<"credentials" | "email">("credentials")
+  const [activeTab, setActiveTab] = useState<"credentials" | "email" | "keycloak">(keycloakEnabled ? "keycloak" : "credentials")
   const router = useRouter()  // Handle NextAuth errors from query parameters
   const authError = router.query.error
   const queryErrorMessage =
@@ -50,7 +51,8 @@ const Home: NextPage<HomeProps> = ({ providers, isProduction }) => {
   useEffect(() => {
     if (authError && typeof authError === "string") {
       // Clear the error from URL to prevent it from persisting
-      const { error: _, ...restQuery } = router.query
+      const restQuery = { ...router.query }
+      delete restQuery.error
       void router.replace({ pathname: router.pathname, query: restQuery }, undefined, { shallow: true })
     }
   }, [authError, router])
@@ -66,7 +68,7 @@ const Home: NextPage<HomeProps> = ({ providers, isProduction }) => {
         redirect: false,
       })
 
-      if(result?.ok) {
+      if (result?.ok) {
         void router.push("/buy")
       }
       else if (result?.error) {
@@ -97,7 +99,7 @@ const Home: NextPage<HomeProps> = ({ providers, isProduction }) => {
       } else if (result?.ok) {
         setSuccess("Ein Magic Link wurde in der Serverkonsole generiert.")
       }
-    } catch (err) {
+    } catch {
       setError(nextAuthErrorMessages.default)
     }
   }
@@ -120,22 +122,32 @@ const Home: NextPage<HomeProps> = ({ providers, isProduction }) => {
           <div className="card bg-base-200 shadow-xl">
             <div className="card-body">
               {/* Tab Navigation (only show if both methods are available) */}
-              {isDevelopment && (
-                <div className="tabs tabs-boxed mb-6">
+              <div className="tabs tabs-boxed mb-6">
+                {keycloakEnabled && (
+                  <button
+                    className={`tab tab-lg flex-1 ${activeTab === "keycloak" ? "tab-active" : ""}`}
+                    onClick={() => setActiveTab("keycloak")}
+                  >
+                    ASL Account
+                  </button>
+                )}
+                {ldapEnabled && (
                   <button
                     className={`tab tab-lg flex-1 ${activeTab === "credentials" ? "tab-active" : ""}`}
                     onClick={() => setActiveTab("credentials")}
                   >
-                    ASL Account
+                    Credentials
                   </button>
+                )}
+                {isDevelopment && (
                   <button
                     className={`tab tab-lg flex-1 ${activeTab === "email" ? "tab-active" : ""}`}
                     onClick={() => setActiveTab("email")}
                   >
                     Server Konsole
                   </button>
-                </div>
-              )}
+                )}
+              </div>
 
               {/* Error/Success Messages */}
               {visibleError && (
@@ -152,7 +164,7 @@ const Home: NextPage<HomeProps> = ({ providers, isProduction }) => {
               )}
 
               {/* LDAP/Credentials Login Form */}
-              {(activeTab === "credentials" || isProduction) && (
+              {activeTab === "credentials" && (
                 <form onSubmit={handleSubmit(onCredentialsSubmit)} className="space-y-4">
                   <div className="form-control">
                     <label className="label">
@@ -205,7 +217,7 @@ const Home: NextPage<HomeProps> = ({ providers, isProduction }) => {
               )}
 
               {/* Magic Link Login Form (Development only) */}
-              {isDevelopment && activeTab === "email" && (
+              {activeTab === "email" && (
                 <form onSubmit={handleSubmit(onEmailSubmit)} className="space-y-4">
                   <div className="alert alert-info">
                     <Info className="h-6 w-6" />
@@ -249,6 +261,22 @@ const Home: NextPage<HomeProps> = ({ providers, isProduction }) => {
                 </form>
               )}
 
+              {activeTab === "keycloak" && (
+                <div className="space-y-3">
+                  <button
+                    type="button"
+                    className="btn btn-outline w-full"
+                    onClick={() =>
+                      void signIn("keycloak", {
+                        callbackUrl: new URL("/buy", window.location.origin).toString(),
+                      })
+                    }
+                  >
+                    Login mit ASL Account
+                  </button>
+                </div>
+              )}
+
               {/* Info Section */}
               <div className="divider"></div>
               <div className="text-center">
@@ -283,8 +311,9 @@ const Home: NextPage<HomeProps> = ({ providers, isProduction }) => {
 export async function getServerSideProps(context: GetServerSidePropsContext) {
   const { req, res } = context;
   // Get the session from the server using the getServerSession wrapper function
-  const session = await getServerAuthSession({ req, res });
+  const { getServerAuthSession, keycloakEnabled, ldapEnabled } = await import("~/server/auth")
 
+  const session = await getServerAuthSession({ req, res })
   // If user is already logged in, redirect
   if (session) {
     return {
@@ -295,11 +324,11 @@ export async function getServerSideProps(context: GetServerSidePropsContext) {
     }
   }
 
-  const providers = await getProviders()
   return {
     props: {
-      providers: providers ?? {},
       isProduction: process.env.NODE_ENV === "production",
+      keycloakEnabled,
+      ldapEnabled,
     },
   }
 }
diff --git a/src/server/auth.ts b/src/server/auth.ts
index bb95873..6cacd6a 100644
--- a/src/server/auth.ts
+++ b/src/server/auth.ts
@@ -5,13 +5,26 @@ import {
   type DefaultSession,
   type DefaultUser,
   type NextAuthOptions,
+  type User,
 } from "next-auth"
+import type { Adapter, AdapterAccount } from "next-auth/adapters"
 import CredentialsProvider from "next-auth/providers/credentials"
 import EmailProvider from "next-auth/providers/email"
+import KeycloakProvider from "next-auth/providers/keycloak"
 import { env } from "~/env.mjs"
 import { prisma } from "~/server/db"
 import { manageLdapLogin } from "./ldap"
 
+export const keycloakEnabled =
+  !!env.KEYCLOAK_ISSUER &&
+  !!env.KEYCLOAK_CLIENT_ID &&
+  !!env.KEYCLOAK_CLIENT_SECRET
+
+export const ldapEnabled =
+  !!env.LDAP_URL &&
+  !!env.LDAP_BIND_USER &&
+  !!env.LDAP_BIND_PASSWORT
+
 /**
  * Module augmentation for `next-auth` types. Allows us to add custom properties to the `session`
  * object and keep type safety.
@@ -40,16 +53,38 @@ declare module "next-auth/jwt" {
   }
 }
 
+/** IMPORTANT FOR INTEGRATING KEYCLOAK */
+const prismaAdapter = PrismaAdapter(prisma) as Adapter
+const extendedPrismaAdapter: Adapter = {
+  ...prismaAdapter,
+  async linkAccount(account: AdapterAccount) {
+    if (!prismaAdapter.linkAccount)
+      throw new Error("NextAuth: prismaAdapter.linkAccount not implemented")
+
+    // Keycloak returns incompatible data with the nextjs-auth schema
+    // (refresh_expires_in and not-before-policy).
+    // refresh_expires_in was added to the schema, but not-before-policy is not compatible with Prisma's field naming conventions.
+    // So, we need to remove this data from the payload before linking an account.
+    // https://github.com/nextauthjs/next-auth/issues/7655
+    if (account.provider === "keycloak") {
+      delete account["not-before-policy"]
+    }
+
+    await prismaAdapter.linkAccount(account)
+  },
+}
+
 /**
  * Options for NextAuth.js used to configure adapters, providers, callbacks, etc.
  *
  * @see https://next-auth.js.org/configuration/options
  */
 export const authOptions: NextAuthOptions = {
-  adapter: PrismaAdapter(prisma),
+  adapter: extendedPrismaAdapter,
   session: {
     strategy: "jwt",
-  },  pages: {
+  },
+  pages: {
     signIn: "/",
   },
   callbacks: {
@@ -69,40 +104,67 @@ export const authOptions: NextAuthOptions = {
     },
   },
   providers: [
-    CredentialsProvider({
-      name: "ASL-Account",
-      credentials: {
-        username: { label: "ASL-Username", type: "text", placeholder: "sally.ride" },
-        password: { label: "Password", type: "password", placeholder: "sUper $ecr3t" },
-      },
-      async authorize(credentials, req) {
-        if (!credentials || credentials.username.length <= 1 || credentials.password.length <= 1) {
-          return null
-        }
-        return manageLdapLogin(credentials?.username, credentials?.password)
-      },
-    }),
+    ...(ldapEnabled ? [
+      CredentialsProvider({
+        name: "ASL-Account",
+        credentials: {
+          username: { label: "ASL-Username", type: "text", placeholder: "sally.ride" },
+          password: { label: "Password", type: "password", placeholder: "sUper $ecr3t" },
+        },
+        async authorize(credentials, _req) {
+          if (!credentials || credentials.username.length <= 1 || credentials.password.length <= 1) {
+            return null
+          }
+          return manageLdapLogin(credentials?.username, credentials?.password)
+        },
+      })
+    ] : []),
+    ...(keycloakEnabled
+      ? [
+        KeycloakProvider({
+          clientId: env.KEYCLOAK_CLIENT_ID!,
+          clientSecret: env.KEYCLOAK_CLIENT_SECRET!,
+          issuer: env.KEYCLOAK_ISSUER!,
+          profile(profile) {
+            const uidNumber = profile.uidNumber
+            const isAdmin = Array.isArray(profile.groups) &&
+              profile.groups.some(
+                (group) => typeof group === "string" && group.toUpperCase() === "LABEATS_ADMIN",
+              )
+            const user = {
+              id: uidNumber ? String(uidNumber) : String(profile.sub),
+              name: profile.name ?? profile.preferred_username ?? null,
+              email: profile.email,
+              image: null,
+              is_admin: isAdmin,
+            } as User
+            return user
+          },
+          // allowDangerousEmailAccountLinking: true,
+        }),
+      ]
+      : []),
     ...(env.NODE_ENV === "development"
       ? [
-          EmailProvider({
-            server: {
-              host: env.EMAIL_SERVER_HOST,
-              port: env.EMAIL_SERVER_PORT,
-              auth: {
-                user: env.EMAIL_SERVER_USER,
-                pass: env.EMAIL_SERVER_PASSWORD,
-              },
+        EmailProvider({
+          server: {
+            host: env.EMAIL_SERVER_HOST,
+            port: env.EMAIL_SERVER_PORT,
+            auth: {
+              user: env.EMAIL_SERVER_USER,
+              pass: env.EMAIL_SERVER_PASSWORD,
+            },
+          },
+          ...(env.EMAIL_DEV_PRINT_TOKEN === "true" && env.NODE_ENV === "development" && {
+            sendVerificationRequest(params) {
+              console.log("\n", "=".repeat(40))
+              console.log(`🔗 Verification URL: ${params.url}`)
+              console.log("=".repeat(40), "\n")
             },
-            ...(env.EMAIL_DEV_PRINT_TOKEN === "true" && env.NODE_ENV === "development" && {
-              sendVerificationRequest(params) {
-                console.log("\n", "=".repeat(40))
-                console.log(`🔗 Verification URL: ${params.url}`)
-                console.log("=".repeat(40), "\n")
-              },
-            }),
-            from: env.EMAIL_FROM,
           }),
-        ]
+          from: env.EMAIL_FROM,
+        }),
+      ]
       : []),
   ],
 }
diff --git a/src/server/ldap.ts b/src/server/ldap.ts
index 3e99b58..0df9262 100644
--- a/src/server/ldap.ts
+++ b/src/server/ldap.ts
@@ -3,11 +3,12 @@ import { type User } from "next-auth"
 import fs from "node:fs"
 import path from "node:path"
 import { env } from "~/env.mjs"
+import { ldapEnabled } from "./auth"
 import { prisma } from "./db"
 
 const ldapCert = fs.readFileSync(path.resolve(process.cwd(), `./LDAP-ca.crt`))
 export const clientOptions = {
-  url: env.LDAP_URL,
+  url: env.LDAP_URL!,
   tlsOptions: {
     ca: [ldapCert],
   },
@@ -18,15 +19,20 @@ export const manageLdapLogin = (
   usernameRaw: string | undefined,
   password: string | undefined,
 ): Promise<User | null> => {
+  if (!ldapEnabled) {
+    console.error("LDAP: Error: Not all required LDAP environment variables set - check your .env file!")
+    return Promise.resolve(null)
+  }
+
   const username = usernameRaw?.toLowerCase()
-  
+
   if (!username || !password) {
-    console.log("LDAP: Error: Username or password blank")
+    console.error("LDAP: Error: Username or password blank")
     return Promise.resolve(null)
   }
   const safeLdapRegex = /^[\w\.-]*$/g
   if (!username.match(safeLdapRegex)) {
-    console.log("LDAP injection-attack detected - Nice try : )")
+    console.error("LDAP injection-attack detected - Nice try : )")
     return Promise.resolve(null)
   }
   return new Promise(async (resolve) => {
@@ -35,8 +41,8 @@ export const manageLdapLogin = (
 
     try {
       console.info("Starting bind of search-user....")
-      await searchUser.bind(env.LDAP_BIND_USER, env.LDAP_BIND_PASSWORT)
-      const { searchEntries } = await searchUser.search(env.LDAP_SEARCH_BASE, {
+      await searchUser.bind(env.LDAP_BIND_USER!, env.LDAP_BIND_PASSWORT!)
+      const { searchEntries } = await searchUser.search(env.LDAP_SEARCH_BASE!, {
         filter: `(&(objectClass=organizationalPerson)(sAMAccountName=${username}))`,
       })
       if (searchEntries.length === 0 || !searchEntries[0]) {