
Enrich authorization with Keycloak directory data

Automatically pull user attributes, realm roles, client roles, and group memberships from Keycloak into Cerbos policy evaluations, with no application code changes required.

Keycloak context

Automatically enrich authorization requests with user profiles, realm roles, client roles, and group memberships from Keycloak

Cached responses

Configurable TTLs cache enrichment results to balance data freshness against evaluation latency

Zero application code

Identity enrichment happens at the policy layer, so your application code stays clean

How Cerbos works with Keycloak

Authorization decisions are only as good as the data behind them. Keycloak provides real-time context (user profiles, group memberships, or external attributes) that makes Cerbos policies richer and more accurate.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. With Keycloak as a context source, those policies can evaluate attributes beyond what's in the initial request.

Because enrichment happens at the policy layer, your application code stays clean: there is no custom plumbing to fetch and merge identity data before making authorization calls.

Authorization powered by your Keycloak directory

Keycloak's user store contains far more identity data than what fits in a JWT, including nested group hierarchies, client-specific roles, and custom user attributes. Cerbos identity enrichment bridges this gap by pulling the full user profile from Keycloak into every authorization decision.

How it works

  1. Your application sends an authorization request to Cerbos with the user's Keycloak identifier.
  2. Cerbos queries the Keycloak Admin API for the user's profile, realm roles, client roles, and group memberships, including nested group paths.
  3. Enriched data is available in your policies: write rules based on realm roles, client-specific roles, group hierarchy paths like /engineering/backend, or any custom user attribute.
  4. Results are cached with configurable TTLs to balance freshness and performance.

Real-time directory data in every decision

When a user's roles or group memberships change in Keycloak, whether they switch teams, gain new client roles, or are removed from a group, those changes are reflected in Cerbos authorization decisions without a token refresh or application redeployment. Your policies always operate on current directory data.

Get started

Keycloak identity enrichment is available as part of Cerbos enterprise. Talk to us to learn more about enriching your authorization decisions with Keycloak data.

FAQ

How does Keycloak enrichment work with Cerbos?

Cerbos queries the Keycloak Admin API at evaluation time to fetch the user's full profile, realm roles, client roles, and group memberships. This data is available as principal attributes in your policies, enabling rules based on any Keycloak user property.

How is this different from the Keycloak authentication integration?

The authentication integration uses whatever claims are in the Keycloak-issued JWT. Identity enrichment goes further: it fetches the full user profile from Keycloak's directory at authorization time, giving your policies access to data beyond what fits in a token, including nested group paths and user attributes that may not be mapped to token claims.

Are enrichment results cached?

Yes. Cerbos caches enrichment data with configurable TTLs to balance freshness and performance. When a user's roles or group memberships change in Keycloak, those changes are reflected in Cerbos decisions once the cache expires, without a token refresh or application redeployment.
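The following Python example illustrates the mechanism described in "How it works" and in this FAQ answer: a lookup against the Keycloak Admin API shape (user record, realm role mappings, client role mappings, group memberships with their `path`), the resulting principal attributes, and a TTL cache whose expiry is what makes a directory change visible. This is an added example written for this page, not Cerbos's enrichment implementation; the attribute names it produces (`realm_roles`, `client_roles`, `group_paths`), the in-memory `FakeKeycloakAdminAPI`, the `billing-app` client id and the user `u-123` are all constructed for illustration, and the service-account token a real Admin API call needs is omitted.

```python
import time
from typing import Callable, Dict, List

# Constructed sample data shaped like Keycloak Admin REST API responses
# (GET /admin/realms/{realm}/users/{id}, .../role-mappings/realm,
#  .../role-mappings/clients/{client-uuid}, .../groups). Not captured
# from a live server. Keycloak returns custom attributes as lists of strings.
SAMPLE_KEYCLOAK = {
    "users/u-123": {
        "id": "u-123",
        "username": "alice",
        "attributes": {"department": ["engineering"], "clearance": ["2"]},
    },
    "users/u-123/role-mappings/realm": [{"name": "employee"}, {"name": "oncall"}],
    "users/u-123/role-mappings/clients/billing-app": [{"name": "invoice-approver"}],
    "users/u-123/groups": [{"name": "backend", "path": "/engineering/backend"}],
}


class FakeKeycloakAdminAPI:
    """Stand-in for the Admin API; counts calls so cache behaviour is observable."""

    def __init__(self, data: Dict[str, object]) -> None:
        self.data = dict(data)
        self.calls = 0

    def get(self, path: str) -> object:
        self.calls += 1
        return self.data[path]


class FakeClock:
    """Deterministic clock so TTL expiry can be driven explicitly."""

    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class KeycloakEnricher:
    """Fetches a principal's directory data and caches it per user for ttl_seconds."""

    def __init__(self, api: FakeKeycloakAdminAPI, client_uuid: str,
                 ttl_seconds: float, clock: Callable[[], float] = time.monotonic) -> None:
        self.api = api
        self.client_uuid = client_uuid
        self.ttl = ttl_seconds
        self.clock = clock
        self._cache: Dict[str, tuple] = {}  # user_id -> (expires_at, attrs)

    def _fetch(self, user_id: str) -> Dict[str, object]:
        base = f"users/{user_id}"
        user = self.api.get(base)
        realm_roles = [r["name"] for r in self.api.get(f"{base}/role-mappings/realm")]
        client_roles = [r["name"] for r in
                        self.api.get(f"{base}/role-mappings/clients/{self.client_uuid}")]
        # Group paths carry the nesting, e.g. /engineering/backend.
        group_paths = sorted(g["path"] for g in self.api.get(f"{base}/groups"))
        # Flatten single-valued custom attributes; keep multi-valued ones as lists.
        custom = {k: (v[0] if len(v) == 1 else v)
                  for k, v in user.get("attributes", {}).items()}
        return {
            "username": user["username"],
            "realm_roles": realm_roles,
            "client_roles": {self.client_uuid: client_roles},
            "group_paths": group_paths,
            **custom,
        }

    def enrich(self, user_id: str) -> Dict[str, object]:
        """Return cached attributes while fresh; re-query Keycloak once the TTL lapses."""
        now = self.clock()
        hit = self._cache.get(user_id)
        if hit is not None and hit[0] > now:
            return hit[1]
        attrs = self._fetch(user_id)
        self._cache[user_id] = (now + self.ttl, attrs)
        return attrs


def in_group_tree(attrs: Dict[str, object], prefix: str) -> bool:
    """True if the principal is in `prefix` or any group nested beneath it."""
    return any(p == prefix or p.startswith(prefix + "/")
               for p in attrs["group_paths"])  # type: ignore[union-attr]


if __name__ == "__main__":
    api = FakeKeycloakAdminAPI(SAMPLE_KEYCLOAK)
    enricher = KeycloakEnricher(api, "billing-app", ttl_seconds=30, clock=FakeClock(0.0))
    print(enricher.enrich("u-123"), "api calls:", api.calls)
```

The observable point is the one the FAQ makes: after Alice is moved to another group in Keycloak, a second `enrich("u-123")` inside the TTL still returns `/engineering/backend`, and only a call after expiry returns the new path and costs another round of Admin API requests. `in_group_tree` shows why path-shaped group data is useful for hierarchy rules; the equivalent in a Cerbos policy would be a condition over the enriched principal attributes, with whatever attribute names the product exposes.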

Cerbos + Keycloak

  • Authorization decisions enriched with real-time Keycloak data
  • Context enrichment configured at the policy layer, not in application code
  • Identity attributes and business context combined in policies
  • Centrally managed authorization logic across the stack

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.