Enrich authorization with Keycloak directory data
Automatically pull user attributes, realm roles, client roles, and group memberships from Keycloak into Cerbos policy evaluations, no application code changes required.
Keycloak context
Automatically enrich authorization requests with user profiles, realm roles, client roles, and group memberships from Keycloak
Cached responses
Configurable TTLs cache enrichment results to balance data freshness against evaluation latency
Zero application code
Identity enrichment happens at the policy layer, so your application code stays clean
How Cerbos works with Keycloak
Authorization decisions are only as good as the data behind them. Keycloak provides real-time context (user profiles, group memberships, or external attributes) that makes Cerbos policies richer and more accurate.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. With Keycloak as a context source, those policies can evaluate attributes beyond what's in the initial request.
Because enrichment happens at the policy layer, your application code stays clean: there is no custom plumbing to fetch and merge identity data before making authorization calls.
Authorization powered by your Keycloak directory
Keycloak's user store contains far more identity data than what fits in a JWT, including nested group hierarchies, client-specific roles, and custom user attributes. Cerbos identity enrichment bridges this gap by pulling the full user profile from Keycloak into every authorization decision.
How it works
- Your application sends an authorization request with the user's Keycloak identifier.
- Cerbos Synapse queries the Keycloak Admin API, via a proxy extension, for the user's profile, realm roles, client roles, and group memberships, including nested group paths.
- The enriched data is available in your policies, so you can write rules based on realm roles, client-specific roles, group hierarchy paths like /engineering/backend, or any custom user attribute.
- Results are cached with configurable TTLs to balance freshness and performance.
Real-time directory data in every decision
When a user's roles or group memberships change in Keycloak, whether they switch teams, gain new client roles, or are removed from a group, those changes are reflected in Cerbos authorization decisions without a token refresh or application redeployment. Your policies always operate on current directory data.
Get started
Keycloak identity enrichment is available as part of Cerbos Synapse. Talk to us to learn more about enriching your authorization decisions with Keycloak data.
FAQ
How does Keycloak enrichment work with Cerbos?
Cerbos queries the Keycloak Admin API at evaluation time to fetch the user's full profile, realm roles, client roles, and group memberships. This data is available as principal attributes in your policies, enabling rules based on any Keycloak user property.
How is this different from the Keycloak authentication integration?
The authentication integration uses whatever claims are in the Keycloak-issued JWT. Identity enrichment goes further: it fetches the full user profile from Keycloak's directory at authorization time, giving your policies access to data beyond what fits in a token, including nested group paths and user attributes that may not be mapped to token claims.
Are enrichment results cached?
Yes. Cerbos caches enrichment data with configurable TTLs to balance freshness and performance. When a user's roles or group memberships change in Keycloak, those changes are reflected in Cerbos decisions once the cache expires, without a token refresh or application redeployment.
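The enrichment flow from "How it works" and the cache-expiry behaviour described in this answer, as an added illustrative example. This is not Cerbos or Keycloak code: the directory contents, the attribute shape, the Enricher class, the rules in decide() and the names below are all constructed for this example (a real deployment has Cerbos Synapse call the Keycloak Admin API and expresses the rules in Cerbos YAML). It shows a group-path rule that treats /engineering/backend as part of /engineering but not /engineering-ops, and it shows that a membership revoked in the directory keeps being honoured until the TTL expires.

```python
import copy
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for Keycloak's user directory (user id -> profile).
# The field layout is an assumption for this example, not Cerbos's real schema.
FAKE_DIRECTORY: Dict[str, dict] = {
    "u-1001": {
        "username": "alice",
        "attributes": {"department": "engineering"},
        "realm_roles": ["user"],
        "client_roles": {"billing-app": ["invoice-reader"]},
        "groups": ["/engineering/backend"],   # full hierarchy paths
    },
    "u-1002": {
        "username": "bob",
        "attributes": {"department": "sales"},
        "realm_roles": ["user"],
        "client_roles": {},
        "groups": ["/sales/emea"],
    },
}

EMPTY_PRINCIPAL = {"attributes": {}, "realm_roles": [], "client_roles": {}, "groups": []}


def keycloak_lookup(user_id: str) -> Optional[dict]:
    """Simulated Admin API call; returns a copy so callers cannot mutate the store."""
    return copy.deepcopy(FAKE_DIRECTORY.get(user_id))


@dataclass
class Enricher:
    """Fetches a user's profile on demand and caches it for ttl_seconds."""
    fetch: Callable[[str], Optional[dict]]
    ttl_seconds: float
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    directory_calls: int = 0
    _cache: Dict[str, Tuple[float, dict]] = field(default_factory=dict)

    def principal(self, user_id: str) -> dict:
        now = self.clock()
        cached = self._cache.get(user_id)
        if cached is not None and cached[0] > now:
            return cached[1]                      # fresh enough, no directory call
        self.directory_calls += 1
        profile = self.fetch(user_id)
        # Unknown users become an empty principal so every rule falls through to DENY.
        attrs = profile if profile is not None else copy.deepcopy(EMPTY_PRINCIPAL)
        self._cache[user_id] = (now + self.ttl_seconds, attrs)
        return attrs


def in_group_tree(groups: List[str], root: str) -> bool:
    """True if any group path equals root or lies below it in the hierarchy.
    A plain prefix test would wrongly match /engineering-ops against /engineering,
    so the separator is required."""
    root = root.rstrip("/")
    return any(g == root or g.startswith(root + "/") for g in groups)


def decide(p: dict, resource: str, action: str) -> str:
    """Deny-by-default rules over the enriched principal attributes."""
    if resource == "deployment" and action == "restart":
        if "user" in p["realm_roles"] and in_group_tree(p["groups"], "/engineering"):
            return "ALLOW"
    if resource == "invoice" and action == "read":
        if "invoice-reader" in p["client_roles"].get("billing-app", []):
            return "ALLOW"
    return "DENY"


def check(enricher: Enricher, user_id: str, resource: str, action: str) -> str:
    """The request carries only the Keycloak user id; enrichment supplies the rest."""
    return decide(enricher.principal(user_id), resource, action)


def stale_window_demo(ttl: float = 60.0) -> List[str]:
    """Decisions for alice at t=0 (fresh), t=30 (revoked but cached) and t=ttl+1 (expired)."""
    now = [0.0]
    directory = copy.deepcopy(FAKE_DIRECTORY)
    enricher = Enricher(fetch=lambda uid: copy.deepcopy(directory.get(uid)),
                        ttl_seconds=ttl, clock=lambda: now[0])
    results = [check(enricher, "u-1001", "deployment", "restart")]
    directory["u-1001"]["groups"] = []   # alice removed from /engineering/backend in Keycloak
    now[0] = 30.0
    results.append(check(enricher, "u-1001", "deployment", "restart"))   # still served from cache
    now[0] = ttl + 1.0
    results.append(check(enricher, "u-1001", "deployment", "restart"))   # re-fetched, now denied
    return results


if __name__ == "__main__":
    e = Enricher(fetch=keycloak_lookup, ttl_seconds=60)
    print(check(e, "u-1001", "deployment", "restart"), check(e, "u-1002", "deployment", "restart"))
    print(stale_window_demo(), "directory calls:", e.directory_calls)
```

The TTL is the trade-off the FAQ describes: a longer TTL means fewer Admin API calls per decision, but also a longer window in which a revoked role or group membership is still honoured, so size it against how quickly revocations must take effect.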
Cerbos + Keycloak
- Authorization decisions enriched with real-time Keycloak data
- Context enrichment configured at the policy layer, not in application code
- Identity attributes and business context combined in policies
- Centrally managed authorization logic across the stack