Keymate Authorization Decision Provider
Overview
The Keymate Authorization Decision Provider is the centralized authorization decision authority of the Keymate platform. It evaluates fine-grained permission checks — determining whether a given subject has access to a specific resource and scope. The Access Gateway delegates permission evaluation requests to this component and enforces the resulting decisions.
The provider runs as a Keycloak extension, leveraging Keycloak's built-in authorization services, policies, and decision strategies to produce GRANT or DENY outcomes.
When to Read This Section
Read this section when you need to understand:
- How authorization decisions are evaluated in the Keymate platform
- The API surface for permission evaluation and organization context retrieval
- How the provider integrates with Keycloak's authorization services
- The request and response models for permission checks
- How to retrieve a complete permission profile for a user
Who Should Start Here
- Developers integrating with the authorization API or building enforcers that consume permission decisions
- Architects designing authorization flows and understanding the decision authority model
- Operators managing Keycloak realms, resource servers, and authorization policies
Key Topics
- Overview — Capabilities, API surface, and system role
Representative Journeys
- I want to understand what the Authorization Decision Provider does → Overview
- I want to understand how permission checks are processed → Overview
Recommended Reading Order
- Overview — Start here for the big picture
Related Sections
- Access Gateway — PDP Proxy and Edge Orchestrator that delegates permission evaluation to this component
- Policy Engine — Policy management and evaluation
- Architecture — System design and request evaluation flow