OpenID Connect & OAuth 2.1 Compatibility

Authenticate users and authorize access with full support for OIDC and OAuth 2.1—backed by a hardened Keycloak foundation.

Standards-Based Identity & Authorization Flows for Modern Applications

Why It Matters

Modern applications require secure, standards-compliant authentication and authorization protocols to ensure interoperability and resilience. Whether you're building internal tools or customer-facing services, standards matter.

With Keymate:

OpenID Connect enables user login, profile fetch, and SSO across your apps
OAuth 2.1 ensures secure, modern token flows with best-practice defaults
Applications written in any language or framework can integrate easily
Supports PKCE, refresh tokens, authorization code flow, client credentials, and more
Token lifetimes, scopes, and claims can be fully managed via admin console and APIs

Token-Based Identity for Any App, Any Protocol

Client initiates auth request via OIDC/OAuth2.1.
Keymate (via Keycloak) authenticates user or client.
Tokens are issued (ID, access, refresh) with tailored claims.
Tokens are validated by resource servers or APIs.
Optional: Token introspection or enrichment flows.
Full visibility into token lifecycle with audit and tracing.

Token-Based Identity Flow

Common Use Cases:

Single Sign-On (SSO) across internal or external services
Machine-to-machine API access via client credentials flow
Browser-based login with PKCE for SPAs and mobile apps
Custom token enrichment for fine-grained access control

Feature Highlights

OAuth 2.1 Compatibility

Conforms to latest spec with updated defaults and flow hardening

OpenID Connect

Full support for ID tokens, scopes, userinfo endpoint

Token Refresh & Revocation

Manage token lifetimes and revocation centrally

Token Introspection

Optional SPI integration for token content inspection

Claim Mapping & Customization

Tailor claims per client or user profile

Multiple Flows Supported

Auth code, PKCE, client credentials, implicit (legacy), refresh

Frequently Asked Questions

Keymate supports both. All default flows follow OAuth 2.1 best practices (PKCE, no implicit flow, secure defaults).
Yes. Use the Keymate Admin Console or Token Attribute Enricher SPI to define claim mappings.
Yes. Introspection endpoints and SPI hooks allow resource servers to validate token metadata.
Planned for a future release. For now, clients are created via admin console or API.

How to Use It

Follow these steps to enable:

1. Register clients using the Admin Console or REST API
2. Configure redirect URIs, scopes, and flows (auth code, client creds, etc.)
3. Secure clients using client secret or JWT assertion
4. Integrate your apps using any OIDC/OAuth 2.x library
5. Use Admin Console or DSL to control token behavior and claims
