Fine-Grained Event Filtering Before Publishing

Control which Keycloak or Keymate events are eligible for external publication—based on tenant, role, event type, or custom attributes. Works as a filtering layer between event emitters and the outbound stream.

Filtered Event Publishing by Tenant, Role, and Type

Why It Matters

In multi-tenant IAM platforms, not all events should leave the system. Some tenants may opt out of external logging, or only certain roles and event types should be forwarded. With Keymate's Event Filtering SPI, you can:

Apply dynamic rules before events are added to the outbound event stream
Respect tenant-level data privacy and regulatory scopes
Reduce noise by publishing only meaningful or scoped changes
Prevent confidential role or permission changes from being sent externally

Scoped Filtering Between Event Emitters and Event Hub

Use Cases Include:

• Tenant-level filtering (multi-tenant environment isolation)
• Role-sensitive change tracking
• Subscription-based external stream shaping
• Secure logging for government or regulated environments

Event Filtering Flow

Example:

A Keycloak or Keymate component emits an event (e.g. user created, role assigned)
The Event Publisher SPI attempts to store the event in the outbox
The Event Filtering SPI intercepts this call and evaluates rules
If the event passes the filter, it is written to the outbox
Integration Hub later reads and publishes it to Kafka

Extension Highlights — What Makes It Unique

Tenant-Aware Filtering

Evaluate if an event is allowed to leave based on tenant ID

Role & Scope Filtering

Filter based on user role, realm role, or resource scope

Type-Based Filtering

Allow only certain event types: user, org, auth, delegation

Pre-Outbox Interception

Filtering happens before outbox persistence

Compatible with Event Publisher SPI

Seamlessly integrates with Keymate's event streaming layer

Declarative Rule Support

Future roadmap includes YAML or UI-based rule definitions

Frequently Asked Questions

No. This is an optional filtering SPI that intercepts events before they are saved in the outbox table.
Rejected events are simply discarded and never sent to the Integration Hub or Kafka.
Yes. Filtering logic can be implemented programmatically today, and declarative config support is on the roadmap.
Yes. The filtering logic has access to all session notes, token context, and event metadata.

How to Use This Extension

Implementation Steps

1. Install the Event Filtering SPI into your Keycloak deployment
2. Define your filtering rules in Java (or use the upcoming YAML format)
3. Connect the SPI with the Event Publisher flow
4. Events passing the filter are written to the outbox table
5. The Integration Hub reads and publishes them to Kafka or other systems
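The filtering flow and step 2 ("define your filtering rules in Java"), shown as an added example that is not Keymate's or Keycloak's code: the `Event`, `EventFilter`, `ScopedFilter` and `FilteringOutbox` types and the tenant and role names are hypothetical stand-ins, not the real SPI interfaces. It assumes a default-deny policy with an explicit list of publishing tenants, so a malformed event or a filter exception keeps the event out of the outbox.

```java
import java.util.*;

// Hypothetical types for illustration; NOT Keymate's or Keycloak's SPI interfaces.
public class PreOutboxFilterDemo {
    record Event(String tenantId, String type, String role) {}

    interface EventFilter { boolean allow(Event e); }

    // Default-deny: every condition must hold for the event to reach the outbox.
    static final class ScopedFilter implements EventFilter {
        private final Set<String> publishingTenants;  // tenants that allow external publishing
        private final Set<String> allowedTypes;       // e.g. user, org, auth, delegation
        private final Set<String> confidentialRoles;  // role changes that must never leave

        ScopedFilter(Set<String> tenants, Set<String> types, Set<String> roles) {
            publishingTenants = Set.copyOf(tenants);
            allowedTypes = Set.copyOf(types);
            confidentialRoles = Set.copyOf(roles);
        }

        @Override public boolean allow(Event e) {
            if (e == null || e.tenantId() == null || e.type() == null) return false; // malformed
            if (!publishingTenants.contains(e.tenantId())) return false;
            if (!allowedTypes.contains(e.type())) return false;
            return e.role() == null || !confidentialRoles.contains(e.role());
        }
    }

    // Stand-in for the publisher's outbox write, with the filter in front of persistence.
    static final class FilteringOutbox {
        final List<Event> rows = new ArrayList<>();
        private final EventFilter filter;
        FilteringOutbox(EventFilter filter) { this.filter = filter; }

        boolean store(Event e) {
            boolean ok;
            try { ok = filter.allow(e); } catch (RuntimeException ex) { ok = false; } // fail closed
            if (ok) rows.add(e); // rejected events are discarded, never persisted
            return ok;
        }
    }

    public static void main(String[] args) {
        var outbox = new FilteringOutbox(new ScopedFilter(
            Set.of("tenant-a"), Set.of("user", "org", "auth", "delegation"), Set.of("realm-admin")));
        // Constructed sample events
        System.out.println(outbox.store(new Event("tenant-a", "user", "viewer")));      // publishing tenant, allowed type
        System.out.println(outbox.store(new Event("tenant-b", "user", "viewer")));      // tenant not in publishing set
        System.out.println(outbox.store(new Event("tenant-a", "user", "realm-admin"))); // confidential role change
        System.out.println(outbox.store(new Event("tenant-a", "billing", null)));       // type outside the allowlist
        System.out.println("outbox rows: " + outbox.rows.size());
    }
}
```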
