
Reliable Event Publishing for IAM State Changes

From user updates to policy shifts—stream lifecycle events to Kafka with full delivery guarantees.

Emit Keycloak and Keymate lifecycle events to Kafka via outbox-driven, transaction-safe delivery

Outbox-Driven Architecture for Event Consistency

The event pipeline ensures every lifecycle event—whether from Keycloak core or Keymate modules—is safely captured and delivered.

Transactional Outbox Flow

Covers both Keycloak SPI events and Keymate-internal events produced by Admin Console, Organization Manager, Policy Engine, and more.

A robust pipeline for consistent event delivery from Keycloak to Kafka.

Key Components:

A custom EventStoreProvider that hooks into Keycloak's internal SPI
Transaction-safe outbox pattern storing events alongside Keycloak DB operations
A lightweight event-forwarding microservice that reads the outbox
Integration Hub receiving gRPC calls and publishing to Kafka
Support for both Keycloak native and Keymate-generated events

What It Does

In addition to standard Keycloak lifecycle events, this extension also captures and propagates Keymate platform events—such as policy updates, org changes, and delegated access operations—emitted by custom extensions or admin actions. These events are seamlessly funneled through the same transaction-safe outbox mechanism, ensuring consistent delivery and observability across both native and extended IAM operations.

Supported IAM Events

This SPI enables high-reliability publication of IAM events such as:

User creation, updates, deletions
Role and group changes
Organization lifecycle events
Session events, token exchanges, authenticator flows
Keymate-specific events like delegation, impersonation, or policy changes

Extension Highlights

Outbox-Pattern Integration

Avoids dual-write issues by storing events in DB within the same transaction

gRPC Event Forwarder

A separate microservice reads the outbox and forwards events to Integration Hub

Unified Event Handling

Supports both Keycloak SPI and Keymate internal events

Tenant-Aware & Scoped

Each event is tagged with tenant and org context for downstream filtering

Guaranteed Delivery

No lost events—even under load or failure scenarios

Observability Built-In

Every publish is traced with OpenTelemetry and can be audited via Signoz

Frequently Asked Questions

It complements audit logging but is designed for real-time messaging. Audit logs are persisted separately for compliance.
Yes, each event includes tenant and org tags. Downstream consumers can filter using those.

How to Use This Extension

Ready to build a reactive, event-driven IAM architecture? Get the Event Publisher SPI from GitHub or contact us for deployment support.

Implementation Steps

1. Deploy the EventStoreProvider SPI into your Keycloak distribution
2. Set up the outbox table in the shared Keycloak database
3. Deploy the outbox-reader microservice (available in the Keymate Integration stack)
4. Connect Integration Hub to Kafka and configure topic mappings
5. Optionally, subscribe microservices to consume these Kafka topics
