
Temporary Authority—Securely Captured and Enforced

Enable secure, auditable role delegation directly in Keycloak. Our Delegation Context SPI lets a user act with temporary privileges for the duration of a session, with the delegation context carried in session notes and in the tokens Keycloak issues, so that downstream policies can enforce it.

Secure Session-Level Delegation for Temporary Role Escalation

Why It Matters

Delegation and time-bound role elevation are essential in many environments:

  • A supervisor on leave delegates their approval rights
  • A compliance officer assumes an auditor role for 1 hour
  • A user temporarily inherits elevated access to handle a task

Keycloak by default lacks structured support for this. With Keymate's Delegation Context SPI, you gain:

  • ✅ Secure delegation input (initiator, role, scope, duration)
  • ✅ Runtime evaluation in tokens and policies
  • ✅ Full audit trail for accountability

Scoped, Time-Bound Privileges—Embedded in Tokens

When a user activates a delegated role, the sequence is shown in the Delegation Context Flow diagram.

Use cases include:

  • Just-in-Time RBAC
  • Emergency access ("break the glass")
  • Scoped impersonation with limits
  • Temporary role assumption for audit or HR scenarios

Example: A delegation request is approved, and session context is mapped to token claims for policy enforcement.

Key Components:

  • A delegation request is created and approved
  • The session includes fields such as delegated_role, delegation_expires_at and granted_by
  • These session fields are mapped to token claims
  • Policies can restrict access based on delegation time, scope, and initiator

Extension Highlights — What Makes It Unique

Delegation Metadata Injection

Adds delegated_role, delegation_expires_at, granted_by and related claims to issued tokens

Just-in-Time Elevation

Delegated roles are active only for the lifetime of the session and only within the policy-defined scope

Full Audit Trail

Every delegation is logged, traceable, and time-bound

Policy-Aware Claims

DSL or OpenFGA rules can evaluate delegated roles

Revocation Support

Delegation can be force-expired or revoked at runtime

Admin Console Integration

Delegations are manageable and reviewable via UI
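The following is an added example, not code from Keymate or Keycloak, showing how a resource server could enforce the delegation claims described above (the Key Components list and the Revocation Support highlight): expiry, scope, initiator and runtime revocation are each checked, and every check fails closed. The claim names delegated_role, delegation_expires_at and granted_by come from this page; delegation_scope and delegation_id are assumed names, since the page does not specify how scope or a revocation handle appears in the token. The token payload is constructed inline, and JWT signature verification is assumed to have already happened.

```python
"""Resource-server enforcement of delegation claims carried in a Keycloak token.

Added example; not Keymate's or Keycloak's code. Input is the decoded (and
already signature-verified) access-token payload as a dict.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_delegation(
    claims: dict,
    *,
    required_role: str,
    resource: str,
    trusted_grantors: frozenset,
    revoked_delegations: frozenset,
    now: int,
) -> Decision:
    """Decide whether the delegation in `claims` grants `required_role` on `resource`.

    `now` is epoch seconds. Any missing or malformed delegation claim denies
    access; the caller decides separately whether static roles apply.
    """
    role = claims.get("delegated_role")
    if role is None:
        return Decision(False, "no delegation present")
    if role != required_role:
        return Decision(False, f"delegated role {role!r} is not {required_role!r}")

    # Time bound: the delegation carries its own expiry, independent of the token's exp.
    expires_at = claims.get("delegation_expires_at")
    if not isinstance(expires_at, int):
        return Decision(False, "missing or malformed delegation_expires_at")
    if now >= expires_at:
        return Decision(False, "delegation expired")

    # Scope: assumed claim name delegation_scope, a list of resource identifiers.
    # Exact match only; a wildcard entry is deliberately not honoured.
    scope = claims.get("delegation_scope")
    if not isinstance(scope, list) or resource not in scope:
        return Decision(False, f"resource {resource!r} outside delegation scope")

    # Initiator: the grantor must be one we trust for this role, and a user
    # must not be able to grant a delegation to themselves.
    granted_by = claims.get("granted_by")
    if granted_by not in trusted_grantors:
        return Decision(False, f"grantor {granted_by!r} not trusted")
    if granted_by == claims.get("sub"):
        return Decision(False, "self-issued delegation rejected")

    # Runtime revocation: assumed claim name delegation_id, looked up against a
    # set the admin side maintains when a delegation is force-expired.
    delegation_id = claims.get("delegation_id")
    if delegation_id is None or delegation_id in revoked_delegations:
        return Decision(False, "delegation revoked or unidentifiable")

    return Decision(True, f"delegated role {role!r} valid until {expires_at}")


# Constructed reference clock and token payload (epoch seconds), not captured data.
NOW = 1_736_942_400
SAMPLE_CLAIMS = {
    "sub": "user-4412",
    "exp": NOW + 300,
    "delegated_role": "approver",
    "delegation_expires_at": NOW + 3600,
    "granted_by": "user-0007",
    "delegation_scope": ["purchase-orders"],
    "delegation_id": "dlg-8f3a",
}
TRUSTED_GRANTORS = frozenset({"user-0007"})


def check(claims: dict, revoked: frozenset = frozenset(), now: int = NOW) -> Decision:
    """Convenience wrapper fixing the resource and role for the sample scenario."""
    return evaluate_delegation(
        claims,
        required_role="approver",
        resource="purchase-orders",
        trusted_grantors=TRUSTED_GRANTORS,
        revoked_delegations=revoked,
        now=now,
    )


if __name__ == "__main__":
    print(check(SAMPLE_CLAIMS))
    print(check(SAMPLE_CLAIMS, now=NOW + 7200))
    print(check(SAMPLE_CLAIMS, revoked=frozenset({"dlg-8f3a"})))
```

The order of checks matters little for correctness, but the revocation lookup is placed last so that the cheap local checks reject most bad tokens before any network call a real revocation store would require. Note that the delegation's own expiry is checked in addition to the token's exp: a refreshed token must not silently carry a delegation past the window that was approved.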

Frequently Asked Questions

Is this the same as Keycloak impersonation?
No. Impersonation simulates another identity. This SPI preserves the user's identity but elevates privilege temporarily, with full traceability.

Can delegations be audited and revoked?
Yes. Delegation events are logged, and tokens can be revoked or shortened via the Admin Console.

How does this differ from static roles?
Static roles are long-lived and global. Delegated roles are temporary, scoped, and session-bound.

Can delegated context be used in fine-grained authorization models?
Absolutely. Delegated context can be evaluated in any FGA model as part of relationship-based or conditional rules.

How to Use This Extension

Implementation Steps

1. Deploy the SPI into your Keycloak instance
2. Enable the Delegation Context module in the Keymate Admin Console
3. Allow approved users to initiate a delegation (via UI or API)
4. Delegation metadata is written to the session and mapped into issued tokens
5. Define enforcement rules via DSL or OpenFGA
6. Monitor delegation events and expiration via observability tools

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.