
Switch Departments—Without Logging Out

Empower users to securely switch their department or unit context mid-session using a seamless token exchange flow. No re-login. No duplicated sessions. Just scoped, auditable context updates—on demand.

Seamless Department Switching Without Reauthentication

Why It Matters

In modern enterprise systems, users often hold responsibilities across multiple departments or business units. However, Keycloak's default session and token structure lacks built-in support for context switching.

This causes:

  • Conflicting permissions
  • Confusing audit trails
  • Risk of privilege leakage

Keymate solves this with a secure token exchange flow that updates the active department context while keeping the user's session intact and scoped.

Switch Context. Retain Trust.

The Department Switch flow includes:

  • Department Switch via Token Exchange

This enables fine-grained access control and visibility without requiring logout/login cycles.

Example: A user securely switches their active department mid-session.

Key Components:

  • User selects a different department from the UI (e.g., via dropdown)
  • A request is made to a custom token exchange endpoint
  • Keycloak validates that the user has permission to switch
  • The new department is stored in session notes
  • A fresh access token is issued with the updated context
  • Optional audit event is triggered for traceability

Extension Highlights — What Makes It Unique

Session-Preserving Switch

Update only department context—session and identity stay intact

Scoped Token Regeneration

New token reflects updated department and clears the previous scope

Access Control Integration

Switch operation is policy-governed (e.g., role-based)

Audit-Ready

Every switch generates an auditable event

Built for Multi-Org Setups

Works seamlessly with org-aware sessions and OpenFGA policies

No UX Disruption

Lightweight UI dropdown or API call—no full logout required

Frequently Asked Questions

  • That would require invalidating the session and interrupting the user experience. Our method preserves the session and security context.
  • The extension checks whether the user is permitted to operate in the target department, based on policies, roles, or admin config.
  • No. Access can be restricted by organization rules, user roles, or time-bound delegation.
  • Yes. New tokens are enriched with the updated department, supporting precise OpenFGA checks.

How to Use This Extension

Implementation Steps

1. Deploy the token exchange extension to your Keycloak instance
2. Register the department switch grant type in your realm
3. Define validation rules (e.g., allow switch only if delegated)
4. Expose a dropdown or API call in your app frontend
5. Monitor department switch logs via observability tools
6. Use updated tokens in your downstream access checks
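The Key Components flow described earlier and steps 3 and 6 of the implementation, modelled end to end as an added, self-contained example. This is not Keymate's or Keycloak's code: it stands in for the exchange endpoint with a plain function, signs tokens with HS256 under a constructed secret (Keycloak signs with the realm's asymmetric key), and uses in-memory dictionaries for the user session and its notes, the delegation policy, and the audit store. The claim names `department`, `scope` and `sid`, the audit event names, and the sample users and departments are all assumptions.

```python
# Added example: a self-contained model of the department-switch token exchange.
# Not Keymate's or Keycloak's code. Assumptions: HS256 tokens under a constructed
# secret (Keycloak uses the realm's asymmetric key), the claim names `department`,
# `scope` and `sid`, and in-memory stand-ins for sessions, delegations and audit.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-do-not-reuse"  # constructed stand-in for the realm key
TOKEN_TTL = 300  # seconds; short lifetimes limit how long a pre-switch token stays usable

# Constructed sample state. In Keycloak these are the user session and its notes,
# the delegation/role policy, and the event store.
USER_SESSIONS = {"sess-1": {"user": "alice", "department": "finance"}}
DELEGATIONS = {"alice": {"finance", "hr"}}  # departments alice may operate in
AUDIT_LOG = []

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict) -> str:
    """Mint a compact HS256 JWT (stand-in for the realm's token signer)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims

def issue_token(session_id: str) -> str:
    """Issue an access token scoped to the session's *current* department note."""
    sess = USER_SESSIONS[session_id]
    now = int(time.time())
    return sign_token({
        "sub": sess["user"],
        "sid": session_id,
        "department": sess["department"],
        "scope": f"dept:{sess['department']}",  # regenerated; the old scope is not carried over
        "iat": now,
        "exp": now + TOKEN_TTL,
    })

def switch_department(subject_token: str, target: str) -> str:
    """The exchange: validate the caller, enforce the delegation policy, update
    the session note, mint a fresh token and write an audit event. Refusals are
    audited too, then raised as PermissionError."""
    claims = verify_token(subject_token)
    user, sid = claims["sub"], claims["sid"]
    sess = USER_SESSIONS.get(sid)
    if sess is None or sess["user"] != user:
        raise PermissionError("no live session for this token")
    previous = sess["department"]
    if target not in DELEGATIONS.get(user, set()):
        AUDIT_LOG.append({"event": "DEPARTMENT_SWITCH_DENIED", "user": user,
                          "sid": sid, "from": previous, "to": target})
        raise PermissionError(f"{user} is not delegated to {target}")
    sess["department"] = target  # same session and identity, new context
    AUDIT_LOG.append({"event": "DEPARTMENT_SWITCH", "user": user,
                      "sid": sid, "from": previous, "to": target})
    return issue_token(sid)

def authorize(token: str, resource_department: str) -> bool:
    """Downstream check: the token's active department must match the resource's.
    A token minted before the switch still names the old department, so it is
    refused for the new one (and stays usable for the old one until it expires)."""
    try:
        claims = verify_token(token)
    except ValueError:
        return False
    return claims.get("department") == resource_department

if __name__ == "__main__":
    before = issue_token("sess-1")
    after = switch_department(before, "hr")
    print(verify_token(after)["department"], authorize(after, "hr"), authorize(before, "hr"))
    print(AUDIT_LOG[-1])
```

Two points the model makes visible: the new token carries exactly one department and a freshly generated scope, so a resource server only needs the `department` claim (or the OpenFGA object it maps to) to decide; and the token issued before the switch remains a valid bearer token for the old department until it expires, which is why short access-token lifetimes and the downstream check in step 6 matter together.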

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.