
Context-Aware Risk Scoring Inside Every Token

Enrich Keycloak tokens with dynamic, real-time risk scores—powered by behavior, location, and device intelligence—to enable adaptive security policies and risk-aware access control.

Adaptive Token Enrichment with Contextual Risk Intelligence

Why It Matters

In a zero-trust world, static roles are no longer enough. Access decisions must adapt to real-time context:

  • Is the login coming from an unusual location?
  • Is the device unfamiliar or flagged?
  • Has the user exhibited suspicious behavior?

Keymate's Risk Score Enricher SPI injects this context directly into Keycloak tokens, enabling risk-adaptive policies across APIs, services, and apps.

Adaptive Security Starts with the Token

The Risk Score Enricher SPI plugs into Keycloak's token issuance flow and evaluates contextual factors:

Risk Score Enrichment Flow

The result? Each token contains a risk_score or risk_level—ready to drive policy enforcement.

Example: Contextual factors are evaluated to generate a risk score, which is then injected into the access token.

Key Components:

  • User IP, geolocation, and device fingerprint
  • Login time anomalies or behavioral drift
  • Historical risk trends or external threat feeds
  • Session context (delegation, impersonation, etc.)

Extension Highlights — What Makes It Unique

Behavioral Risk Signals

Real-time scoring based on IP, time, location, device patterns

Token-Level Intelligence

Inject risk_score, risk_level, or custom risk fields into tokens

External Engine Integration

Connects to in-house or 3rd-party risk engines via REST/gRPC

Dynamic Threshold Support

Enable just-in-time MFA or access restrictions based on risk level

Audit and OTEL Integration

Risk scoring logic is traced and logged for auditing and forensics

Policy-Ready Output

DSL or OpenFGA policies can directly evaluate risk claims in tokens

Frequently Asked Questions

No. You can use our default logic or plug into any external REST/gRPC-based scoring service.
That enriches static org/context values. This enriches dynamic, security-focused fields based on real-time risk.
Absolutely. You can use expressions like token.risk_level == "low" or token.risk_score < 50 in your DSL or FGA rules.
Yes. You can trigger additional auth steps when risk_score crosses a defined threshold.

How to Use This Extension

Implementation Steps

1. Deploy the SPI JAR into your Keycloak instance
2. Configure which contextual factors you want to evaluate (IP, time, device, etc.)
3. Integrate with your risk scoring logic or use built-in heuristics
4. Define enrichment output format (score, level, metadata)
5. Enable policies that react to risk levels (MFA, access denial, role limitation)
6. Monitor risk events via OpenTelemetry and audit logging
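The enrichment flow described above and the policy expressions from the FAQ (token.risk_level == "low", token.risk_score < 50, step-up when the score crosses a threshold), as an added Python sketch that is not Keymate's SPI code (the real extension is a Java Keycloak SPI). Factor weights, level bounds, the step-up threshold and the login data are assumed values constructed for the example.

```python
from dataclasses import dataclass

# Factor weights and thresholds are assumed values chosen for this example.
WEIGHTS = {"unknown_ip": 30, "unfamiliar_device": 30, "geo_mismatch": 25, "off_hours": 15}
LEVEL_BOUNDS = [(30, "low"), (60, "medium")]  # score < bound => level; otherwise "high"
STEP_UP_THRESHOLD = 50  # risk_score at or above this triggers just-in-time MFA
BUSINESS_HOURS_UTC = range(7, 20)

@dataclass
class LoginContext:  # contextual signals available at token issuance
    ip: str
    device_id: str
    country: str
    hour_utc: int

@dataclass
class UserProfile:  # what the scoring engine already knows about the user
    known_ips: frozenset
    known_devices: frozenset
    home_country: str

def compute_risk_score(ctx: LoginContext, profile: UserProfile) -> int:
    """Additive heuristic: each anomalous factor adds its weight, capped at 100."""
    score = 0
    if ctx.ip not in profile.known_ips:
        score += WEIGHTS["unknown_ip"]
    if ctx.device_id not in profile.known_devices:
        score += WEIGHTS["unfamiliar_device"]
    if ctx.country != profile.home_country:
        score += WEIGHTS["geo_mismatch"]
    if ctx.hour_utc not in BUSINESS_HOURS_UTC:
        score += WEIGHTS["off_hours"]
    return min(score, 100)

def risk_level(score: int) -> str:
    """Map a numeric score onto the low/medium/high bands."""
    return next((lvl for bound, lvl in LEVEL_BOUNDS if score < bound), "high")

def enrich_token(token: dict, ctx: LoginContext, profile: UserProfile) -> dict:
    """Return a copy of the token claims with risk_score and risk_level injected."""
    score = compute_risk_score(ctx, profile)
    return {**token, "risk_score": score, "risk_level": risk_level(score)}

def policy_decision(token: dict) -> str:
    """Policy side: the same checks a DSL rule such as token.risk_score < 50 would make."""
    if token["risk_level"] == "low":
        return "allow"
    if token["risk_score"] >= STEP_UP_THRESHOLD:
        return "require_mfa"
    return "allow_restricted"
```

The policy function stands in for the DSL/OpenFGA rules that consume the claims; the enricher only computes and injects them.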

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.