
Context That Persists—From Login to Authorization

Enrich tokens with structured metadata from Keycloak session notes—like selected organization, delegated role, or context-specific flags—to enable fine-grained, scoped authorization across the platform.

Secure Propagation of Session Context into Access Tokens

Why It Matters

Many security-critical access decisions depend on user session context—which can't be fully captured by roles alone. For example:

  • Which organization or department the user selected during login
  • Whether the user is operating under a delegated "hat"
  • A temporary context like an elevated privilege or impersonation scope

This context lives in Keycloak's user session notes. By default it never reaches the token: nothing is emitted unless a protocol mapper is configured for each note, and Keycloak's built-in User Session Note mapper copies a note's value verbatim, without validating it.

Keymate's custom Session Notes Mapper SPI solves this—securely injecting session context into tokens, making it usable across API gateways, SDKs, and OpenFGA authorization layers.

From Login Choice to Token Claim—Secure Session Context Flow

When a user logs in and selects their org unit, role, or scope:

[Diagram: Session Notes to Token Flow]

This enables policies like:

  • Allow if token.selected_org == resource.org_id
  • Deny if token.delegated_role is null
  • Apply audit rule if impersonation == true

Example: Securely map session context to token claims for fine-grained authorization.

Key Components:

Authenticator writes to session notes
Keymate's SPI reads and validates context
Selected fields are copied into the access token
Authorization decisions gain session-aware precision

Extension Highlights — What Makes It Unique

Secure Mapping of Session Notes

Only validated and whitelisted session keys are mapped

Policy-Ready Output

DSL and OpenFGA can consume session-derived claims

Use Cases: Delegation, Impersonation, Scoped Roles

Great for Just-in-Time Role Elevation and multi-org contexts

Auditable & Traceable

Mappings are logged and visible in token inspection views

Tenant-Aware

Works seamlessly with multi-tenant org structures

Non-Invasive to Core Keycloak

Built using SPI without overriding token mappers or core code

Frequently Asked Questions

Why not use Keycloak's standard token mappers?
Keycloak's built-in User Session Note mapper copies one note per mapper into a claim verbatim, with no validation and no allow-list of permitted keys. Our SPI is purpose-built for a validated session-to-token flow.

When should I use this SPI instead of roles?
This SPI is ideal for dynamic session contexts like delegated roles or Just-in-Time privileges, none of which are covered by static roles.

Are the mappings auditable?
Yes. Mapped fields are logged and observable via the Admin Console and OpenTelemetry traces.

Does it work with Keycloak Organizations?
Yes. It integrates cleanly with both Keycloak Organizations and Keymate's extended org modeling.

How to Use This Extension

Implementation Steps

1. Deploy the SPI JAR into your Keycloak instance (on the Quarkus distribution, copy it into the providers/ directory and run kc.sh build so the provider is registered)
2. Define whitelisted session keys to allow mapping (e.g., selected_org, delegated_role)
3. Use your login authenticators to write into session notes
4. The SPI automatically copies these fields into access tokens on issuance
5. Reference them in your DSL policies, SDK logic, or API Gateway plugins
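To make the Key Components and the Implementation Steps above concrete, here is an added example of a Keycloak protocol mapper that does the validated, whitelisted session-note-to-claim copy. It is illustration written for this page, not Keymate's SPI: the package, class, provider ID, config key name and validation patterns are assumptions; the Keycloak types and methods it calls (AbstractOIDCProtocolMapper, setClaim, UserSessionModel.getNote, OIDCAttributeMapperHelper.addIncludeInTokensConfig, AuthenticationSessionModel.setUserSessionNote) are Keycloak's own API.

```java
// Added illustration, not Keymate's code. Package, class, provider ID and config
// key are hypothetical; the Keycloak SPI types and methods are real.
package example.sessionnotes;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

import org.jboss.logging.Logger;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/**
 * Copies only allow-listed, validated user session notes into token claims.
 * An authenticator earlier in the login flow writes the note with
 *   context.getAuthenticationSession().setUserSessionNote("selected_org", orgId);
 * and Keycloak carries it into the UserSessionModel that is read here.
 */
public class AllowListedSessionNoteMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String PROVIDER_ID = "example-allowlisted-session-note-mapper"; // hypothetical
    static final String CONFIG_ALLOWED_KEYS = "allowed.session.keys";                   // hypothetical

    private static final Logger LOG = Logger.getLogger(AllowListedSessionNoteMapper.class);

    // Values must be short, printable identifiers: no whitespace, no JSON/JWT delimiters.
    private static final Pattern SAFE_VALUE = Pattern.compile("^[A-Za-z0-9_.:\\-]{1,128}$");
    // Keys must be plain claim names so a note can never overwrite a reserved claim.
    private static final Pattern SAFE_KEY = Pattern.compile("^[a-z][a-z0-9_]{0,63}$");
    private static final Set<String> RESERVED =
            Set.of("iss", "sub", "aud", "exp", "iat", "nbf", "jti", "azp", "scope", "sid");

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static {
        ProviderConfigProperty allowed = new ProviderConfigProperty();
        allowed.setName(CONFIG_ALLOWED_KEYS);
        allowed.setLabel("Allowed session note keys");
        allowed.setType(ProviderConfigProperty.STRING_TYPE);
        allowed.setHelpText("Comma-separated session note keys that may be copied into the token, "
                + "e.g. selected_org,delegated_role,impersonation");
        CONFIG.add(allowed);
        // Adds the standard "Add to ID token / access token / userinfo" switches.
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, AllowListedSessionNoteMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Allow-listed Session Note"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Copies validated, allow-listed user session notes into token claims."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    /** Parses the configured key list, dropping anything that is not a safe, non-reserved claim name. */
    static Set<String> parseAllowedKeys(String configured) {
        if (configured == null || configured.isBlank()) return Set.of();
        return Arrays.stream(configured.split(","))
                .map(String::trim)
                .filter(k -> SAFE_KEY.matcher(k).matches() && !RESERVED.contains(k))
                .collect(Collectors.toUnmodifiableSet());
    }

    static boolean isSafeValue(String value) {
        return value != null && SAFE_VALUE.matcher(value).matches();
    }

    // AbstractOIDCProtocolMapper calls this for the access token, ID token and userinfo
    // according to the include-in-token switches, so one allow-list governs all three.
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
                            KeycloakSession keycloakSession, ClientSessionContext clientSessionCtx) {
        Set<String> allowed = parseAllowedKeys(mappingModel.getConfig().get(CONFIG_ALLOWED_KEYS));
        Map<String, Object> claims = token.getOtherClaims();
        for (String key : allowed) {
            String value = userSession.getNote(key);
            if (value == null) continue;            // note not set in this session: emit nothing
            if (!isSafeValue(value)) {              // fail closed on unexpected content
                LOG.warnf("session note %s rejected for user session %s: value failed validation",
                        key, userSession.getId());
                continue;
            }
            claims.put(key, value);
            LOG.debugf("mapped session note %s into token for user session %s", key, userSession.getId());
        }
    }
}
```

To register the mapper, list the class name in META-INF/services/org.keycloak.protocol.ProtocolMapper inside the JAR, deploy as in step 1, then add the mapper to a client scope in the Admin Console and fill in the allowed keys. One caveat the allow-list does not cover: the mapper validates the form of a note, not who wrote it. Any authenticator in the flow can call setUserSessionNote, so a note like delegated_role is only as trustworthy as the step that checked the user's entitlement before writing it.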

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.