Put the Right Context Inside Every Token

With Keymate's Token Attribute Enricher, your access tokens carry rich, real-time organizational and contextual metadata—so authorization decisions are precise, scoped, and audit-ready.

Context-Rich Tokens for Authorization, Auditing, and Analytics

Why It Matters

Default Keycloak tokens are limited to static claims—often just roles and basic user attributes. But in real-world enterprise environments, you need more:

  • Department, unit, position, clearance level
  • Session-specific role (aka delegated "hat")
  • Risk score, impersonation flags
  • Tenant and organization hierarchy

This extension enriches every token with live, scoped session context, without custom token mappers or manual workarounds.

From Session to Token—Automatic Attribute Injection

The Token Attribute Enricher:

Token Attribute Enrichment Flow

Fully compatible with OpenFGA and Keymate Authorization DSL.

Example: Session notes and external data are injected into access tokens.

Key Components:

  • Reads values from Keycloak session notes (e.g., selected org, role, risk score)
  • Pulls additional user/org metadata from configured sources (e.g., HRMS)
  • Injects structured fields into access and ID tokens at login or token refresh
  • Ensures those fields are read-only and verifiable throughout the session
  • Supports standard and custom token formats (JWT, opaque)
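The consuming side of an enriched token, as an added example (not Keymate's or Keycloak's code): a resource server verifies signature and expiry first, then uses the orgId, riskScore and delegated-role claims for a scoped decision and an audit-ready record. The HS256 signing, the constructed claim set and the claim names other than orgId and riskScore (delegatedRole, impersonated, department) are assumptions for illustration; Keycloak itself issues asymmetrically signed tokens.

```python
import base64, hashlib, hmac, json
# Constructed key and claims for this example; a real Keycloak realm signs with RS256/ES256
# and verifiers fetch the public key from the realm's JWKS endpoint instead.
EXAMPLE_KEY = b"constructed-example-key"
NOW = 1_700_000_000  # fixed clock so the example is deterministic
SAMPLE_CLAIMS = {"sub": "alice", "orgId": "org-42", "department": "finance", "role": "analyst",
                 "delegatedRole": "approver", "riskScore": 20, "exp": NOW + 300}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_enriched_token(claims: dict, key: bytes) -> str:
    """Stand-in for the Keycloak-issued token: header.payload.HS256 signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str, key: bytes, now: int) -> dict:
    """Check signature and expiry before any enriched claim is trusted."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def is_valid(token: str, key: bytes, now: int) -> bool:
    try:
        verify_token(token, key, now)
        return True
    except ValueError:
        return False

def authorize(claims: dict, resource_org: str, max_risk: int) -> dict:
    """Decide on the enriched claims and return an audit-ready record of the decision."""
    reasons = []
    if claims.get("orgId") != resource_org:
        reasons.append("org mismatch")
    if claims.get("riskScore", 100) > max_risk:  # a missing score counts as high risk
        reasons.append("risk above threshold")
    return {"allowed": not reasons, "subject": claims.get("sub"), "orgId": claims.get("orgId"),
            "effectiveRole": claims.get("delegatedRole") or claims.get("role"),  # delegated "hat" wins
            "riskScore": claims.get("riskScore"), "impersonated": claims.get("impersonated", False),
            "reasons": reasons}
```

The returned record is what an audit log should carry: the subject, the org scope, the effective (delegated) role, the risk score evaluated and the reasons for any denial, all taken from verified claims rather than from request parameters.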

Extension Highlights — What Makes It Unique

Org-Aware Fields

Add organization ID, department, unit, company, position

Delegation Support

Include delegated role or impersonation metadata

Risk Score Injection

Embed real-time risk level for RADAC scenarios

Dynamic Source Mapping

Pull from session notes, LDAP, HRMS, or external APIs

OpenFGA-Ready

Enriched fields map directly to relationship models

Secure and Immutable

Injected claims are tamper-proof within the token lifecycle

Frequently Asked Questions

Token mappers are static and not session-aware. This extension dynamically injects live session, org, and risk data—without hacks.
Changes can be detected and reflected in token refreshes or scoped to session expiry.
Yes. They are explicitly mapped into your authorization models via Keymate DSL and OpenFGA tuples.
Absolutely. You can map enrichment fields to external APIs or user attribute stores.

How to Use This Extension

Implementation Steps

1. Deploy the extension JAR to your Keycloak instance
2. Add a TokenAttributeEnricher SPI implementation to your flow
3. Define which session notes or external fields to enrich
4. Customize token claim keys as needed (e.g., orgId, riskScore)
5. Use enriched fields in policy definitions or logs
6. Optionally trace enrichment results in audit logs

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.