Personalize User Experience with Secure Avatar Management

Let your users upload and manage their profile images through a secure, integrated extension—without compromising identity governance. Fully decoupled from Keycloak’s theme engine and adaptable to your storage backend of choice.

Secure, Pluggable Profile Image Support for IAM Users

Decoupled Avatar Storage with IAM-Aware Access

This extension provides a seamless profile image upload and retrieval interface integrated with Keycloak, while keeping avatar storage external and secure. It supports:

Avatar Management Flow

All without modifying Keycloak’s default theme system—offering clean separation and strong security.

Example: A decoupled architecture for secure and flexible user avatar management.

Key Components:

User upload and crop UI for profile images
Avatar URL enrichment in access tokens (optional)
Fully pluggable backend support (e.g., MinIO, S3, Azure Blob, custom)
Secure, token-authenticated fetch endpoints for UI and external systems
RBAC-controlled upload and delete permissions
Multi-tenant isolation for avatar storage paths

Extension Highlights

Storage Agnostic

Integrate with any object/blob storage—MinIO, AWS S3, Azure, GCP, or custom drivers

Frontend Integration

React-based image uploader (cropping + preview) designed for integration with Keymate Admin Console or your custom UI

Token Enrichment (Optional)

Avatar URL can be dynamically injected into access tokens

Multi-Tenant Support

Avatar paths and access are scoped per tenant/realm

Access-Controlled Fetch API

Dedicated endpoint with secure access control for image retrieval

Sanitized & Resized Uploads

Image validation and optional resizing on upload

Self-Service & Admin Modes

Users can update their own avatars or admins can set avatars centrally

Frequently Asked Questions

Yes. The extension is fully pluggable—you can implement a custom StorageProvider SPI to use AWS S3, Azure Blob, GCP Storage, or even local disk.
No. This extension avoids the fragile theme customization route. It provides clean endpoints and APIs to integrate with your React/Vue/Angular UIs or the Keymate Admin Console.
Yes—avatar URLs can be injected into access tokens, if configured. This is optional and controlled via SPI.
Yes. Each tenant/realm has isolated storage paths and upload permissions.

How to Use This Extension

Bring profile personalization to life—securely. Activate the User Avatar Extension and give your users a secure, isolated, and pluggable way to manage their visual identity.

Implementation Steps

1. Deploy the extension JAR into your Keycloak server
2. Configure the preferred storage provider (MinIO, S3, etc.)
3. Enable avatar upload via Admin Console or REST API
4. Integrate frontend UI uploader or use the Keymate Console module
5. (Optional) Enable avatar token claim injection
6. Secure image fetch endpoint with access token validation
7. Monitor avatar usage and image access logs if required
