Authorization That Understands Context — Not Just Identity

Keymate evaluates user context — like IP address, login time, department, risk score, and resource ownership — to enforce smarter, dynamic access policies in real time.

Real-Time Access Decisions Based on IP, Time, Department & Risk

How Contextual Access Decisions Work

In Keymate, context data is attached to user sessions or tokens at login. This includes attributes like IP, department, login channel, device type, or even resource ownership. These values are evaluated against DSL policies in real time and, when necessary, forwarded to OpenFGA for external relationship or graph-based evaluation.

Context-Aware Evaluation Flow

Example:

User: user:fatma
IP: 192.168.10.3
Department: Finance
Time: 21:05
DSL Policy: user.department == "Finance" && context.ip.startsWith("192.168.") && context.time < 2100
Result: Denied (time exceeded)
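The example above, worked as an added illustration (not Keymate's DSL engine or SDK; all function names are hypothetical): it evaluates the three conditions, records a per-condition trace for "why denied" visibility, and fails closed on missing or malformed attributes. It goes slightly beyond the page by checking the IP against 192.168.0.0/16 as a parsed address rather than with a string prefix, and it assumes context.time arrives as "HH:MM".

```javascript
// Added illustration; not Keymate's DSL engine or SDK. All function names are hypothetical.

// "HH:MM" -> integer form the page's policy compares against (21:05 -> 2105); null if malformed.
function toHHMM(s) {
  const m = /^([01]\d|2[0-3]):([0-5]\d)$/.exec(String(s));
  return m ? Number(m[1]) * 100 + Number(m[2]) : null;
}

// Strict dotted-quad parse to an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(s));
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// CIDR membership instead of string-prefix matching (assumption: stricter than the page's startsWith).
function inCidr(ip, base, bits) {
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// The page's three conditions, each with the attribute it reads and its test.
const policy = [
  { expr: 'user.department == "Finance"', attr: (r) => r.user.department, test: (v) => v === "Finance" },
  { expr: "context.ip in 192.168.0.0/16", attr: (r) => r.context.ip, test: (v) => inCidr(v, "192.168.0.0", 16) },
  { expr: "context.time < 2100", attr: (r) => toHHMM(r.context.time), test: (v) => v < 2100 },
];

// Evaluate every condition (no short-circuit) so the trace shows all failures; missing data fails closed.
function evaluate(request) {
  const trace = policy.map((c) => {
    let actual = null;
    try { actual = c.attr(request) ?? null; } catch { actual = null; }
    return { expr: c.expr, actual, passed: actual !== null && c.test(actual) };
  });
  const failed = trace.filter((t) => !t.passed).map((t) => t.expr);
  return { decision: failed.length === 0 ? "ALLOW" : "DENY", failed, trace };
}

// Constructed request using the values from the page's example.
const sample = {
  user: { id: "user:fatma", department: "Finance" },
  context: { ip: "192.168.10.3", time: "21:05" },
};
console.log(JSON.stringify(evaluate(sample), null, 2));
```

The trace keeps the actual value seen for each condition, so a denial can be explained without re-running the request.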

Why It's Unique in Keymate

Token + Session Context Evaluation

Supports attributes from both token claims and session notes.

OpenFGA Context Forwarding

Passes relevant context attributes to OpenFGA's authorization engine via contextualTuples.

Custom Authenticator Integration

Capture user-specific context (IP, org, delegatedBy, etc.) at login and use it in policies.

DSL Expressions for Runtime Context

Evaluate access using context fields like context.time, context.device, context.vpn, etc.

Context-Aware Risk Mitigation

Combine with RADAC to reject risky sessions based on behavior or environment.

Audit & Debug Support

All context fields and evaluation reasons are logged and shown during simulation.

Enforce smarter, dynamic access policies in real time.

Frequently Asked Questions

Understanding Keymate's Dynamic Contextual Authorization.

It's an authorization model where access decisions depend not just on who the user is, but also on runtime context — like IP, department, login time, device, or risk level. Keymate natively supports this.
Contextual attributes can come from access tokens, session notes (Keycloak), or external data sources like risk engines — and are passed to the policy engine during evaluation.
While ABAC focuses on static attributes, dynamic contextual access control includes runtime factors like time, IP, session history, or user behavior. In Keymate, both can be combined.
Yes. Keymate shows detailed evaluation results with passed/failed conditions, actual context values, and DSL logic traces.

How to Use in Keymate

Follow these steps to implement dynamic contextual authorization.

Configuration and Usage Steps

1. Extend Keycloak login flow to attach IP/department to session notes
2. Define DSL policies using context.* fields
3. Use test console to simulate access with sample context
4. Optionally forward context to OpenFGA via SDK
5. Log all access evaluations for audit and "why denied" visibility

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.