Keycloak OpenFGA Event Publisher
This is a Keycloak extension that implements an Event Listener Provider to detect identity events and publish them to the OpenFGA server over HTTP, using the OpenFGA Java SDK.
This extension allows direct integration between Keycloak and OpenFGA. OpenFGA is an open source solution for Fine-Grained Authorization that applies the concept of ReBAC (created by Auth0 and inspired by Zanzibar). The extension follows these steps:
1. Listens to the following Keycloak events, based on Keycloak's own Identity, Role and Group model (e.g., User Role Assignment, Role to Role Assignment, etc.).
2. Converts these events into OpenFGA tuple keys based on the OpenFGA Authorization Schema:
3. Publishes the tuple keys to the OpenFGA solution using the OpenFGA Java SDK. Apps and APIs can then use OpenFGA as a PDP (Policy Decision Point) to enforce the authorization policies.
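The event-to-tuple conversion in steps 1 to 3, shown as an added example that is not the extension's own code. The event shape follows Keycloak's admin events (resourceType, operationType, resourcePath, JSON representation); the authorization schema (user -[assignee]-> role, user -[member]-> group), the relation names and the user/group ids are assumptions for this example, and the output is the request body for OpenFGA's write endpoint.

```python
import json
import re

# Constructed Keycloak admin events (shape of Keycloak's AdminEvent). The ids are
# made up; the schema below (assignee on role, member on group) is an ASSUMPTION.
SAMPLE_EVENTS = [
    {"resourceType": "REALM_ROLE_MAPPING", "operationType": "CREATE",
     "resourcePath": "users/6f1c2e8a-0000-4000-8000-000000000001/role-mappings/realm",
     "representation": json.dumps([{"id": "r1", "name": "admin"},
                                   {"id": "r2", "name": "auditor"}])},
    {"resourceType": "GROUP_MEMBERSHIP", "operationType": "DELETE",
     "resourcePath": "users/6f1c2e8a-0000-4000-8000-000000000001/groups/g1",
     "representation": None},
]

USER_PATH = re.compile(r"^users/([^/]+)/")


def to_tuple_keys(event):
    """Map one Keycloak admin event to OpenFGA tuple keys (user, relation, object)."""
    match = USER_PATH.match(event["resourcePath"])
    if not match:
        return []  # only user-scoped paths are modelled here
    user = f"user:{match.group(1)}"
    rtype = event["resourceType"]
    if rtype in ("REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING"):
        # The representation is the JSON array of RoleRepresentation objects
        roles = json.loads(event["representation"] or "[]")
        return [{"user": user, "relation": "assignee", "object": f"role:{r['name']}"}
                for r in roles]
    if rtype == "GROUP_MEMBERSHIP":
        group_id = event["resourcePath"].rsplit("/", 1)[-1]
        return [{"user": user, "relation": "member", "object": f"group:{group_id}"}]
    return []  # event types the schema does not model are ignored


def build_write_request(event):
    """Body for POST /stores/{store_id}/write: CREATE -> writes, DELETE -> deletes."""
    keys = to_tuple_keys(event)
    if not keys:
        return None
    if event["operationType"] == "CREATE":
        return {"writes": {"tuple_keys": keys}}
    if event["operationType"] == "DELETE":
        return {"deletes": {"tuple_keys": keys}}
    return None  # UPDATE / ACTION carry no membership change to synchronise
```

A DELETE that is dropped or fails to publish leaves a stale tuple that still grants access, so the publish step should be retried or reconciled rather than fire-and-forget.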
Solution Architecture Overview (New)
This extension improves the Authorization Architecture described in the article Keycloak integration with OpenFGA (based on Zanzibar) for Fine-Grained Authorization at Scale (ReBAC) by enabling direct event synchronization between the Access Manager Platform and the OpenFGA Server.
A brief introduction of the new simplified Authorization Architecture is as follows:
Core: Keycloak is responsible for handling authentication with standard OpenID Connect and manages user access with its Role Model. Keycloak is configured with a new custom extension 🚀 keycloak-openfga-event-publisher, which listens to Keycloak events (User Role Assignment, Role to Role Assignment, etc.), parses each event into an OpenFGA tuple based on the Keycloak Authz Schema and publishes it to OpenFGA over HTTP. OpenFGA is responsible for applying fine-grained access control: the OpenFGA service answers authorization checks by determining whether a relationship exists between an object and a user.
Other components: the Store Web Application is integrated with Keycloak via OpenID Connect; the Store API is protected by OAuth 2.0 and uses the OpenFGA SDK for FGA.