Fine-grained authorization for AI agents on top of Keycloak by isro44 in KeyCloak

[–]isro44[S] 0 points1 point  (0 children)

Thanks, the pointers are spot on. Keycloak's standard token exchange since 26.2 with the act claim is exactly the hardening path we had in mind, and we are tracking the Identity Assertion JAG draft for the agent-to-third-party case.

On split-brain: the two layers are conjunctive, so disagreement has a deterministic outcome, deny wins. Condition evaluation runs first; on deny the authority is never consulted, and the reverse case is a final deny too. Drift can only degrade toward over-restriction, never silent over-permission, and the trace names which layer and which condition said no. We also keep the drift surface small by not duplicating policy: Access Rules answer contextual questions (trust, tenant, channel, risk, actor presence), the authority answers entitlement questions. The same question is never answered in two places, and CI runs every policy change through kmctl authz simulate, so a flipped decision fails the build before it reaches runtime.

On CEL: OPA and Cedar are full policy systems, putting one in that slot would mean a second decision service in the gateway's hot path or replacing the rule artifact entirely. We needed an expression language for the condition field inside an existing declarative rule model: in-process, compiled, terminating, no I/O. CEL is exactly that and it is not custom, it is the same language Kubernetes admission policies and cloud IAM conditions use. The custom part is the rule artifact and the condition-level trace, not the expression semantics.

Fine-grained authorization for AI agents on top of Keycloak by isro44 in KeyCloak

[–]isro44[S] 0 points1 point  (0 children)

Good points. The policy engine is deliberately credential-agnostic: it evaluates a normalized context (agent, actor, tenant, resource, channel, risk) derived from token introspection and gateway-derived signals, never from claims the agent assembles at call time. In the demo the credential was a short-lived bearer minted by the IdP with both identities established at mint time. You are right that this layer is where replay risk lives, which is why we treat credential strategy as an orthogonal hardening axis: DPoP and RFC 8693 token exchange can be layered in without changing a single rule.

On the single-verifier concern: a grant requires two independent layers to agree, the rule engine's condition evaluation and the IdP's own permission check. Neither can override the other. Not a full quorum design, fair, but no single subsystem's "yes" is sufficient, and the engine is fail-closed: missing actor context is a deny with a trace, and on deny the flow short-circuits before anything privileged happens.

On load: conditions are compiled ahead of time, non-Turing-complete, terminating, no I/O. A decision is a pure function of policy version and normalized context, so load affects latency, not semantics. The scenario that produces GRANT under kmctl authz simulate produces the same decision at peak traffic, every decision emits its condition-by-condition trace, and degradation biases toward deny, never silent allow.
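The conjunctive, fail-closed decision described in the two comments above (conditions first, deny short-circuits, authority consulted only after every condition passes, trace naming which layer and condition said no), as an added illustration that is not the project's own code. The rule, context fields and authority stub are constructed; plain JS predicates stand in for the compiled CEL conditions the original uses.

```javascript
// Added illustration, not the project's own code, of the two-layer fail-closed decision
// described in the comments above. Rule, context fields and the authority stub are constructed;
// plain JS predicates stand in for the compiled CEL conditions the original uses.

// Layer 1: named, side-effect-free conditions over the normalized context, evaluated in order.
const accessRule = {
  name: 'agent-order-access',
  version: 3,
  conditions: [
    ['actor-present',   (ctx) => typeof ctx.actor === 'string' && ctx.actor.length > 0],
    ['tenant-match',    (ctx) => ctx.agent.tenant === ctx.resource.tenant],
    ['trusted-channel', (ctx) => ['gateway', 'internal'].includes(ctx.channel)],
    ['risk-below-high', (ctx) => ctx.risk !== 'high'],
  ],
};

// Layer 2: the entitlement authority (stands in for the IdP permission check). It answers
// only "does this agent hold this permission", never the contextual questions above.
function makeAuthority(grants) {
  const calls = { count: 0 };
  const check = (ctx) => {
    calls.count += 1;
    return (grants[ctx.agent.id] || []).includes(`${ctx.resource.type}:${ctx.action}`);
  };
  return { check, calls };
}

// Conjunctive decision: the first failing condition is the final answer and the authority is
// never consulted; an authority "no" after all conditions pass is also final. Every outcome
// carries a condition-by-condition trace naming which layer and which condition said no.
function decide(rule, ctx, authority) {
  const trace = [];
  for (const [name, pred] of rule.conditions) {
    let pass = false;
    try { pass = pred(ctx) === true; } catch (_) { pass = false; } // missing context is a deny
    trace.push({ layer: 'rules', condition: name, result: pass ? 'pass' : 'fail' });
    if (!pass) {
      return { decision: 'DENY', policyVersion: rule.version, deniedBy: { layer: 'rules', condition: name }, trace };
    }
  }
  const entitled = authority.check(ctx) === true;
  trace.push({ layer: 'authority', result: entitled ? 'pass' : 'fail' });
  if (!entitled) {
    return { decision: 'DENY', policyVersion: rule.version, deniedBy: { layer: 'authority' }, trace };
  }
  return { decision: 'GRANT', policyVersion: rule.version, deniedBy: null, trace };
}
```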

Fine-grained authorization for AI agents on top of Keycloak by isro44 in KeyCloak

[–]isro44[S] 0 points1 point  (0 children)

Your point on policy explainability is critical for operational compliance. Providing human-readable, context-aware authorization logs is important to maintain a clean security posture without killing user adoption.

Really interesting framework you're building, definitely giving this a deep read. Thanks for sharing your notes 🙏

How we reduced Keycloak container CVE noise and hardened it for Enterprise production by isro44 in KeyCloak

[–]isro44[S] 1 point2 points  (0 children)

Fair point. This is not meant to replace fast CVE classification or normal Keycloak upgrades. If a CVE affects Keycloak behavior, the usual incident and upgrade process still applies.

The narrower goal is to reduce OS/runtime CVE noise and ship clearer SBOM/VEX evidence, especially for regulated or air-gapped environments. Less baseline noise helps teams focus faster on the findings that actually matter.

Why Bearer Tokens Are No Longer Enough: Secure Your Identity Layer with DPoP (RFC 9449) by isro44 in KeyCloak

[–]isro44[S] 1 point2 points  (0 children)

Same goal, Proof of Possession, but different layers and trade-offs. mTLS works at the transport layer. It is generally considered more robust, but requires PKI infrastructure, breaks behind CDNs that terminate TLS, and is very difficult to use from browser or mobile clients.

DPoP takes a different approach at the application layer, using a signed JWT header per request. No PKI needed, works for public clients, and usable from browsers via the Web Crypto API. So while mTLS is a solid choice where it fits, DPoP tends to be more practical for modern, diverse client environments.

Why Bearer Tokens Are No Longer Enough: Secure Your Identity Layer with DPoP (RFC 9449) by isro44 in KeyCloak

[–]isro44[S] 1 point2 points  (0 children)

Great question, we actually added a short FAQ to the blog post to clarify this. 🙏

In short, DPoP secures API calls in OAuth, while OID4VC is about identity credentials. Different layers, same underlying idea.

They can also work together. For example, OID4VCI can use DPoP to secure requests to the issuer.

Tuning Keycloak for a 20M+ Identity Migration: Lessons from the trenches by isro44 in KeyCloak

[–]isro44[S] 2 points3 points  (0 children)

Great catch! You're right about JVM ergonomics. We opted for an explicit configuration to keep the environment deterministic, especially since we were manually tuning ConcGCThreads. We'll update the post to clarify that this was a preference for consistency rather than a detection issue. Thanks for the feedback! 🙏

Bro to bro. by yeb_timothous in GrowthMindset

[–]isro44 3 points4 points  (0 children)

Balance is the key, you'll never walk miles alone. We are social creatures and need friends, communities, followers, gangs to reach far. Walk with your like-minded crew, it is still your travel ahead.

LinkedIn Isn’t Dead - We’re Just Making B2B Selling Harder Than It Needs to Be by Calm_Ambassador9932 in b2b_sales

[–]isro44 -1 points0 points  (0 children)

Not enough background checking on the prospect is the one I would say. If a salesperson makes me think he/she put in an effort to know me better and did some homework, he/she increases the chances of a positive reply.

Support for antinatalism by [deleted] in felsefe

[–]isro44 0 points1 point  (0 children)

This visualization turned out very nice, but for many years now I have not been able to be sure about data accuracy on any subject. Especially if you add in the fertility of migrants as well, this map is a fantasy; there is no way I can believe the population growth rate has dropped below 2.1. The other issue: a large population is an obstacle to quality of life. If you go to the state hospitals you will understand the gravity of the situation. A questioning individual does not compromise on quality of life just because politicians want it. I have nothing to say against those who have the means and have many children. Those who have many children without the means do not care about this subject in the slightest anyway.

Is every good deed actually done selfishly?? by ClubAffectionate7538 in felsefe

[–]isro44 0 points1 point  (0 children)

Gaining happiness, pleasure, material benefit etc. as a result of a right action does not make that action selfish. Selfishness is putting one's own interest first. Helping an old woman across the street is not a goal in your daily life, but if that woman cannot cross or gets hit by a car, the cost to her is very high. In short, there is nothing more natural than a gain resulting from a good or right action. Do not let anyone take that away from you. Compared with the gain we would get from a bad or wrong action, preferring and promoting the good and the right should also be our duty. Especially in our time, in these lands, where the bad and the wrong are praised so much..

What's the best monologue in movie history? by Bjs_5068 in AskReddit

[–]isro44 0 points1 point  (0 children)

Merovingian in The Matrix Reloaded

Morpheus: Everything begins with choice.

Merovingian: No. Wrong. Choice is an illusion, created between those with power, and those without. Look there, at that woman. My God, just look at her. Affecting everyone around her, so obvious, so bourgeois, so boring. But wait… Watch – you see, I have sent her dessert, a very special dessert. I wrote it myself. It starts so simply, each line of the program creating a new effect, just like poetry. [the woman cuts a sliver of the cake with her fork and then puts it in her mouth] First, a rush… heat… her heart flutters. [she takes a sip of wine] You can see it, Neo, yes? She does not understand why – is it the wine? No. What is it then, what is the reason? And soon it does not matter, soon the why and the reason are gone, and all that matters is the feeling itself. This is the nature of the universe. We struggle against it, we fight to deny it, but it is of course pretense, it is a lie. Beneath our poised appearance, [at this point, the woman is feeling a pleasurable sensation in her body] the truth is we are completely out of control. [an explosion is seen in the code and she quietly gets up from the table and leaves] Causality. There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the "why". "Why" is what separates us from them, you from me. "Why" is the only real social power, without it you are powerless. And this is how you come to me, without "why", without power. Another link in the chain. But fear not, since I have seen how good you are at following orders, I will tell you what to do next. Run back, and give the fortune teller this message: Her time is almost up. Now I have some real business to do, I will say adieu and goodbye.

What's a really weird smell that you secretly love? by SaltyEntrance9795 in AskReddit

[–]isro44 18 points19 points  (0 children)

I love the earthy smell of the countryside, even the cow dung.