Keycloak Provides Open-Source Identity Management. The Tokens It Issues Carry No Governance Binding.
by Nick Clark | Published March 28, 2026
Keycloak provides open-source identity and access management with SSO, federation, and fine-grained authorization. It issues OAuth2 tokens, SAML assertions, and manages user sessions. The platform is comprehensive. But the tokens Keycloak issues carry identity claims and scope permissions. They do not carry cryptographically bound governance policy for specific operations. A token with appropriate scopes allows operations. Whether those operations comply with governance requirements under current conditions is not the token's concern. The gap is between identity token issuance and cryptographic governance.
Keycloak's open-source identity management with fine-grained authorization provides genuine value. The gap described here is about governance binding in issued tokens.
Authorization scopes are not governance policy
Keycloak tokens carry scopes that define what resources can be accessed. But scopes are static permissions, not dynamic governance. A token with the 'write' scope allows writing regardless of the current governance context: whether the data being written requires additional validation, whether the trust slope of the writing entity has degraded, or whether a governance policy change makes the write inappropriate.
Fine-grained authorization without cryptographic binding
Keycloak supports UMA and fine-grained resource permissions. These add detail to authorization decisions. But the authorization decision is evaluated at the Keycloak server. It is not cryptographically bound to the operation. The operation carries a token that was approved at issuance time. The governance conditions may have changed between issuance and use.
What cryptographic governance provides
Cryptographic governance would bind signed policy to each operation at the point of execution, not at token issuance time. The governance policy would be evaluated in the current context and cryptographically attached to the specific operation. Keycloak's identity management would continue to provide authentication. Cryptographic governance would add real-time, operation-specific governance binding.
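The contrast the three sections above draw (a static scope check versus a policy decision signed against one specific operation at execution time) can be shown end to end in a few dozen lines. The following is an added example, not code from Keycloak or from this article's author. It assumes an HS256 stand-in for the RS256 access token a Keycloak realm would issue, and the governance layer (`attest_operation`, `execution_allowed`, the policy and context field names) is an illustrative construction, not a Keycloak feature.

```python
import base64
import hashlib
import hmac
import json

# Constructed secrets for this illustration only. A Keycloak realm signs
# access tokens with an asymmetric key (RS256); HS256 keeps this self-contained.
IDP_KEY = b"constructed-idp-secret"
GOV_KEY = b"constructed-governance-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, message: bytes) -> str:
    return _b64url(hmac.new(key, message, hashlib.sha256).digest())


def mint_token(claims: dict, now: int, ttl: int = 300) -> str:
    """Stand-in for a Keycloak access token: signed claims with scope and expiry."""
    payload = dict(claims, iat=now, exp=now + ttl)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, sort_keys=True).encode())
    return f"{header}.{body}.{_sign(IDP_KEY, f'{header}.{body}'.encode())}"


def scope_allows(token: str, required_scope: str, now: int) -> bool:
    """What a resource server checks on a bearer token: signature, expiry, scope.
    Nothing here depends on the governance context at the time of use."""
    header, body, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(IDP_KEY, f"{header}.{body}".encode())):
        return False
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] <= now:
        return False
    return required_scope in claims["scope"].split()


def operation_digest(operation: dict) -> str:
    """Canonical hash of the exact operation (actor, verb, resource, payload)."""
    return hashlib.sha256(json.dumps(operation, sort_keys=True).encode()).hexdigest()


def attest_operation(operation: dict, policy: dict, context: dict, now: int):
    """Evaluate the current policy against the current context for this one
    operation and sign the decision bound to the operation digest.
    Returns None when policy does not permit the operation right now."""
    if operation["verb"] == "write" and policy["write_frozen"]:
        return None
    if context["trust_score"] < policy["min_trust"]:
        return None
    decision = {"op": operation_digest(operation), "policy_version": policy["version"], "iat": now}
    return {"decision": decision, "sig": _sign(GOV_KEY, json.dumps(decision, sort_keys=True).encode())}


def execution_allowed(operation: dict, attestation, now: int, max_age: int = 30) -> bool:
    """Check at the point of execution: the attestation must carry a valid
    governance signature, match this exact operation, and be fresh."""
    if attestation is None:
        return False
    decision = attestation["decision"]
    if not hmac.compare_digest(attestation["sig"], _sign(GOV_KEY, json.dumps(decision, sort_keys=True).encode())):
        return False
    if decision["op"] != operation_digest(operation):
        return False
    return now - decision["iat"] <= max_age


def demo() -> dict:
    t0 = 1_700_000_000
    token = mint_token({"sub": "svc-orders", "scope": "read write"}, now=t0)
    write_op = {"sub": "svc-orders", "verb": "write", "resource": "/orders/42", "body": {"status": "shipped"}}
    other_op = dict(write_op, resource="/orders/43")
    policy_v1 = {"version": 1, "write_frozen": False, "min_trust": 0.5}
    policy_v2 = {"version": 2, "write_frozen": True, "min_trust": 0.5}  # changed after token issuance
    ctx_ok = {"trust_score": 0.9}
    ctx_degraded = {"trust_score": 0.2}
    att_t0 = attest_operation(write_op, policy_v1, ctx_ok, now=t0)
    t1 = t0 + 60  # token still unexpired; governance conditions have changed
    return {
        # scope check: the unchanged token allows the write at t0 and at t1 alike
        "scope_t0": scope_allows(token, "write", t0),
        "scope_t1": scope_allows(token, "write", t1),
        # operation-bound governance: allowed at t0 under policy v1 and a healthy context
        "gov_t0": execution_allowed(write_op, att_t0, t0),
        # refused at t1 once policy freezes writes, or once the caller's trust has degraded
        "gov_t1_frozen": execution_allowed(write_op, attest_operation(write_op, policy_v2, ctx_ok, t1), t1),
        "gov_t1_degraded": execution_allowed(write_op, attest_operation(write_op, policy_v1, ctx_degraded, t1), t1),
        # the attestation for /orders/42 cannot be reused for /orders/43, nor after it goes stale
        "gov_replay_other_op": execution_allowed(other_op, att_t0, t0),
        "gov_stale": execution_allowed(write_op, att_t0, t1),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two checks answer different questions: `scope_allows` asks whether the issuer granted `write` when the token was minted, and it keeps answering yes until the token expires; `execution_allowed` asks whether a signed policy decision exists for this exact operation under the conditions in force now. Short token lifetimes narrow the window between issuance and use but do not close it, because no field in the token identifies the operation or the policy version it was evaluated against.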