HeadlinesBriefing.com

Keycloak Integrates OpenFGA for Fine-Grained Authorization via Java SDK

Hacker News

Keycloak OpenFGA Event Publisher bridges identity management and policy enforcement by syncing Keycloak events to OpenFGA. The extension, developed by embesozzi, uses the OpenFGA Java SDK to convert Keycloak actions, such as role assignments or group memberships, into OpenFGA tuple keys. These keys define relationships (e.g., "User related to Role as assignee") that OpenFGA evaluates for authorization decisions. This integration decouples Keycloak’s authentication from OpenFGA’s policy enforcement, enabling dynamic, scalable access control.

Built on OpenFGA’s ReBAC (Relationship-Based Access Control) model, the extension listens to Keycloak events such as User Role Assignment or Role To Role Assignment, transforms them into OpenFGA ClientWriteRequest objects, and publishes them to the OpenFGA server over HTTP. Applications can then query OpenFGA as a Policy Decision Point (PDP) for real-time authorization. The architecture simplifies workflows by centralizing identity and access logic and reduces reliance on static role hierarchies.
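As an added illustration of the mapping step described above (not the extension's own code), the following class turns a Keycloak realm-role-assignment admin event into OpenFGA tuples and writes them with a ClientWriteRequest via the Java SDK. The object types `user` and `role`, the `assignee` relation, and the `OPENFGA_STORE_ID` variable are assumptions; package names follow openfga/java-sdk 0.4.x, and the event's representation is only present when Keycloak admin events are configured to include it.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import com.fasterxml.jackson.databind.ObjectMapper;
import dev.openfga.sdk.api.client.OpenFgaClient;
import dev.openfga.sdk.api.client.model.ClientTupleKey;
import dev.openfga.sdk.api.client.model.ClientWriteRequest;
import dev.openfga.sdk.api.configuration.ClientConfiguration;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.representations.idm.RoleRepresentation;

public class RealmRoleMappingPublisher {
    // Keycloak reports realm role assignments on this admin resource path.
    private static final Pattern USER_REALM_ROLES =
            Pattern.compile("^users/([^/]+)/role-mappings/realm$");
    private static final ObjectMapper JSON = new ObjectMapper();

    /** Map one admin event to the tuples it implies; empty if the event is irrelevant. */
    public static List<ClientTupleKey> toTuples(AdminEvent event) throws Exception {
        List<ClientTupleKey> tuples = new ArrayList<>();
        if (event.getResourceType() != ResourceType.REALM_ROLE_MAPPING
                || event.getOperationType() != OperationType.CREATE) {
            return tuples; // deletions and other resource types are out of scope here
        }
        Matcher m = USER_REALM_ROLES.matcher(event.getResourcePath());
        if (!m.matches()) {
            return tuples; // group or client role mappings use different paths
        }
        String userId = m.group(1);
        // The representation is the JSON array of roles that were just assigned.
        RoleRepresentation[] roles =
                JSON.readValue(event.getRepresentation(), RoleRepresentation[].class);
        for (RoleRepresentation role : roles) {
            // Assumed model: type user, type role with relation assignee: [user].
            tuples.add(new ClientTupleKey()
                    .user("user:" + userId)
                    .relation("assignee")
                    ._object("role:" + role.getName()));
        }
        return tuples;
    }

    /** Called from EventListenerProvider.onEvent(AdminEvent, boolean); writes the tuples. */
    public static void publish(AdminEvent event) throws Exception {
        List<ClientTupleKey> tuples = toTuples(event);
        if (tuples.isEmpty()) return;
        ClientConfiguration config = new ClientConfiguration()
                .apiUrl(System.getenv("KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_PUBLISHER_API_URL"))
                .storeId(System.getenv("OPENFGA_STORE_ID")); // assumed variable name
        new OpenFgaClient(config).write(new ClientWriteRequest().writes(tuples)).get();
    }
}
```

A DELETE operation on the same resource path would be handled symmetrically by placing the tuples in the request's `deletes` list rather than `writes`.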

Installation involves downloading a compatible JAR file for Keycloak.X (Quarkus-based) or Docker setups. Configuration requires setting environment variables like KC_SPI_EVENTS_LISTENER_OPENFGA_EVENTS_PUBLISHER_API_URL for the OpenFGA server endpoint. Keycloak 17’s Quarkus distro is now officially supported, streamlining deployment. Developers can test the extension via the provided workshop repository.

This integration matters for organizations adopting Fine-Grained Authorization (FGA) at scale. By automating policy updates from Keycloak, teams avoid manual schema management and ensure policies reflect real-time identity changes. As one developer notes, "It’s a game-changer for decoupling auth logic." The project aligns with trends toward policy-as-code and modular authorization systems.