March 16, 2026
Auth sync or sink?
Event Publisher enables event integration between Keycloak and OpenFGA
New plugin auto-syncs permissions—and splits the room
TLDR: A new Keycloak add-on auto-sends role and group changes to OpenFGA so apps can check permissions in one place. Commenters love the convenience but warn that sloppy login setups can turn into security holes, making this a big time-saver only if identity settings are locked down.
A new community-built extension bolts your login system, Keycloak, straight to OpenFGA so permission changes flow automatically. Translation: when someone gets added to a role or group, this tool listens and instantly tells the authorization engine—no manual glue code. But the comments? Pure fireworks.
One camp is thrilled. User mooreds says the quiet part out loud: syncing who-can-do-what across systems is the real pain, and this open-source bridge is a cool start. But even the hype squad adds a warning label—“It’s not enough, of course”—because app/domain data still has to be synced to keep decisions accurate. So it’s progress, not magic.
Meanwhile, the security hawks are circling. gebalamariusz calls it “interesting,” then drops a cold shower: OpenID Connect (the login handshake most services use) is often misconfigured, and “OIDC could be used as an attack vector… missing sub claim condition… allows any token to assume the role.” Cue gasps. The vibe: build the autopilot, but don’t forget the seatbelt.
Drama level: high. Implementers are mashing the “ship it” button, security pros are clutching pearls over identity missteps, and onlookers are tossing around the classic “what could possibly go wrong?” wink. Verdict from the thread: a promising shortcut for permissions at scale—if you respect the sharp edges and lock down identity settings.
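The misconfiguration gebalamariusz points at (an OIDC trust policy that checks issuer and audience but never pins the `sub` claim, so any token from that issuer can assume the role) is easy to catch before deployment. The following is an added example, not code from the thread or from the Event Publisher project: a small checker over a constructed, simplified trust-policy shape (a `conditions` map of claim name to expected value, with a trailing `*` as a prefix wildcard). The policy format and the sample tokens are assumptions for illustration; the tokens are taken as already signature-verified.

```python
"""Lint an OIDC federation trust policy for unbound identity claims (added example).

Assumed, simplified policy shape (not any vendor's real syntax):
    {"conditions": {"iss": "...", "aud": "...", "sub": "..."}}
A condition value ending in "*" is treated as a prefix match; a bare "*"
constrains nothing and is reported the same way as a missing claim.
"""

# Claims that together bind a token to one issuer, one audience and one principal.
REQUIRED_CLAIMS = ("iss", "aud", "sub")


def missing_bindings(policy: dict) -> list[str]:
    """Return the required claims the policy leaves unconstrained."""
    conditions = policy.get("conditions", {})
    return [c for c in REQUIRED_CLAIMS if conditions.get(c, "*") == "*"]


def _matches(expected: str, value) -> bool:
    """Exact match, or prefix match when the expected value ends with '*'."""
    if not isinstance(value, str):
        return False
    if expected.endswith("*"):
        return value.startswith(expected[:-1])
    return value == expected


def token_may_assume(policy: dict, token: dict) -> bool:
    """Evaluate a decoded, signature-verified token against every condition."""
    return all(
        _matches(expected, token.get(claim))
        for claim, expected in policy.get("conditions", {}).items()
    )


# Constructed sample policies and tokens (hypothetical issuer, audience and subjects).
ISSUER = "https://idp.example.test/realms/ci"
AUDIENCE = "deploy-role"

WEAK_POLICY = {"conditions": {"iss": ISSUER, "aud": AUDIENCE}}          # no sub check
WILDCARD_POLICY = {"conditions": {"iss": ISSUER, "aud": AUDIENCE, "sub": "*"}}
STRICT_POLICY = {"conditions": {"iss": ISSUER, "aud": AUDIENCE,
                                "sub": "pipeline:org-a/service-x"}}

LEGIT_TOKEN = {"iss": ISSUER, "aud": AUDIENCE, "sub": "pipeline:org-a/service-x"}
OTHER_TENANT_TOKEN = {"iss": ISSUER, "aud": AUDIENCE, "sub": "pipeline:org-b/anything"}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("wildcard", WILDCARD_POLICY),
                         ("strict", STRICT_POLICY)):
        print(name, "missing:", missing_bindings(policy),
              "legit:", token_may_assume(policy, LEGIT_TOKEN),
              "other tenant:", token_may_assume(policy, OTHER_TENANT_TOKEN))
```

Both the weak and the wildcard policy accept the other tenant's token because nothing ties the trust to a principal; only the strict policy limits assumption to the intended `sub`. Running `missing_bindings` over every trust policy in a repository is a cheap gate to put in front of the automation the extension provides.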
Key Points
- A Keycloak extension (Keycloak OpenFGA Event Publisher) publishes identity-related events to OpenFGA using the OpenFGA Java SDK over HTTP.
- It listens to Admin Events in Keycloak’s Identity, Role, and Group models, covering User Role Assignment, Role to Role Assignment, Group to Role Assignment, and User Group Membership.
- Each captured event is transformed into OpenFGA tuple keys aligned with a defined authorization schema and sent as ClientWriteRequest objects.
- The architecture positions Keycloak for authentication (OpenID Connect) and OpenFGA for fine-grained authorization (ReBAC), enabling OpenFGA to answer relationship-based access checks.
- Installation includes downloading or building a JAR, placing it in Keycloak’s providers directory (Keycloak.X) and building with kc.sh; container deployments can mount or copy the JAR.
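To make the "event to tuple key" step concrete, here is an added example (not the extension's own code, which is Java) that maps the four admin-event families listed above onto OpenFGA tuple keys and batches them into the writes/deletes shape of a write request. The authorization model is an assumption, since the page does not show the extension's schema: `user`, `group` with a `member` relation, and `role` with an `assignee` relation that accepts users, group members and assignees of another role. The event dictionaries follow the field names of Keycloak admin events (`operationType`, `resourceType`, `resourcePath`, `representation`), but the sample events, ids and the exact resource types assumed for composite roles are constructed for illustration.

```python
"""Map Keycloak admin events to OpenFGA tuple keys (added example, not the extension's code).

Assumed authorization model (the page does not define the real one):
    type user
    type group
      relations
        define member: [user]
    type role
      relations
        define assignee: [user, group#member, role#assignee]
"""
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class TupleKey:
    """One OpenFGA relationship tuple: (user, relation, object)."""
    user: str
    relation: str
    object: str


def _path(event: dict) -> list[str]:
    return event["resourcePath"].strip("/").split("/")


def _roles(event: dict) -> list[dict]:
    """Role mapping events carry the affected roles as a JSON array in `representation`."""
    rep = event.get("representation")
    return json.loads(rep) if rep else []


def event_to_tuples(event: dict) -> list[TupleKey]:
    """Translate one admin event into tuple keys; unrelated events yield an empty list."""
    rtype, seg = event["resourceType"], _path(event)

    # User or group realm-role assignment (User Role / Group to Role Assignment):
    #   users/{uid}/role-mappings/realm   -> user:{uid}         assignee role:{rid}
    #   groups/{gid}/role-mappings/realm  -> group:{gid}#member assignee role:{rid}
    if rtype == "REALM_ROLE_MAPPING" and len(seg) == 4 and seg[0] in ("users", "groups"):
        subject = f"user:{seg[1]}" if seg[0] == "users" else f"group:{seg[1]}#member"
        return [TupleKey(subject, "assignee", f"role:{r['id']}") for r in _roles(event)]

    # Composite role (Role to Role Assignment), resource type assumed here:
    #   roles-by-id/{parent}/composites -> role:{parent}#assignee assignee role:{child}
    # i.e. whoever holds the parent role also holds each composite child.
    if rtype == "REALM_ROLE" and len(seg) == 3 and seg[0] == "roles-by-id" and seg[2] == "composites":
        return [TupleKey(f"role:{seg[1]}#assignee", "assignee", f"role:{r['id']}") for r in _roles(event)]

    # User Group Membership: users/{uid}/groups/{gid} -> user:{uid} member group:{gid}
    if rtype == "GROUP_MEMBERSHIP" and len(seg) == 4 and seg[0] == "users" and seg[2] == "groups":
        return [TupleKey(f"user:{seg[1]}", "member", f"group:{seg[3]}")]

    return []


def to_write_request(events: list[dict]) -> dict:
    """Batch events into the writes/deletes payload of an OpenFGA write call.

    CREATE operations become writes, DELETE operations become deletes; UPDATE and
    unrelated resource types are ignored, so the authorization store only changes
    when a relationship is actually added or removed in Keycloak.
    """
    writes: list[TupleKey] = []
    deletes: list[TupleKey] = []
    for ev in events:
        if ev["operationType"] == "CREATE":
            writes.extend(event_to_tuples(ev))
        elif ev["operationType"] == "DELETE":
            deletes.extend(event_to_tuples(ev))
    return {"writes": [asdict(t) for t in writes], "deletes": [asdict(t) for t in deletes]}


# Constructed sample events with hypothetical ids.
SAMPLE_EVENTS = [
    {"operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/u-42/role-mappings/realm",
     "representation": json.dumps([{"id": "r-admin", "name": "admin"}])},
    {"operationType": "CREATE", "resourceType": "GROUP_MEMBERSHIP",
     "resourcePath": "users/u-42/groups/g-ops", "representation": None},
    {"operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "groups/g-ops/role-mappings/realm",
     "representation": json.dumps([{"id": "r-deploy", "name": "deploy"}])},
    {"operationType": "CREATE", "resourceType": "REALM_ROLE",
     "resourcePath": "roles-by-id/r-admin/composites",
     "representation": json.dumps([{"id": "r-deploy", "name": "deploy"}])},
    {"operationType": "DELETE", "resourceType": "GROUP_MEMBERSHIP",
     "resourcePath": "users/u-7/groups/g-ops", "representation": None},
    {"operationType": "UPDATE", "resourceType": "USER",
     "resourcePath": "users/u-42", "representation": None},
]


if __name__ == "__main__":
    print(json.dumps(to_write_request(SAMPLE_EVENTS), indent=2))
```

With the sample batch, the resulting request carries four writes and one delete: u-42 becomes an assignee of r-admin and a member of g-ops, members of g-ops become assignees of r-deploy, holders of r-admin inherit r-deploy, and u-7's membership in g-ops is removed. The unrelated user UPDATE produces nothing, which is the behaviour you want from a publisher: every write to the authorization store should trace back to one relationship change in the identity provider.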