Just-In-Time Access Approval in Keycloak
The request came seconds before production. Access was needed, now. No long forms. No waiting on email threads. With Just-In-Time Access Approval in Keycloak, the bottleneck is gone.
Keycloak already centralizes identity and access management. But static roles are a liability. Permanent access widens attack surfaces. JIT approval fixes this by granting time-limited and scope-limited permissions only when needed.
The flow is simple:
- A user requests access to a protected resource.
- Keycloak forwards the request into an approval workflow.
- An approver reviews. If approved, Keycloak issues a short-lived token with the new permissions.
- Access expires automatically when the time window closes.
This pattern reduces standing privileges and tightens compliance. It also gives engineering teams traceability: every elevation is logged and every approval has an audit trail. The integration hooks into an external approval system through Keycloak’s authentication layers, Admin REST API, and event listeners.
To set up Just-In-Time Access Approval in Keycloak:
- Enable event listeners for admin and authentication events.
- Build or connect to an approval service that can handle role or group assignment requests.
- Use the Keycloak Admin REST API to grant and revoke roles dynamically based on approval decisions.
- Implement policies to scope access to minimal privileges.
- Ensure tokens have short lifetimes using Keycloak’s token settings.
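The following is an added example of the approval-and-revocation core behind the steps above. It is not hoop.dev’s or Keycloak’s code, and the names `JitBroker`, `AccessRequest`, `FakeTransport` and `http_transport` are assumptions of this example. The two endpoints it calls, `GET /admin/realms/{realm}/roles/{role-name}` and `POST`/`DELETE /admin/realms/{realm}/users/{id}/role-mappings/realm`, are Keycloak Admin REST API endpoints; the base URL, realm and admin token are placeholders. The HTTP transport is injected so the same broker can be run offline against a recording fake, which is what the trailing demo does.

```python
"""JIT access broker for Keycloak (example code; names and sample data constructed)."""
import json
import time
import uuid
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# transport(method, path, body) -> parsed JSON or None; injected so the broker is testable offline
Transport = Callable[[str, str, Optional[object]], Optional[object]]


def http_transport(base_url: str, admin_token: str) -> Transport:
    """Real transport: bearer-authenticated calls to the Keycloak Admin REST API."""
    def send(method: str, path: str, body: Optional[object] = None) -> Optional[object]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            base_url + path, data=data, method=method,
            headers={"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None
    return send


class FakeTransport:
    """Offline stand-in: records every call and answers role lookups with a constructed id."""
    def __init__(self) -> None:
        self.calls: List[tuple] = []

    def __call__(self, method: str, path: str, body: Optional[object] = None) -> Optional[object]:
        self.calls.append((method, path, body))
        if method == "GET" and "/roles/" in path:
            return {"id": "role-id-" + path.rsplit("/", 1)[1], "name": path.rsplit("/", 1)[1]}
        return None


@dataclass
class AccessRequest:
    request_id: str
    user_id: str
    role_name: str
    duration_s: int
    justification: str
    status: str = "pending"            # pending -> approved -> expired, or pending -> denied
    expires_at: Optional[float] = None


class JitBroker:
    """Tracks requests, grants a realm role on approval, and revokes it when the window closes."""

    def __init__(self, realm: str, transport: Transport, max_duration_s: int = 3600) -> None:
        self.realm, self.transport, self.max_duration_s = realm, transport, max_duration_s
        self.requests: Dict[str, AccessRequest] = {}
        self.audit: List[dict] = []    # every state change lands here for the audit trail

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": time.time(), "event": event, **fields})

    def _mapping_path(self, user_id: str) -> str:
        return f"/admin/realms/{self.realm}/users/{user_id}/role-mappings/realm"

    def _role(self, role_name: str) -> object:
        # Role mappings need the RoleRepresentation (id + name), so look the role up first.
        return self.transport("GET", f"/admin/realms/{self.realm}/roles/{role_name}", None)

    def request_access(self, user_id: str, role_name: str, duration_s: int, justification: str) -> AccessRequest:
        if not 0 < duration_s <= self.max_duration_s:
            raise ValueError("requested duration is outside the policy window")
        req = AccessRequest(str(uuid.uuid4()), user_id, role_name, duration_s, justification)
        self.requests[req.request_id] = req
        self._log("access_requested", request_id=req.request_id, user=user_id, role=role_name)
        return req

    def approve(self, request_id: str, approver_id: str, now: Optional[float] = None) -> AccessRequest:
        req = self.requests[request_id]
        if req.status != "pending":
            raise ValueError("request is not pending")
        if approver_id == req.user_id:          # separation of duties: no self-approval
            raise PermissionError("requester may not approve their own request")
        self.transport("POST", self._mapping_path(req.user_id), [self._role(req.role_name)])
        req.status = "approved"
        req.expires_at = (time.time() if now is None else now) + req.duration_s
        self._log("access_granted", request_id=request_id, approver=approver_id, expires_at=req.expires_at)
        return req

    def deny(self, request_id: str, approver_id: str) -> AccessRequest:
        req = self.requests[request_id]
        req.status = "denied"
        self._log("access_denied", request_id=request_id, approver=approver_id)
        return req

    def expire_due(self, now: Optional[float] = None) -> List[str]:
        """Revoke every approved grant whose window has closed; returns the request ids revoked."""
        now = time.time() if now is None else now
        revoked = []
        for req in self.requests.values():
            if req.status == "approved" and req.expires_at is not None and req.expires_at <= now:
                self.transport("DELETE", self._mapping_path(req.user_id), [self._role(req.role_name)])
                req.status = "expired"
                revoked.append(req.request_id)
                self._log("access_revoked", request_id=req.request_id, user=req.user_id, role=req.role_name)
        return revoked


if __name__ == "__main__":
    fake = FakeTransport()
    broker = JitBroker("demo-realm", fake)          # constructed realm name
    r = broker.request_access("user-123", "prod-deployer", 900, "hotfix for release 4.2")
    broker.approve(r.request_id, "oncall-lead", now=1000.0)
    print(broker.expire_due(now=1900.0), [c[:2] for c in fake.calls])
```

Run against a real deployment by swapping `FakeTransport()` for `http_transport("https://<keycloak-host>", "<admin-access-token>")` and driving `expire_due()` from a scheduler; the broker’s `audit` list is what you would forward to the SIEM alongside Keycloak’s own admin events.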
Keycloak’s flexible SPI (Service Provider Interface) allows you to trigger external calls during login or role evaluation. This means you can insert a JIT request into any critical path without hacking the core. Use protocol mappers to adjust claims in tokens once the approval is complete.
JIT access is not theory; it’s operational security. It enforces least privilege without slowing work. In fast-moving environments, this difference matters.
See Just-In-Time Access Approval in action. Build it, test it, and run it live with Keycloak in minutes at hoop.dev.