Complete enterprise-grade authentication and identity management architecture with Keycloak as the authoritative identity provider.

Executive Summary

This implementation provides a production-ready authentication system with:
  • Keycloak as Single Source of Truth - All identity centralized
  • JWT Standardization - All auth methods produce JWTs
  • Service Principals - Long-lived credentials for batch jobs
  • API Key Management - Legacy support with JWT exchange
  • Identity Federation - LDAP, SAML, OIDC integration
  • SCIM 2.0 Provisioning - Automated user management
  • Kong JWT Validation - High-performance gateway validation
  • OpenFGA Permission Inheritance - Service principals inherit user permissions
  • Hybrid Session Model - Stateless users + stateful services
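The bullets above name several pieces that are easiest to understand together. The following is an added example, written for this page and not code from the project or from Keycloak, Kong or OpenFGA, that models three of them in one place: JWT standardization with stateless, gateway-style validation; the API key to JWT exchange; and the hybrid session model, in which a service principal's token carries an RFC 8693 `act` claim naming the service while `sub` stays the user whose permissions it inherits, and that token is also checked against a server-side session store. It signs with HS256 and a shared secret so it runs on the standard library alone (a Keycloak realm signs with RS256 by default); the issuer, audience, claim names, key store and session store are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo configuration (assumptions, not the project's values).
# HS256 keeps the example stdlib-only; a Keycloak realm signs with RS256 by default.
SIGNING_KEY = b"demo-hs256-key-do-not-use-in-production"
ISSUER = "https://keycloak.example.com/realms/demo"
AUDIENCE = "kong-gateway"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, ttl: int, now=None) -> str:
    """Sign an HS256 JWT carrying iss/aud/iat/exp plus the caller's claims."""
    now = int(time.time()) if now is None else now
    body = {"iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + ttl, **claims}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + b64url(json.dumps(body).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, now=None) -> dict:
    """Stateless, gateway-style validation: pinned alg, signature, iss, aud, exp."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
        claims = json.loads(b64url_decode(p))
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        raise PermissionError("undecodable token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":  # pinned: rejects alg=none and algorithm confusion
        raise PermissionError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad signature")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    return claims


# --- API key -> JWT exchange: only a hash of each key is stored; the raw key is shown once.
_API_KEYS: dict = {}


def _key_id(raw: str) -> str:
    return hashlib.sha256(raw.encode()).hexdigest()


def issue_api_key(subject: str, scope: str) -> str:
    raw = "ak_" + secrets.token_urlsafe(24)
    _API_KEYS[_key_id(raw)] = {"sub": subject, "scope": scope, "revoked": False}
    return raw


def revoke_api_key(raw: str) -> None:
    _API_KEYS[_key_id(raw)]["revoked"] = True


def exchange_api_key(raw: str, now=None) -> str:
    """Legacy API key in, short-lived JWT out, so everything downstream sees only JWTs."""
    rec = _API_KEYS.get(_key_id(raw))
    if rec is None or rec["revoked"]:
        raise PermissionError("unknown or revoked API key")
    claims = {"sub": rec["sub"], "scope": rec["scope"], "amr": ["api_key"], "typ": "user"}
    return mint_jwt(claims, ttl=300, now=now)


# --- Service principals: long-lived token, but its session is tracked server-side (stateful).
_SERVICE_SESSIONS: dict = {}


def issue_service_token(principal: str, on_behalf_of: str, ttl: int, now=None) -> str:
    """RFC 8693 delegation shape: sub is the user whose permissions apply, act.sub is the service."""
    sid = secrets.token_hex(8)
    _SERVICE_SESSIONS[sid] = {"principal": principal, "active": True}
    claims = {"sub": on_behalf_of, "act": {"sub": principal}, "sid": sid, "typ": "service"}
    return mint_jwt(claims, ttl=ttl, now=now)


def revoke_service_session(sid: str) -> None:
    _SERVICE_SESSIONS[sid]["active"] = False


def authorize(token: str, now=None) -> dict:
    """Hybrid model: every token gets the stateless checks; service tokens also hit the session store."""
    claims = verify_jwt(token, now=now)
    if claims.get("typ") == "service":
        sess = _SERVICE_SESSIONS.get(claims.get("sid"))
        if sess is None or not sess["active"] or sess["principal"] != claims.get("act", {}).get("sub"):
            raise PermissionError("service session unknown or revoked")
    return claims
```

The order of checks in `verify_jwt` is the point: the algorithm is pinned before the signature is compared, so an `alg: none` header or a token signed under a different algorithm never reaches `compare_digest`, and nothing acts on the claims until the signature has been verified. A service token that fails the session lookup is rejected even though its signature and expiry are valid; that revocation path is what long-lived service credentials need and what stateless user tokens give up in exchange for not touching a store on every request. Because `sub` is the delegating user and `act.sub` the service, a permission check keyed on `sub` yields the user's permissions for the service automatically, which is the inheritance described above.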

Architecture Diagram

Documentation

Architecture Decision Records

Key Design Decisions

Decision                           ADR        Rationale
Keycloak as authoritative source   ADR-0031   Single source of truth, enterprise federation
JWT standardization                ADR-0032   Consistent auth, stateless validation
Service principal design           ADR-0033   Long-running tasks, permission delegation
API key→JWT exchange               ADR-0034   Legacy support + JWT standard
Kong JWT validation                ADR-0035   High performance, no custom plugin
Hybrid session model               ADR-0036   Stateless users, stateful services
Identity federation                ADR-0037   Enterprise integration
SCIM implementation                ADR-0038   Automated provisioning
Permission inheritance             ADR-0039   Service acting as user

Getting Started

  1. Review ADR-0031 through ADR-0039
  2. Follow Deployment Guide
  3. Configure identity providers per Federation Guide
  4. Create service principals per Service Principals Guide
  5. Generate API keys per API Key Guide

Support