Keycloak Schema

    graph LR
    R(KeycloakRealm) -- RESOURCE --> C(KeycloakClient)
    R -- RESOURCE --> G(KeycloakGroup)
    R -- RESOURCE --> U(KeycloakUser)
    R -- RESOURCE --> ROLE(KeycloakRole)
    R -- RESOURCE --> S(KeycloakScope)
    R -- RESOURCE --> IDP(KeycloakIdentityProvider)
    R -- RESOURCE --> O(KeycloakOrganization)
    R -- RESOURCE --> OD(KeycloakOrganizationDomain)
    R -- RESOURCE --> AF(KeycloakAuthenticationFlow)
    R -- RESOURCE --> AE(KeycloakAuthenticationExecution)
    C -- HAS_DEFAULT_SCOPE --> S
    C -- HAS_OPTIONAL_SCOPE --> S
    C -- DEFINES --> ROLE
    C -- HAS_SERVICE_ACCOUNT --> U
    C -- USES --> AF
    G -- SUBGROUP_OF --> G
    U -- MEMBER_OF --> G
    U == INHERITED_MEMBER_OF ==> G
    G -- GRANTS --> ROLE
    ROLE -- GRANTS --> S
    ROLE -- INCLUDES --> ROLE
    U -- HAS_IDENTITY --> IDP
    U -- MANAGED_MEMBER_OF --> O
    U -- UNMANAGED_MEMBER_OF --> O
    U == ASSUME_ROLE ==> ROLE
    U == ASSUME_SCOPE ==> S
    O -- ENFORCES --> IDP
    OD -- BELONGS_TO --> O
    AF -- HAS_STEP --> AE
    AE -- HAS_STEP --> AE
    AF == NEXT_STEP ==> AE
    AE == NEXT_STEP ==> AE

Note

Regular links show relationships pulled from the Keycloak API; thick links are inferred by Cartography.

KeycloakRealm

Represents a Keycloak realm, which is a security domain where users, groups, roles, and other entities are managed.

| Field | Description |
| --- | --- |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier of the realm |
| name | The realm name (indexed for queries) |
| display_name | The display name of the realm |
| enabled | Whether the realm is enabled |
| not_before | Not before timestamp for security |
| default_signature_algorithm | Default signature algorithm for the realm |
| revoke_refresh_token | Whether refresh tokens should be revoked |
| refresh_token_max_reuse | Maximum reuse count for refresh tokens |
| access_token_lifespan | Lifespan of access tokens in seconds |
| access_token_lifespan_for_implicit_flow | Access token lifespan for implicit flow |
| sso_session_idle_timeout | SSO session idle timeout in seconds |
| sso_session_max_lifespan | Maximum SSO session lifespan in seconds |
| sso_session_idle_timeout_remember_me | SSO session idle timeout when remember me is enabled |
| sso_session_max_lifespan_remember_me | Maximum SSO session lifespan when remember me is enabled |
| offline_session_idle_timeout | Offline session idle timeout in seconds |
| offline_session_max_lifespan_enabled | Whether offline session max lifespan is enabled |
| offline_session_max_lifespan | Maximum offline session lifespan in seconds |
| client_session_idle_timeout | Client session idle timeout in seconds |
| client_session_max_lifespan | Maximum client session lifespan in seconds |
| client_offline_session_idle_timeout | Client offline session idle timeout in seconds |
| client_offline_session_max_lifespan | Maximum client offline session lifespan in seconds |
| access_code_lifespan | Access code lifespan in seconds |
| access_code_lifespan_user_action | Access code lifespan for user actions in seconds |
| access_code_lifespan_login | Access code lifespan for login in seconds |
| action_token_generated_by_admin_lifespan | Action token lifespan when generated by admin |
| action_token_generated_by_user_lifespan | Action token lifespan when generated by user |
| oauth2_device_code_lifespan | OAuth2 device code lifespan in seconds |
| oauth2_device_polling_interval | OAuth2 device polling interval in seconds |
| ssl_required | SSL requirement level for the realm |
| password_credential_grant_allowed | Whether password credential grant is allowed |
| registration_allowed | Whether user registration is allowed |
| registration_email_as_username | Whether email is used as username during registration |
| remember_me | Whether remember me functionality is enabled |
| verify_email | Whether email verification is required |
| login_with_email_allowed | Whether login with email is allowed |
| duplicate_emails_allowed | Whether duplicate emails are allowed |
| reset_password_allowed | Whether password reset is allowed |
| edit_username_allowed | Whether username editing is allowed |
| user_cache_enabled | Whether user cache is enabled |
| realm_cache_enabled | Whether realm cache is enabled |
| brute_force_protected | Whether brute force protection is enabled |
| permanent_lockout | Whether permanent lockout is enabled |
| max_temporary_lockouts | Maximum number of temporary lockouts |
| max_failure_wait_seconds | Maximum failure wait time in seconds |
| minimum_quick_login_wait_seconds | Minimum quick login wait time in seconds |
| wait_increment_seconds | Wait increment in seconds |
| quick_login_check_milli_seconds | Quick login check time in milliseconds |
| max_delta_time_seconds | Maximum delta time in seconds |
| failure_factor | Failure factor for brute force protection |
| events_enabled | Whether events are enabled |
| events_expiration | Events expiration time |
| admin_events_enabled | Whether admin events are enabled |
| admin_events_details_enabled | Whether admin event details are enabled |
| internationalization_enabled | Whether internationalization is enabled |
| default_locale | Default locale for the realm |
| password_policy | Password policy configuration |
| otp_policy_type | OTP policy type |
| otp_policy_algorithm | OTP policy algorithm |
| otp_policy_initial_counter | OTP policy initial counter |
| otp_policy_digits | Number of digits in OTP |
| otp_policy_look_ahead_window | OTP policy look ahead window |
| otp_policy_period | OTP policy period |
| otp_policy_code_reusable | Whether OTP codes are reusable |
| web_authn_policy_rp_entity_name | WebAuthn relying party entity name |
| web_authn_policy_rp_id | WebAuthn relying party ID |
| web_authn_policy_attestation_conveyance_preference | WebAuthn attestation conveyance preference |
| web_authn_policy_authenticator_attachment | WebAuthn authenticator attachment |
| web_authn_policy_require_resident_key | Whether WebAuthn requires resident key |
| web_authn_policy_user_verification_requirement | WebAuthn user verification requirement |
| web_authn_policy_create_timeout | WebAuthn create timeout |
| web_authn_policy_avoid_same_authenticator_register | Whether to avoid same authenticator registration |
| web_authn_policy_passwordless_rp_entity_name | WebAuthn passwordless relying party entity name |
| web_authn_policy_passwordless_rp_id | WebAuthn passwordless relying party ID |
| web_authn_policy_passwordless_attestation_conveyance_preference | WebAuthn passwordless attestation conveyance preference |
| web_authn_policy_passwordless_authenticator_attachment | WebAuthn passwordless authenticator attachment |
| web_authn_policy_passwordless_require_resident_key | Whether WebAuthn passwordless requires resident key |
| web_authn_policy_passwordless_user_verification_requirement | WebAuthn passwordless user verification requirement |
| web_authn_policy_passwordless_create_timeout | WebAuthn passwordless create timeout |
| web_authn_policy_passwordless_avoid_same_authenticator_register | Whether to avoid same authenticator registration for passwordless |
| keycloak_version | Version of Keycloak |
| user_managed_access_allowed | Whether user managed access is allowed |
| organizations_enabled | Whether organizations are enabled |
| verifiable_credentials_enabled | Whether verifiable credentials are enabled |
| admin_permissions_enabled | Whether admin permissions are enabled |
| social | Social login configuration |
| update_profile_on_initial_social_login | Whether to update profile on initial social login |
| o_auth2_device_code_lifespan | OAuth2 device code lifespan |
| o_auth2_device_polling_interval | OAuth2 device polling interval |
| bruteForceStrategy | Brute force protection strategy |
| default_role_id | ID of the default role |

Relationships

  • KeycloakRealm is the parent container for other Keycloak entities

    (:KeycloakRealm)-[:RESOURCE]->(
        :KeycloakClient,
        :KeycloakGroup,
        :KeycloakUser,
        :KeycloakRole,
        :KeycloakScope,
        :KeycloakIdentityProvider,
        :KeycloakOrganization,
        :KeycloakOrganizationDomain,
        :KeycloakAuthenticationFlow,
        :KeycloakAuthenticationExecution
    )
    

KeycloakClient

Represents a Keycloak client application that can request authentication and authorization services from the realm.

| Field | Description |
| --- | --- |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier of the client |
| client_id | The client identifier used in protocols |
| name | The name of the client |
| description | The description of the client |
| type | The type of the client |
| root_url | The root URL of the client |
| admin_url | The admin URL of the client |
| base_url | The base URL of the client |
| surrogate_auth_required | Whether surrogate authentication is required |
| enabled | Whether the client is enabled |
| always_display_in_console | Whether to always display in console |
| client_authenticator_type | The client authenticator type |
| registration_access_token | Registration access token |
| not_before | Not before timestamp for security |
| bearer_only | Whether this is a bearer-only client |
| consent_required | Whether user consent is required |
| standard_flow_enabled | Whether standard flow is enabled |
| implicit_flow_enabled | Whether implicit flow is enabled |
| direct_access_grants_enabled | Whether direct access grants are enabled |
| service_accounts_enabled | Whether service accounts are enabled |
| authorization_services_enabled | Whether authorization services are enabled |
| direct_grants_only | Whether only direct grants are allowed |
| public_client | Whether this is a public client |
| frontchannel_logout | Whether frontchannel logout is enabled |
| protocol | The protocol used by the client |
| full_scope_allowed | Whether full scope is allowed |
| node_re_registration_timeout | Node re-registration timeout |
| client_template | Client template reference |
| use_template_config | Whether to use template config |
| use_template_scope | Whether to use template scope |
| use_template_mappers | Whether to use template mappers |
| origin | Origin of the client |

Relationships

  • KeycloakClient belongs to a KeycloakRealm

    (:KeycloakClient)<-[:RESOURCE]-(:KeycloakRealm)
    
  • KeycloakClient has default and optional scopes

    (:KeycloakClient)-[:HAS_DEFAULT_SCOPE]->(:KeycloakScope)
    (:KeycloakClient)-[:HAS_OPTIONAL_SCOPE]->(:KeycloakScope)
    
  • KeycloakClient can have a service account

    (:KeycloakClient)-[:HAS_SERVICE_ACCOUNT]->(:KeycloakUser)
    
  • KeycloakClient uses Authentication flows

    (:KeycloakClient)-[:USES]->(:KeycloakAuthenticationFlow)
    

KeycloakGroup

Represents a group of users in Keycloak that can be used for organizing users and assigning roles.

| Field | Description |
| --- | --- |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier of the group |
| name | The name of the group |
| description | The description of the group |
| path | The hierarchical path of the group |

Relationships

  • KeycloakGroup belongs to a KeycloakRealm

    (:KeycloakGroup)<-[:RESOURCE]-(:KeycloakRealm)
    
  • KeycloakGroup can be a member of another group (hierarchical structure)

    (:KeycloakGroup)-[:SUBGROUP_OF]->(:KeycloakGroup)
    
  • KeycloakUser can be a member of groups

    (:KeycloakUser)-[:MEMBER_OF]->(:KeycloakGroup)
    
  • KeycloakUser can be an inherited member of groups (drawn by analysis job)

    (:KeycloakUser)-[:INHERITED_MEMBER_OF]->(:KeycloakGroup)
    
  • KeycloakGroup can grant roles

    (:KeycloakGroup)-[:GRANTS]->(:KeycloakRole)
    

KeycloakUser

Represents a user in the Keycloak realm with authentication and profile information.

| Field | Description |
| --- | --- |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier of the user |
| username | The username for authentication |
| first_name | The first name of the user |
| last_name | The last name of the user |
| email | The email address of the user |
| email_verified | Whether the email address is verified |
| self | Self reference field |
| origin | Origin of the user account |
| created_timestamp | Timestamp when the user was created |
| enabled | Whether the user account is enabled |
| totp | Whether TOTP is enabled for the user |
| federation_link | Federation link information |
| service_account_client_id | Client ID if this is a service account |
| not_before | Not before timestamp for security |
| user_profile_metadata_id | User profile metadata reference |
| credentials_id | Credentials reference |
| federated_identities_id | Federated identities reference |
| client_consents_id | Client consents reference |
| social_links_id | Social links reference |

Relationships

  • KeycloakUser belongs to a KeycloakRealm

    (:KeycloakUser)<-[:RESOURCE]-(:KeycloakRealm)
    
  • KeycloakUser can be a member of groups

    (:KeycloakUser)-[:MEMBER_OF]->(:KeycloakGroup)
    
  • KeycloakUser can be an inherited member of groups (drawn by analysis job)

    (:KeycloakUser)-[:INHERITED_MEMBER_OF]->(:KeycloakGroup)
    
  • KeycloakUser can have identity providers

    (:KeycloakUser)-[:HAS_IDENTITY]->(:KeycloakIdentityProvider)
    
  • KeycloakUser can assume Role (this can be direct definition or inherited from groups)

    (:KeycloakUser)-[:ASSUME_ROLE]->(:KeycloakRole)
    
  • KeycloakUser can assume Scope (drawn by analysis job)

    (:KeycloakUser)-[:ASSUME_SCOPE]->(:KeycloakScope)
    
  • KeycloakClient can have a service account

    (:KeycloakClient)-[:HAS_SERVICE_ACCOUNT]->(:KeycloakUser)
    
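
An added Cypher example, not part of the Cartography documentation, that audits who holds a given role in a realm and explains each inferred ASSUME_ROLE edge by looking for the raw MEMBER_OF, SUBGROUP_OF, GRANTS and INCLUDES path behind it. The realm name `example-realm` and the role name `realm-admin` are placeholders for your own values.

```cypher
// Added example: explain each inferred (:KeycloakUser)-[:ASSUME_ROLE]->(:KeycloakRole)
// edge for one role by finding the raw Keycloak relationships behind it.
// 'example-realm' and 'realm-admin' are placeholders for your realm and role.
MATCH (realm:KeycloakRealm {name: 'example-realm'})
MATCH (realm)-[:RESOURCE]->(role:KeycloakRole {name: 'realm-admin'})
MATCH (realm)-[:RESOURCE]->(u:KeycloakUser)-[:ASSUME_ROLE]->(role)
// A group path: the user is a member of a group, that group (or one of its
// ancestors, following SUBGROUP_OF upwards) grants a role, and that role is
// either the target itself or a composite that INCLUDES it.
OPTIONAL MATCH p = (u)-[:MEMBER_OF]->(:KeycloakGroup)-[:SUBGROUP_OF*0..5]->(g:KeycloakGroup)
                   -[:GRANTS]->(:KeycloakRole)-[:INCLUDES*0..5]->(role)
RETURN u.username AS user,
       u.enabled AS enabled,
       // non-null when the user is a client's service account
       u.service_account_client_id AS service_account_of,
       // no group path found: the role was assigned directly to the user,
       // or reached through a composite of a directly assigned role
       CASE WHEN p IS NULL
            THEN 'direct assignment (or composite of a directly assigned role)'
            ELSE 'group ' + g.path
       END AS granted_via,
       [n IN nodes(p) WHERE n:KeycloakRole | n.name] AS role_chain
ORDER BY user, granted_via
```

A user that is reachable through several groups returns one row per path, which is usually what you want when deciding which group membership to remove.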

KeycloakRole

Represents a role in Keycloak that defines permissions and can be assigned to users or groups.

| Field | Description |
| --- | --- |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier of the role |
| name | The name of the role (indexed for queries) |
| description | The description of the role |
| scope_param_required | Whether scope parameter is required |
| composite | Whether this is a composite role |
| client_role | Whether this is a client-specific role |
| container_id | The container ID (realm or client) |
| realm | The realm name for role lookup (indexed) |

Relationships

  • KeycloakRole belongs to a KeycloakRealm

    (:KeycloakRole)<-[:RESOURCE]-(:KeycloakRealm)
    
  • KeycloakRole can be defined by a client

    (:KeycloakClient)-[:DEFINES]->(:KeycloakRole)
    
  • KeycloakGroup can grant roles

    (:KeycloakGroup)-[:GRANTS]->(:KeycloakRole)
    
  • KeycloakRole can grant scopes

    (:KeycloakRole)-[:GRANTS]->(:KeycloakScope)
    
  • KeycloakRole can include another Role (composite roles)

    (:KeycloakRole)-[:INCLUDES]->(:KeycloakRole)
    
  • KeycloakUser can assume Role (this can be direct definition or inherited from groups)

    (:KeycloakUser)-[:ASSUME_ROLE]->(:KeycloakRole)
    

KeycloakScope

Represents a client scope in Keycloak that defines what access is requested or granted.

| Field | Description |
| --- | --- |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier of the scope |
| name | The name of the scope (indexed for queries) |
| description | The description of the scope |
| protocol | The protocol associated with the scope |
| include_in_token_scope | Whether to include in token scope |
| display_on_consent_screen | Whether to display on consent screen |
| realm | The realm name for scope lookup (indexed) |

Relationships

  • KeycloakScope belongs to a KeycloakRealm

    (:KeycloakScope)<-[:RESOURCE]-(:KeycloakRealm)
    
  • KeycloakClient has default and optional scopes

    (:KeycloakClient)-[:HAS_DEFAULT_SCOPE]->(:KeycloakScope)
    (:KeycloakClient)-[:HAS_OPTIONAL_SCOPE]->(:KeycloakScope)
    
  • KeycloakScope can be granted by roles

    (:KeycloakRole)-[:GRANTS]->(:KeycloakScope)
    
  • KeycloakUser can assume Scope (drawn by analysis job)

    (:KeycloakUser)-[:ASSUME_SCOPE]->(:KeycloakScope)
    

KeycloakIdentityProvider

Represents an external identity provider configured in Keycloak for federated authentication.

| Field | Description |
| --- | --- |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The internal unique identifier |
| alias | The alias of the identity provider (indexed for queries) |
| display_name | The display name of the identity provider |
| provider_id | The provider type identifier |
| enabled | Whether the identity provider is enabled |
| update_profile_first_login_mode | Profile update mode on first login |
| trust_email | Whether to trust email from the provider |
| store_token | Whether to store tokens from the provider |
| add_read_token_role_on_create | Whether to add read token role on create |
| authenticate_by_default | Whether to authenticate by default |
| link_only | Whether this provider is for linking only |
| hide_on_login | Whether to hide on login page |
| first_broker_login_flow_alias | First broker login flow alias |
| post_broker_login_flow_alias | Post broker login flow alias |
| organization_id | Organization ID if applicable |
| update_profile_first_login | Whether to update profile on first login |
| config_sync_mode | Configuration sync mode |

Relationships

  • KeycloakIdentityProvider belongs to a KeycloakRealm

    (:KeycloakIdentityProvider)<-[:RESOURCE]-(:KeycloakRealm)
    
  • KeycloakUser can have identity providers

    (:KeycloakUser)-[:HAS_IDENTITY]->(:KeycloakIdentityProvider)
    

KeycloakOrganization

Represents a Keycloak organization, which is a logical grouping of users, domains, and identity providers within a realm. Organizations provide a way to isolate and manage different business entities or departments within the same Keycloak realm.

| Field | Description |
| --- | --- |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier of the organization |
| name | The name of the organization |
| alias | The alias of the organization |
| enabled | Whether the organization is enabled |
| description | The description of the organization |
| redirect_url | The redirect URL for the organization |

Relationships

  • KeycloakOrganization belongs to a KeycloakRealm

    (:KeycloakOrganization)<-[:RESOURCE]-(:KeycloakRealm)
    
  • KeycloakOrganization can have managed and unmanaged user members

    (:KeycloakUser)-[:MANAGED_MEMBER_OF]->(:KeycloakOrganization)
    (:KeycloakUser)-[:UNMANAGED_MEMBER_OF]->(:KeycloakOrganization)
    
  • KeycloakOrganization can enforce identity providers

    (:KeycloakOrganization)-[:ENFORCES]->(:KeycloakIdentityProvider)
    

KeycloakOrganizationDomain

Represents a domain that belongs to a Keycloak organization. Organization domains define which email domains are associated with an organization, and can be verified to ensure proper domain ownership.

| Field | Description |
| --- | --- |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier of the organization domain |
| name | The domain name (indexed for queries) |
| verified | Whether the domain has been verified |

Relationships

  • KeycloakOrganizationDomain is a sub resource of a KeycloakRealm

    (:KeycloakOrganizationDomain)<-[:RESOURCE]-(:KeycloakRealm)
    
  • KeycloakOrganizationDomain belongs to an organization

    (:KeycloakOrganizationDomain)-[:BELONGS_TO]->(:KeycloakOrganization)
    

KeycloakAuthenticationFlow

Represents an authentication flow in Keycloak that defines the sequence of authentication steps and requirements for user authentication. Authentication flows control how users authenticate to the realm and can include various authentication mechanisms and requirements.

Important

Only root flows are modeled as a KeycloakAuthenticationFlow. In Keycloak, there’s also the concept of a subflow, which is tied one-to-one to an Execution. For simplicity in Cartography, these subflows are represented solely by a KeycloakAuthenticationExecution node. However, the subflow ID is still preserved as a field on the node.

| Field | Description |
| --- | --- |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier of the authentication flow |
| alias | The alias of the authentication flow (indexed for queries) |
| description | The description of the authentication flow |
| provider_id | The provider identifier for the authentication flow |
| top_level | Whether this is a top-level authentication flow |
| built_in | Whether this is a built-in authentication flow |
| realm | The realm name for flow lookup (indexed) |

Relationships

  • KeycloakAuthenticationFlow belongs to a KeycloakRealm

    (:KeycloakAuthenticationFlow)<-[:RESOURCE]-(:KeycloakRealm)
    
  • KeycloakAuthenticationFlow has authentication execution steps

    (:KeycloakAuthenticationFlow)-[:HAS_STEP]->(:KeycloakAuthenticationExecution)
    
  • KeycloakAuthenticationFlow is the starting point of an authentication flow

    (:KeycloakAuthenticationFlow)-[:NEXT_STEP]->(:KeycloakAuthenticationExecution)
    
  • KeycloakClient uses KeycloakAuthenticationFlow

    (:KeycloakClient)-[:USES]->(:KeycloakAuthenticationFlow)
    

Important

Cartography uses two distinct relationship types between Flows and Executions:

  • HAS_STEP is used to describe the composition as defined in Keycloak (e.g., a subflow will be linked to its two REQUIRED executions).

  • NEXT_STEP is used to describe the possible authentication flows. These are relationships inferred by Cartography (e.g., the subflow will only be connected to the first REQUIRED execution, which will in turn be connected to the third).

    graph LR
    F(KeycloakAuthenticationFlow) -- HAS_STEP --> E1(KeycloakAuthenticationExecution::REQUIRED_1)
    F -- HAS_STEP --> E2(KeycloakAuthenticationExecution::REQUIRED_2)
    F == NEXT_STEP ==> E1 == NEXT_STEP ==> E2
    
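
An added Cypher example, not part of the Cartography documentation, that follows the inferred NEXT_STEP chain from the flow a client uses to every execution Cartography flagged as a terminal step, so each possible login path can be reviewed for a second-factor step. It assumes the client has a USES edge to its flow; the client id `example-app` and the provider ids listed in `strong_factors` are placeholders to adjust to the executions present in your realm.

```cypher
// Added example: enumerate the possible authentication paths for one client by
// walking NEXT_STEP (inferred by Cartography) from its flow to every execution
// marked is_terminal_step, then flag paths that never pass a second-factor step.
// 'example-app' and the provider ids in strong_factors are placeholders.
MATCH (c:KeycloakClient {client_id: 'example-app'})-[:USES]->(f:KeycloakAuthenticationFlow)
MATCH p = (f)-[:NEXT_STEP*1..20]->(last:KeycloakAuthenticationExecution)
WHERE last.is_terminal_step = true
// Keep only the executions on the path (the first node of p is the flow itself).
WITH c, f,
     [n IN nodes(p) WHERE n:KeycloakAuthenticationExecution | n.provider_id] AS providers,
     [n IN nodes(p) WHERE n:KeycloakAuthenticationExecution | n.requirement] AS requirements
// Assumed set of second-factor provider ids; extend it for your realm.
WITH c, f, providers, requirements,
     ['auth-otp-form', 'webauthn-authenticator'] AS strong_factors
RETURN c.client_id AS client,
       f.alias AS flow,
       providers,
       requirements,
       any(x IN providers WHERE x IN strong_factors) AS has_second_factor
ORDER BY has_second_factor, size(providers)
```

Rows with `has_second_factor = false` are the paths to review first; because HAS_STEP lists every execution while NEXT_STEP lists only the reachable ones, a second factor that appears under HAS_STEP but on no NEXT_STEP path is one that can be bypassed.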

KeycloakAuthenticationExecution

Represents an individual authentication execution step within a Keycloak authentication flow. Authentication executions define specific authentication mechanisms, requirements, and their order within an authentication flow.

| Field | Description |
| --- | --- |
| firstseen | Timestamp of when a sync job first created this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | The unique identifier of the authentication execution |
| display_name | The display name of the authentication execution |
| requirement | The requirement level (REQUIRED, OPTIONAL, ALTERNATIVE, DISABLED) |
| description | The description of the authentication execution |
| configurable | Whether this execution is configurable |
| authentication_flow | Whether this execution references an authentication flow |
| provider_id | The provider identifier for the authentication execution |
| flow_id | The flow identifier if this execution references a flow |
| level | The nesting level of the execution |
| index | The index position within the flow |
| priority | The priority order of the execution |
| is_terminal_step | Flag to indicate if the Execution can be a terminal step in the workflow execution (this is inferred by Cartography) |

Relationships

  • KeycloakAuthenticationExecution belongs to a KeycloakRealm

    (:KeycloakAuthenticationExecution)<-[:RESOURCE]-(:KeycloakRealm)
    
  • KeycloakAuthenticationExecution is a part of a KeycloakAuthenticationFlow

    (:KeycloakAuthenticationFlow)-[:HAS_STEP]->(:KeycloakAuthenticationExecution)
    
  • KeycloakAuthenticationExecution can have sub-executions (for sub flows)

    (:KeycloakAuthenticationExecution)-[:HAS_STEP]->(:KeycloakAuthenticationExecution)
    
  • KeycloakAuthenticationExecution is an element of an authentication flow

    (:KeycloakAuthenticationExecution|KeycloakAuthenticationFlow)-[:NEXT_STEP]->(:KeycloakAuthenticationExecution)