Enhancing Keycloak with Verifiable Audit Trails for Identity and Access Management - A Merkle Tree Approach
摘要
Identity and Access Management (IAM) systems such as Keycloak record authentication and authorization events, yet their audit logs are not verifiable by end users. We present a Keycloak extension that integrates Merkle-tree commitments into the event pipeline, producing salted receipts grouped into hourly batches and published via a REST API. A lightweight toolset enables batch verification, inclusion proofs, and tamper detection, while signed commitments strengthen trust against server-side rewriting. Evaluation on real event data shows the system detects even minimal modifications and history inconsistencies. Overall, Merkle-based commitments provide an efficient, transparent, and tamper-evident audit mechanism that enhances user-centric access control.