Identity and Access Management (IAM) systems such as Keycloak record authentication and authorization events, yet their audit logs are not verifiable by end users. We present a Keycloak extension that integrates Merkle-tree commitments into the event pipeline, producing salted receipts grouped into hourly batches and published via a REST API. A lightweight toolset enables batch verification, inclusion proofs, and tamper detection, while signed commitments strengthen trust against server-side rewriting. Evaluation on real event data shows the system detects even minimal modifications and history inconsistencies. Overall, Merkle-based commitments provide an efficient, transparent, and tamper-evident audit mechanism that enhances user-centric access control.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Enhancing Keycloak with Verifiable Audit Trails for Identity and Access Management - A Merkle Tree Approach

  • Ştefania Ştefănescu,
  • Mirabela Medvei

摘要

Identity and Access Management (IAM) systems such as Keycloak record authentication and authorization events, yet their audit logs are not verifiable by end users. We present a Keycloak extension that integrates Merkle-tree commitments into the event pipeline, producing salted receipts grouped into hourly batches and published via a REST API. A lightweight toolset enables batch verification, inclusion proofs, and tamper detection, while signed commitments strengthen trust against server-side rewriting. Evaluation on real event data shows the system detects even minimal modifications and history inconsistencies. Overall, Merkle-based commitments provide an efficient, transparent, and tamper-evident audit mechanism that enhances user-centric access control.