Senior Keycloak Specialist

  • Remote

Job Description:

We are building Keymate, a next-generation identity and access management (IAM) platform designed for modern API security, fine-grained authorization, and enterprise-scale governance.

As part of our journey, we are seeking a Senior Keycloak Specialist to lead the customization, integration, and extension of Keycloak in highly secure, multi-tenant, and dynamic access control environments.

You'll be responsible for advanced Keycloak engineering—including SPI development, custom authenticators, token exchange, impersonation flows, ReBAC integration, and Kubernetes-native deployment models.

To maintain our global agility, this role is open as a B2B / Independent Contractor position. This allows us to work with the best talent regardless of their local labor laws, offering you a competitive international rate and the flexibility to manage your own workspace.


What You'll Do

  • Extend and customize Keycloak to enable complex IAM scenarios
  • Implement custom authenticators, token mappers, and SPI-based extensions
  • Design impersonation, delegation, and just-in-time role elevation flows
  • Integrate external IdPs using SAML2, OIDC, and legacy federation bridges
  • Collaborate with FGAC (Fine-Grained Access Control) and OpenFGA teams to support ReBAC models
  • Enable secure multi-tenant login and session isolation for B2B/B2C use cases
  • Work closely with our API Gateway, OpenMetadata, and EventHub teams to deliver metadata-aware access decisions
  • Deploy and operate Keycloak in Kubernetes-based HA architectures
  • Improve observability and performance using OpenTelemetry, Kafka, and structured logs


What We're Looking For

  • 5+ years of hands-on experience with Keycloak, including internals
  • Proficiency in OAuth2, OIDC, SAML2, and token exchange mechanisms
  • Strong Java development skills; experience with Quarkus is a plus
  • SPI development: authenticators, token mappers, event listeners, protocol mappers
  • Experience with high-traffic, production-grade deployments
  • Kubernetes, Helm, and GitOps-friendly practices
  • Understanding of delegation, impersonation, multi-session login, and token binding strategies
  • Familiarity with gRPC APIs, Kafka, Audit Logging, and OpenTelemetry-based observability


Nice to Have

  • Knowledge of OpenFGA, ReBAC models, or FGAC enforcement via API gateways
  • Experience integrating Keycloak with external metadata systems (like OpenMetadata)
  • Awareness of privacy-first design and compliance standards (GDPR/KVKK)
  • Familiarity with log streaming, policy insights, and runtime decision auditing


What We Offer

  • A chance to build one of the most advanced IAM products in the market
  • Deep technical collaboration with experts in IAM, API security, and policy engines
  • Fully remote work environment with async-friendly culture
  • Opportunity to lead the IAM foundation of a fast-scaling engineering team


Note: This position requires deep engineering involvement in Keycloak—not just using it as an admin. If you're excited about extending Keycloak for complex enterprise IAM needs, we want to meet you.