Keto only does authorization, independent of users, devices, bots, applications, ... Basically you store your ACLs there and then ask "is _subject_ allowed to do _relation_ on _object_". All the variables are whatever you define them to be.

Check out https://github.com/ory/kratos, our identity server. Or https://github.com/ory/hydra, our OAuth2 server. All of them together can be assembled to have something like Keycloak.