Complex Keycloak Customization


I currently have multiple organically grown services holding different types of user profile data, each with its own authentication system. Some of this data is currently being synced in an N times M fashion between services if service A needs some user attributes from B (possibly for an authorization decision).

The decision was made to remove all authentication and authorization concerns from these services and introduce centralized IAM. This means I need to aggregate data from all existing services into custom user attributes, groups, custom group attributes, roles, and memberships… Clients would then be able to access the required user data using OIDC instead of consulting multiple other systems.

Additionally, I need to handle partial user profiles gracefully. Customers of only A would register using form A. If they ever use B, they would need to somehow provide the missing B-data.

  • How should I go about this? Is this essentially one huge Storage SPI provider which consults all sources of data? Is there a better way?

  • Can this handling of partial profile data be implemented with multiple self-registration forms, login forms, and custom flows?

I am a reasonably experienced Java developer, but unfortunately a bleeding Keycloak novice. I’m hoping for an expert’s opinion and maybe a few pointers.