Defining custom OIDC provider with delegating authentication to another OIDC provider and using own authorization database

Hi,
I wanted to ask about your ideas on how to solve the problem that I have to solve in my application (App1). Is it possible to use Keyclock for such requirement?

This is the classic Fronted + Backend (Angular + Java EE) application to which I am currently adding authentication and authorization. However, the matter does not seem to be simple for several reasons. First, there are different kinds of customers who will use this application:

  1. end-user using GUI (Angular calls the Backend API)
  2. end-users using direct backend API
  3. another system calling the API backend

In addition, I have an OIDC provider (OIDC_Organization) available in my organization - unfortunately it can only authenticate users. Does not return any information about roles. And my application also needs information about which roles belong to the logged in user. For this reason, I would like to build my own OIDC system (OIDC_Internal), which would delegate authentication to an existing system (OIDC_Organization) in the organization. And from the database I manage (Permission_DB) it would read user permissions / roles. I would return such combined information (id user + role) in new OAuth token(s) to my application. However, I would not like to implement from scratch the entire OIDC system (OIDC_Internal). There must be for sure best options for this. The another problem is also that I can’t put any technical users in OIDC_Organization. Only real users are there. So for option (1) and (2) I can use OIDC_Organization but for option (3) I need to have a user account in a different place (e.g. in the authorization database that I have -> Permission_DB).

Below is the diagram (Image-1) that seems necessary to ensure security for my application. I assume that Authorization Code Flow will be used for the communication of App1-> OIDC_Internal and OIDC_Internal-> OIDC_Organization.

On the Image-2 I draw user’s technical connection (ApiCli) to the system (I assume, the Credential Grant Flow will be used here.)

I was thinking about using Keyclock as a kind of proxy-provider but I don’t know if this solution is even possible to implement. For example I don’t want to show Keyclock’s login page - the login page provided by OIDC_Organization would be sufficient. Maybe would you suggest writing your own solution using some Oauth / OIDC / JWT support libraries?

I would be very grateful for any ideas.
Best Regards,
Peter

IMHO https://www.keycloak.org/docs/latest/server_admin/#_identity_broker will solve your use case.