I am looking to synchronize users and their assigned roles between Keycloak and my application.
For this functionality, I was able to find the Event SPI and create my own custom listener. By listening to Admin events for User/Role assignments, my listener can fire off events to my application to mimic the behavior.
However, I’ve noticed when users are added to Keycloak through other sources (a Federated Source such as LDAP, or an Identity Provider), this does not fire off the same event, making it impossible for the Event SPI to pick up the action.
Is this the intended behavior? Is the Event SPI limited to actions performed manually in the admin console, or through a direct web call to Keycloak?
I understand that another option available is to extend existing Identity/Federated Providers to intercept the message there, but my concern is that would then ignore any changes made afterwards in Keycloak itself, unless I combine it with the Event SPI.
Is there any other functionality in Keycloak to help perform this task?
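An added example (not code from the original post) of the kind of Event SPI listener the question describes: it forwards realm and client role-mapping changes from Admin events and, in the same provider, the user-level events Keycloak does emit when a brokered user first logs in or self-registers. The package name, the `forward` helper and the exact shape of `getResourcePath()` are assumptions; the Keycloak SPI types are real.

```java
package com.example.sync; // hypothetical package

import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;

public class RoleSyncEventListener implements EventListenerProvider {

    @Override
    public void onEvent(Event event) {
        // User (non-admin) events: first login through an identity provider, or
        // self-registration, is the Event SPI signal that a new user has appeared.
        EventType t = event.getType();
        if (t == EventType.IDENTITY_PROVIDER_FIRST_LOGIN || t == EventType.REGISTER) {
            forward("user-created", event.getRealmId(), event.getUserId(), null);
        }
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        ResourceType type = event.getResourceType();
        if (type != ResourceType.REALM_ROLE_MAPPING && type != ResourceType.CLIENT_ROLE_MAPPING) {
            return;
        }
        // Assumed path layout: "users/<userId>/role-mappings/realm" or
        // "users/<userId>/role-mappings/clients/<clientId>". Group mappings use
        // "groups/<groupId>/..." and are deliberately skipped here.
        String[] parts = event.getResourcePath().split("/");
        if (parts.length < 2 || !"users".equals(parts[0])) {
            return;
        }
        OperationType op = event.getOperationType();
        String action = op == OperationType.CREATE ? "roles-added"
                : op == OperationType.DELETE ? "roles-removed" : null;
        if (action == null) {
            return;
        }
        // The JSON role list is only populated when the realm's event config
        // has "Include representation" enabled; otherwise this is null.
        forward(action, event.getRealmId(), parts[1], event.getRepresentation());
    }

    // Hypothetical hook: replace with the call to the application's sync endpoint.
    private void forward(String action, String realmId, String userId, String rolesJson) {
        System.out.printf("%s realm=%s user=%s roles=%s%n", action, realmId, userId, rolesJson);
    }

    @Override
    public void close() {
    }
}
```

The provider still needs an `EventListenerProviderFactory` registered under `META-INF/services/org.keycloak.events.EventListenerProviderFactory` and enabled in the realm's event settings before Keycloak will call it.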