@dominiktopp Thank you very much for your answer.
(alpha, test and production all use the same Keycloak istance? Sounds quite riskfull)
It’s like that, yes. The problem is that I have to find the actual user session, some discussion going on here: Getting UserSessionNotes returns null, while data persist
Furthermore, I have to get used to Java and the entire KeyCloak workflows. May be that my approach, implementing a User Storage Provider, is not the best way to solve that. Custom Authenticator may be the more suitable solution.