Getting data from keycloak

Hi! What is the best practice for getting information about all users?

I am creating an SPA (Spring + React) using Keycloak (for now, communication between FE <-> Keycloak and FE <-> BE is handled via the OpenID implicit flow). I decided to store all information about users, with custom attributes, in Keycloak, and in my own database information about vacancies, with a one-to-many relationship (one user can post many vacancies).

When an unauthorized user opens our application, we should list all vacancies (authorized users are also able to create vacancies) with information about other users, so to do that I thought of 3 options:

  1. Create a special user in Keycloak with the “view-users” role for the backend, so it could go to Keycloak and get all the info. (Could there be any security/performance drawbacks?)
  2. Duplicate the user table in my DB and insert user information each time someone creates a new vacancy (I would have to always synchronize my table with the Keycloak one).
  3. Implement a custom Keycloak User Storage Provider, but, as I saw in the admin console, there is no “readonly-property file” option in the “User Federation” section in the latest Keycloak versions.

So, what should I do? Looking forward to any advice. Thank you in advance!

It depends on how much information about the user your application needs and how frequently. Firstly, in Keycloak you should only keep user profile details and not application-specific data about users.

When listing vacancies, do you need any information about the users? If so, what information do you need?

Yes, when listing vacancies I need to provide the non-authorized user with information about who posted the vacancy, so they can contact them (this includes full name, e-mail, and phone number as a custom attribute).

What I’d do in that case is to keep a copy of the required attributes in the app database, then sync it. The easiest way to sync would be to update the attributes in the app database if they’ve changed when the user logs in (basically just compare values from the ID token with values in the app database).

You can also use a custom event listener to push changes to your app database. In the future we are aiming to have a better user event listener, including support for making REST calls, but it will still be a while until we have that.
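The on-login sync described in this reply, as an added example that is not part of the original thread: Python with an in-memory SQLite table standing in for the Spring app database. The claim names, the `phone_number` custom attribute mapped into the token, and the `app_user` table are assumptions, and the ID token is assumed to have already been validated (signature, issuer, audience, expiry) by the OIDC library before its claims reach this function.

```python
import sqlite3

# Profile attributes the app keeps a copy of, keyed by ID-token claim name.
# "phone_number" is assumed to be a Keycloak custom attribute mapped into the token.
SYNCED_CLAIMS = ("name", "email", "phone_number")


def open_db():
    """Create the in-memory app database used by this example (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS app_user ("
        "sub TEXT PRIMARY KEY, name TEXT, email TEXT, phone_number TEXT)"
    )
    return conn


def sync_user_from_id_token(conn, claims):
    """Upsert the user's profile copy from already-validated ID-token claims.

    Returns the list of attribute names that were written (empty when the app
    database already matched the token). The caller must have verified the
    token's signature, issuer, audience and expiry before calling this.
    """
    sub = claims.get("sub")
    if not sub:
        raise ValueError("ID token has no 'sub' claim")
    incoming = {c: claims.get(c) for c in SYNCED_CLAIMS}
    row = conn.execute(
        "SELECT name, email, phone_number FROM app_user WHERE sub = ?", (sub,)
    ).fetchone()
    if row is None:
        # First login: create the local copy with every synced attribute.
        conn.execute(
            "INSERT INTO app_user (sub, name, email, phone_number) VALUES (?, ?, ?, ?)",
            (sub, incoming["name"], incoming["email"], incoming["phone_number"]),
        )
        conn.commit()
        return list(SYNCED_CLAIMS)
    current = dict(zip(SYNCED_CLAIMS, row))
    changed = [c for c in SYNCED_CLAIMS if current[c] != incoming[c]]
    if changed:
        # Column names come from the fixed SYNCED_CLAIMS tuple, never from the token.
        sets = ", ".join(f"{c} = ?" for c in changed)
        conn.execute(f"UPDATE app_user SET {sets} WHERE sub = ?",
                     [incoming[c] for c in changed] + [sub])
        conn.commit()
    return changed
```

Plugging this into the login callback keeps the vacancy listing's contact details in the app database current without granting the backend the `view-users` role or calling the Admin REST API on every page view.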

Is this still the best practice, to save the data redundantly? You said that in the future REST calls will be supported; do you mean the Keycloak Admin REST API? Because in my opinion saving user information in both the app DB and the Keycloak DB seems like an anti-pattern?

Isn’t it a better idea to get the needed Keycloak user information from the ID token, if available, and if not to make REST calls with the Keycloak Admin REST API?