How can I correctly invoke a specific User Storage SPI based on OIDC clientId (or other parameter)?

QUESTION: How can I correctly invoke a specific User Storage SPI in OIDC authentication flow, given that we have multiple User Storage SPIs and need to select a particular one based on the current OIDC client’s clientId (or another parameter)?

Specific example (using Keycloak 24.0.3):

At the moment, there are two implemented user storage providers: AlphaUSP and BravoUSP. For OIDC clients with clientId = ‘bravo’, I want to add custom logic for the getUserByUsername(RealmModel realmModel, String userName) method. The logic is as follows: if the user is not found in the internal Keycloak DB, the user is fetched from an external service by making a REST API call. Therefore, I implement this logic in the getUserByUsername() method of BravoUSP.

An IMPORTANT nuance is that I want this logic to be executed ONLY for clients with clientId = “bravo”, and I don’t want the getUserByUsername() method in AlphaUSP to be executed if the user is not found by BravoUSP.

We plan to achieve this by using the following workaround:

In BravoUSP:

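// BravoUSP: answer only when the current request belongs to the "bravo" client.
getUserByUsername(...) {
    // The Optional chain guards against a request context with no client set.
    String clientId = Optional.ofNullable(keycloakSession.getContext().getClient())
            .map(ClientModel::getClientId)
            .orElse(null);
    if (!"bravo".equals(clientId)) {
        return null; // not the "bravo" client: this provider yields no user
    }
    return getUserFromExternalAPI(...);
}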

In AlphaUSP:

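// AlphaUSP: answer only when the current request belongs to the "alpha" client.
getUserByUsername(...) {
    // The Optional chain guards against a request context with no client set.
    String clientId = Optional.ofNullable(keycloakSession.getContext().getClient())
            .map(ClientModel::getClientId)
            .orElse(null);
    if (!"alpha".equals(clientId)) {
        return null; // not the "alpha" client: this provider yields no user
    }
    return findUser(...);
}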

Is this workaround a good approach (returning null for alien clientIds)? If not, please advise on a better solution.

The UserStorageSPI is not designed to support such a use case. If you really want to get annoyed, you'll have to go with lots of ugly code in user storage and authenticators. Good luck.
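
A simplified model of the workaround from the question, added here as an example and not code from the post or from Keycloak: the `GatedProvider` record, the lookup chain (providers asked in order, first result wins) and the sample client ids are assumptions. It shows the case the gating leaves open: a request from any other client, or one with no client in context, gets no user from either provider.

```java
import java.util.List;
import java.util.Optional;
import java.util.function.Supplier;

// Simplified stand-in for the workaround in the question; no Keycloak classes are used.
public class ClientGatedLookupDemo {

    // Hypothetical stand-in for a user storage provider gated on one clientId.
    record GatedProvider(String name, String allowedClientId, Supplier<String> currentClientId) {
        // Mirrors the posted check: no result unless the request's client is the allowed one.
        Optional<String> getUserByUsername(String username) {
            if (!allowedClientId.equals(currentClientId.get())) {
                return Optional.empty();
            }
            return Optional.of(username + "@" + name);
        }
    }

    // Assumed model of the lookup chain: providers are asked in order, first hit wins.
    static Optional<String> lookup(List<GatedProvider> chain, String username) {
        return chain.stream()
                .map(p -> p.getUserByUsername(username))
                .flatMap(Optional::stream)
                .findFirst();
    }

    public static void main(String[] args) {
        // Constructed request context; a null entry models a request with no client bound.
        String[] client = new String[1];
        Supplier<String> ctx = () -> client[0];
        List<GatedProvider> chain = List.of(
                new GatedProvider("AlphaUSP", "alpha", ctx),
                new GatedProvider("BravoUSP", "bravo", ctx));

        // Constructed client ids: the two gated ones, an unrelated client, and no client at all.
        for (String id : new String[] {"bravo", "alpha", "other-app", null}) {
            client[0] = id;
            System.out.printf("client=%-10s -> %s%n", id,
                    lookup(chain, "jdoe").orElse("user not found"));
        }
    }
}
```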