How do you draw the line between keycloak and your user profile in a web application?

I’ve been designing web applications for a very long time. I’ve implemented OIDC and LDAP before (and many times). It’s been drawn to my attention that all of this should have been handled by an IDP which would likely do it better and be more secure.

This is not a complex question, but I can’t find anyone answering it: where is the line between an IDP and a web application?

Should all of the profile information be stored in the IDP? What about transient state information that relates to a user, like last geographical coordinates that a client connected with? I’m curious to know if the Keycloak community has a consensus about this or has a guiding principle to divide between your application profile and your IDP? What about social links? etc?

Should all of the profile information be stored in the IDP?

Short answer: No.

Only information relevant to your identity use cases should be stored, and each identity attribute managed within the Access Manager solution should have a clear justification. If you’re using a full-featured IAM solution - including an Identity Management (IDM) module, which Keycloak does not provide - it becomes easier to enrich and maintain identity data across connected applications through the use of identity connectors.

Additionally, identity is often tied to contextual signals such as device, location, and behavior. These signals are typically leveraged to support adaptive authentication and fine-grained authorization decisions.

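The reply above draws the line at "attributes with an identity justification live in the IDP; everything else, including contextual signals, lives with the application". The following is an added example, not code from this thread or from Keycloak, showing one way an application can apply that split: it caches the IDP-owned claims of an already-validated ID token (signature, issuer, audience and expiry assumed checked elsewhere), keys its own profile row on the OIDC `sub` claim rather than on the e-mail, keeps application-owned fields (display name, social links) and transient context (last login coordinates) on its own side, and uses the distance between logins as a contextual signal for step-up. The claim values, the realm URL and the 500 km threshold are constructed assumptions.

```python
import math
import sqlite3

# Constructed claims of an already-validated ID token from a hypothetical
# Keycloak realm. All values are made up for this example.
FIRST_LOGIN = {
    "iss": "https://idp.example.test/realms/demo",
    "sub": "8a6b2c1e-0f3d-4e5a-9b7c-1d2e3f4a5b6c",
    "email": "alice@example.test",
    "email_verified": True,
    "preferred_username": "alice",
}
# Same subject later: the user changed their e-mail at the IDP, not in the app.
SECOND_LOGIN = dict(FIRST_LOGIN, email="alice.new@example.test")


def open_profile_store():
    """Application-side profile table. The IDP never sees the app-owned or
    context columns; the IDP-owned columns are only a cache."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profile ("
        " sub TEXT PRIMARY KEY,"                                     # OIDC subject: the only join key
        " email TEXT, email_verified INTEGER, preferred_username TEXT,"  # cached from the IDP
        " display_name TEXT, social_links TEXT,"                     # owned by the application
        " last_lat REAL, last_lon REAL)"                             # transient context
    )
    return conn


def upsert_on_login(conn, claims):
    """Create or refresh the row for the token's subject. IDP-owned columns are
    overwritten with the latest claims; app-owned columns and context are kept."""
    idp_values = (claims["email"], int(claims["email_verified"]), claims["preferred_username"])
    exists = conn.execute("SELECT 1 FROM profile WHERE sub = ?", (claims["sub"],)).fetchone()
    if exists:
        conn.execute(
            "UPDATE profile SET email = ?, email_verified = ?, preferred_username = ?"
            " WHERE sub = ?", idp_values + (claims["sub"],))
    else:
        conn.execute(
            "INSERT INTO profile (sub, email, email_verified, preferred_username)"
            " VALUES (?, ?, ?, ?)", (claims["sub"],) + idp_values)
    conn.commit()


def set_app_fields(conn, sub, display_name, social_links):
    """Application-owned data: edited in the app, never pushed to the IDP."""
    conn.execute("UPDATE profile SET display_name = ?, social_links = ? WHERE sub = ?",
                 (display_name, social_links, sub))
    conn.commit()


def _haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def record_login_context(conn, sub, lat, lon, threshold_km=500.0):
    """Store this login's coordinates and report whether the jump from the
    previous login is large enough that an adaptive policy would request
    step-up authentication. Returns (distance_km or None, step_up_required)."""
    row = conn.execute("SELECT last_lat, last_lon FROM profile WHERE sub = ?", (sub,)).fetchone()
    distance = None
    if row and row[0] is not None:
        distance = _haversine_km(row[0], row[1], lat, lon)
    conn.execute("UPDATE profile SET last_lat = ?, last_lon = ? WHERE sub = ?", (lat, lon, sub))
    conn.commit()
    return distance, distance is not None and distance > threshold_km


def get_profile(conn, sub):
    cur = conn.execute("SELECT * FROM profile WHERE sub = ?", (sub,))
    row = cur.fetchone()
    return dict(zip([d[0] for d in cur.description], row)) if row else None


def demo():
    """Two logins: the e-mail change at the IDP is picked up, the app-owned
    fields survive, and the Paris -> New York jump flags step-up."""
    conn = open_profile_store()
    sub = FIRST_LOGIN["sub"]
    upsert_on_login(conn, FIRST_LOGIN)
    set_app_fields(conn, sub, "Alice", "https://social.example.test/alice")
    record_login_context(conn, sub, 48.8566, 2.3522)                 # constructed: Paris
    upsert_on_login(conn, SECOND_LOGIN)                              # e-mail changed at the IDP
    _, step_up = record_login_context(conn, sub, 40.7128, -74.0060)  # constructed: New York
    return get_profile(conn, sub), step_up


if __name__ == "__main__":
    profile, step_up = demo()
    print(profile)
    print("step-up required:", step_up)
```

Two design points the split depends on: the row is keyed on `sub`, because an e-mail can change at the IDP (as the second login shows) while the subject identifier stays stable; and the cached IDP columns are treated as read-only in the application, so there is never a question of which side wins when they disagree.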

Do you have an open source example of this I can look at to learn more about the distinction between an IDM and an IAM? Keycloak has properties in the back, and I believe OIDC can provide any amount of information about a user. Is there ever a point you would not keep that information in Keycloak?