Integrating user entitlements from proprietary dynamic data source

Good morning…

I have a problem that I am trying to solve, and would like some advice on how
to proceed. Our current Keycloak implementation details:

  • Keycloak 14
  • Working authentication flow that uses an external identity provider (LDAP)
  • Provides an OIDC token with attributes mapped from LDAP

What we want to accomplish is the retrieval of entitlements that are maintained
in a separate, non-LDAP data store, and mapping those entitlements to one or more
attributes on a Keycloak user. We would want this to happen when a user is
authenticated by Keycloak, and for updates to those attributes to occur periodically
because the entitlements can change over time with adds, updates and deletes.
Our preference would be for the periodic updates to occur only for “active” users
(i.e. those users who have active tokens or have been authenticated within a
certain period of time, like the last week), rather than every local user.

In looking through the documentation, it seems like the best way to obtain user
attributes, memberships, etc. from a proprietary data store would be to implement
a User Storage Provider, and that implementing the ImportSynchronization interface
on the provider factory would get us the periodic updates. But I’m still not 100%
clear from the documentation and source code if this is the right approach.

So my question is, is the User Storage Provider and ImportSynchronization
approach the right path for what we’re looking to accomplish, especially since we’re
dealing with proprietary dynamic data sources? Or am I missing something that is
simpler, or perhaps better suited to the problem at hand?

All questions and critiques welcome - and thank you very much in advance!


That is one way, but you can also write an extension that adds claims to a token with the result of calling an external service. There is one such PoC here: GitHub - bcgov/moh-external-api-protocol-mapper (Keycloak OIDC protocol mapper demo), and an article about that approach here: “Adding an ‘external API call’ attribute to JWT Token in Keycloak” by Rafael Faita (Javarevisited, Medium).
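As an added illustration of the protocol-mapper approach suggested in the reply above (this is example code written for this page, not the linked PoC, the Medium article, or anything from Keycloak itself), here is a custom OIDC protocol mapper that fetches a user's entitlements from an external HTTP service at token issuance and emits them as a claim. Because a protocol mapper runs on every token issuance, refresh grants included, "active" users are re-evaluated automatically; a per-session cache with a TTL keeps the external service out of the hot path on every refresh. The class, package, configuration keys, the note names, the URL layout (`<base>/<username>`), the bearer credential and the JSON-array response format are all assumptions made for the example. Note the caveat for the original question: a mapper only puts data in the token; it does not store anything as an attribute on the Keycloak user record, so if other consumers (admin console, other mappers) need the entitlements as user attributes, the User Storage Provider route is still the one to take.

```java
package example.keycloak.mappers; // hypothetical package for this example

import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;
import org.keycloak.util.JsonSerialization;

// Example mapper (not Keycloak's own code): adds an entitlements claim looked up from an
// external service. Runs on every token issuance, including refresh, so active sessions
// are re-evaluated on their own; the session-note cache below bounds the call rate.
// Register it in META-INF/services/org.keycloak.protocol.ProtocolMapper.
public class ExternalEntitlementsMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String PROVIDER_ID = "external-entitlements-mapper"; // hypothetical id
    static final String ENDPOINT_URL = "entitlements.url";     // hypothetical config keys
    static final String SERVICE_SECRET = "entitlements.secret";
    private static final String NOTE_VALUE = "ext-entitlements.value";       // hypothetical note names
    private static final String NOTE_FETCHED_AT = "ext-entitlements.fetchedAt";
    private static final Duration CACHE_TTL = Duration.ofMinutes(5);    // re-fetch cadence for active sessions
    private static final Duration HTTP_TIMEOUT = Duration.ofSeconds(2); // keep token issuance bounded
    private static final Logger LOG = Logger.getLogger(ExternalEntitlementsMapper.class);
    private static final HttpClient HTTP = HttpClient.newBuilder().connectTimeout(HTTP_TIMEOUT).build();
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        CONFIG.add(new ProviderConfigProperty(ENDPOINT_URL, "Entitlements endpoint",
                "Base URL; the username is appended as a path segment", ProviderConfigProperty.STRING_TYPE, null));
        CONFIG.add(new ProviderConfigProperty(SERVICE_SECRET, "Service bearer token",
                "Credential Keycloak presents to the entitlements service", ProviderConfigProperty.PASSWORD, null));
        CONFIG.add(new ProviderConfigProperty(OIDCAttributeMapperHelper.MULTIVALUED, "Multivalued",
                "Emit the claim as a JSON array (otherwise only the first entry is emitted)",
                ProviderConfigProperty.BOOLEAN_TYPE, "true"));
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, ExternalEntitlementsMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Entitlements (external service)"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Adds entitlements looked up from an external service."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel model, UserSessionModel userSession,
                            KeycloakSession session, ClientSessionContext ctx) {
        // mapClaim honours the configured claim name and multivalued flag; an empty list yields no claim.
        OIDCAttributeMapperHelper.mapClaim(token, model, cachedOrFetch(model, userSession));
    }

    private List<String> cachedOrFetch(ProtocolMapperModel model, UserSessionModel userSession) {
        String fetchedAt = userSession.getNote(NOTE_FETCHED_AT);
        String cached = userSession.getNote(NOTE_VALUE);
        long now = System.currentTimeMillis();
        try {
            if (fetchedAt != null && cached != null && now - Long.parseLong(fetchedAt) < CACHE_TTL.toMillis()) {
                return Arrays.asList(JsonSerialization.readValue(cached, String[].class));
            }
            List<String> fresh = fetch(model, userSession.getUser().getUsername());
            if (fresh != null) { // only successful lookups are cached; a failure is retried on the next token
                userSession.setNote(NOTE_VALUE, JsonSerialization.writeValueAsString(fresh));
                userSession.setNote(NOTE_FETCHED_AT, Long.toString(now));
                return fresh;
            }
        } catch (IOException e) {
            LOG.warn("entitlements cache read/write failed", e);
        }
        // Fail closed: an outage of the entitlements service must not grant anything.
        return Collections.emptyList();
    }

    // Returns the user's entitlements, or null if the service could not be consulted.
    private List<String> fetch(ProtocolMapperModel model, String username) {
        String base = model.getConfig().get(ENDPOINT_URL);
        String secret = model.getConfig().get(SERVICE_SECRET);
        if (base == null || secret == null) { LOG.warn("entitlements mapper is not configured"); return null; }
        // The username originates in LDAP, not in this code: encode it before it becomes part of a URL.
        String url = base.replaceAll("/+$", "") + "/" + URLEncoder.encode(username, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(url)).timeout(HTTP_TIMEOUT)
                .header("Authorization", "Bearer " + secret).header("Accept", "application/json").GET().build();
        try {
            HttpResponse<String> resp = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
            if (resp.statusCode() == 404) return Collections.emptyList(); // unknown user: no entitlements
            if (resp.statusCode() != 200) {
                LOG.warnf("entitlements lookup for %s returned HTTP %d", username, resp.statusCode());
                return null;
            }
            return Arrays.asList(JsonSerialization.readValue(resp.body(), String[].class));
        } catch (IOException | InterruptedException e) {
            LOG.warnf(e, "entitlements lookup for %s failed", username);
            return null;
        }
    }
}
```

To use it, package the class in a JAR with a `META-INF/services/org.keycloak.protocol.ProtocolMapper` file naming it, deploy it to the Keycloak server, then add the mapper to the client (or a client scope) with the endpoint, the service credential, the claim name and Multivalued switched on. Two points a practitioner would check before trusting this in production: the external service is now on the token-issuance critical path, so the timeout and the fail-closed behaviour above decide what a service outage does to logins (nobody gains entitlements, but everybody's tokens lose them until the service is back); and the cache TTL, not the token lifetime, sets how long a revoked entitlement survives for a user who keeps refreshing.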