Keycloak Users Management

I have a google cloud instance with Keycloak installed on it. Keycloak is connected to an external database that contains its tables. I use Keycloak for SSO on multiple applications. Each application has different business logic. In simple words, they’re completely separate.

My problem is that I don’t know what the best practice is for connecting users in the Keycloak database to the database of each app. Should I replicate users in each app, or is it enough to create rows based on the user IDs that come from the Keycloak tokens?

In normal behavior, we would have a primary/foreign key relationship between the users table and, for example, the orders table. But now the users table is in a totally different database. So, what is the correct way to save my data in each app and keep it related to my users in Keycloak?

It is a common practice to use the user id/sub that comes back in the token from Keycloak. It’s not strictly a “foreign key relationship”, because it is not enforced as such by the database, but I have seen this in many use cases.

What about each app’s database? Should I create a user table to store user IDs for Hibernate and ORM?

That’s up to you. If you had a table in your app databases that was simply the Keycloak user UUID, that would allow you to enforce a local foreign key constraint in that database.
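The pattern the two answers above describe, as an added example that is not code from the original post: a local `app_user` table whose primary key is the Keycloak `sub` (a UUID), an idempotent "create on first sight" step, and an `orders` table with a real foreign key back to it. The example assumes the access token has already been verified (signature, issuer, audience, expiry) by the app's OIDC middleware and that only the `sub` claim reaches this layer; it uses SQLite as a stand-in for the app database, so the `PRAGMA foreign_keys = ON` line is SQLite-specific (PostgreSQL and MySQL/InnoDB enforce foreign keys by default). The sample `sub` value and the table and function names are constructed for the example.

```python
"""Local-user-table pattern for an app that authenticates through Keycloak.

Added example, not code from the original post. Assumptions:
  - the token has already been verified by the app's OIDC middleware;
    only the `sub` claim (Keycloak user id, a UUID) is consumed here,
  - SQLite stands in for the app's real database.
"""
import sqlite3
import uuid

# Schema: the local user row carries nothing but the Keycloak sub, which is
# stable for the life of the account (unlike username or email, which can change).
SCHEMA = """
CREATE TABLE app_user (
    keycloak_sub TEXT PRIMARY KEY,
    first_seen   TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE TABLE orders (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    keycloak_sub TEXT NOT NULL REFERENCES app_user(keycloak_sub),
    total_cents  INTEGER NOT NULL CHECK (total_cents >= 0)
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite does not enforce REFERENCES clauses unless asked to.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def validate_sub(sub: str) -> str:
    """Reject anything that is not a UUID before it is used as a key.

    Raises ValueError on malformed input; returns the canonical lowercase form
    so the same user never ends up under two differently-cased keys.
    """
    return str(uuid.UUID(sub))


def ensure_user(conn: sqlite3.Connection, sub: str) -> str:
    """Create the local user row the first time this sub is seen; no-op afterwards.

    Called on every authenticated request (or at login), this replaces
    replicating Keycloak's user table: the app stores only the key it needs.
    """
    sub = validate_sub(sub)
    conn.execute(
        "INSERT OR IGNORE INTO app_user (keycloak_sub) VALUES (?)", (sub,)
    )
    return sub


def create_order(conn: sqlite3.Connection, sub: str, total_cents: int) -> int:
    """Insert an order; the database rejects it if the sub has no local user row."""
    cur = conn.execute(
        "INSERT INTO orders (keycloak_sub, total_cents) VALUES (?, ?)",
        (validate_sub(sub), total_cents),
    )
    return cur.lastrowid


def orders_for(conn: sqlite3.Connection, sub: str) -> list:
    """Return (id, total_cents) rows for one user, scoped by the token's sub."""
    return conn.execute(
        "SELECT id, total_cents FROM orders WHERE keycloak_sub = ? ORDER BY id",
        (validate_sub(sub),),
    ).fetchall()


def demo() -> dict:
    """Walk through first login, repeat login, two orders, and an FK violation."""
    conn = open_db()
    sub = "3fa85f64-5717-4562-b3fc-2c963f66afa6"  # constructed sample sub claim

    ensure_user(conn, sub)          # first request from this user: row created
    ensure_user(conn, sub)          # later request: nothing duplicated
    create_order(conn, sub, 1999)
    create_order(conn, sub, 500)

    user_count = conn.execute("SELECT COUNT(*) FROM app_user").fetchone()[0]

    # An order for a sub that was never registered locally must fail at the
    # database, which is the local foreign-key guarantee the answer refers to.
    try:
        create_order(conn, str(uuid.uuid4()), 100)
        fk_enforced = False
    except sqlite3.IntegrityError:
        fk_enforced = True

    return {
        "users": user_count,
        "orders": len(orders_for(conn, sub)),
        "fk_enforced": fk_enforced,
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping when porting this: key on `sub`, not on `preferred_username` or `email`, because those claims can be changed in Keycloak while `sub` cannot; and keep `ensure_user` on the authenticated request path rather than relying on a separate provisioning job, so a user who exists in Keycloak but has never hit this app gets a row before any dependent insert is attempted.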