Mapping of local keyloak user to external userId via identity broker - custom process


the following situation:

We have one application which connects to keycloak via OIDC.
There a user can select between three login variants:

  • local keycloak login (username + password),
  • OIDC login via identity broker
  • SAML login via identity broker

To login via the OIDC login, the user needs to have set the ID from the external system as a custom field so that during the login, the local user in keycloak can be mapped to it.

The question:
How can we implement the OIDC mapping process for a local user started from the application?

The process should be like:

  • login in keycloak locally
  • trigger the OIDC login where the user needs to login in the OIDC system as well
  • the response is the ID, which should be mapped to the locally signed in user
  • write the returning ID to the signed in user

any ideas?

Push - please help …

If I understand correctly you need to have a unique ID so that with the “local” keycloak user you can do Inbound SSO?

If you have an endpoint (on external service) that can provide ID for Keycloak users maybe you can call it in Event listener when Login events happen, or change login flow so that you call external service during the login. This is only to get the ID, not to log in user on external service.


Hm. How could that work?

I did it now by adding this flow in the application itself + separate OIDC client for the external service providing the ID. After that, the app writes the ID to the user in keycloak to be able to map during the next login.

This is not the best solution and I really am interested if there is a keycloak way of doing it.


Well, there could be a couple of ways, like modifying login flow to add your own executor, that will have an external call to get the ID, or you create your own User storage provider that will have an external call on the update user model. Also, you can try with an event listener but that could be expensive to have an external call there but maybe do it in an async way. i.e. custom event listener: Building an Event Listener SPI (Plugin) for KeyCloak - DEV Community

the workflow is like this:
user signs in in keycloak via OIDC client (triggered by app)
user is signed-in
user wants to bind another login method for himself
user starts login-flow from the external system during he is signed in in the app and keycloak (otherwise the mapping can not happen)
the ID will be received from app/ keycloak after a successful login in the external system.

As we are already signed-in in keycloak, is it still possible to use the executor? storage provider?
We must run the OIDC process with the external system to get the ID. We can not access the database e.g…

Do you have any code samples?