I am trying to use Keycloak as centralised authentication system which will have multiple systems as clients in a given realm.
I have imported users from multiple systems (clients) into keycloak i.e users are already created in keycloak but there passwords resides in external database (cant import the passwords as they are hashed passwords and i cant force users to reset the passwords)
Some users will have passwords stored in keycloak (New users) and some users will have there passwords in external database. (I can differentiate the old as well as new users in the system)
I want to implement the authentication flow in such a way that when a user tries to login using username and password then the password will be first mathed with keyckoak database and if it does not match then the password should be checked in the external database.
I am using keycloak for the first time and not sure how i can achieve this (I guess i will need to write some custom SPI) but I am not sure which interface i could use