Own User Federation provider - sync users on each auth request

Dear all,

I have implemented a custom User Federation provider in Keycloak. On every auth request against Keycloak the ‘third party system’ gets invoked to verify the login credentials of that user.
If the user is not present in Keycloak, the user gets created in Keycloak representing the user details at that time, keeping the “Federation link” to the ‘third party system’.

That means that on every subsequent auth request for the user, only the credentials get verified against the ‘third party system’. The user details do not get synchronized again, which currently leads to a problem.

Is there a way to check and synchronize the already imported user on every auth request? For example, to update the details of that user. Because what currently happens is the following:

  1. User deletes his account in the third party system
  2. User creates a new account with the same E-Mail address and password in the third party system but gets a new UUID.
  3. User uses different account details than before (address and so on)
  4. User gets different roles in third party system
  5. Keycloak / my custom provider just verifies whether the E-Mail and password are valid, but does not update the user profile, especially the UUID. This leads to the problem that the Keycloak user account and the third party user account diverge.

So is there a way to update the user account for each login request?
Given the example above, I would like to implement logic to check whether the E-Mail and UUID still match. If not, delete the existing Keycloak user account and perform a new import into Keycloak for this user.

Is there a way to achieve that?
Currently I am implementing the following interfaces within my Keycloak custom user provider:


Thanks in advance.

Set the Cache Policy to NO_CACHE in the User Federation settings for your provider in the Keycloak server. Then, it will always get fresh data from your provider every time someone logs in (or the admin pages are used)
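As an added example (not code from either post), this sketches one way to get the "check E-Mail and UUID, otherwise drop and re-import" behaviour asked for above: Keycloak's `org.keycloak.storage.user.ImportedUserValidation` interface is called for every lookup of a user whose federation link points at the provider, and returning `null` makes Keycloak delete the stale local copy so the next lookup imports the user afresh. It assumes a hypothetical `RemoteClient`/`RemoteUser` pair for the third party system; with the cache policy set to NO_CACHE as suggested in the reply, the validation runs on every login rather than only on a cache miss.

```java
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.user.ImportedUserValidation;

public class SyncingProvider implements UserStorageProvider, ImportedUserValidation {
    private static final String EXTERNAL_UUID = "external_uuid"; // constructed attribute name

    private final KeycloakSession session;
    private final ComponentModel model;
    private final RemoteClient remote; // hypothetical client for the third party system

    public SyncingProvider(KeycloakSession session, ComponentModel model, RemoteClient remote) {
        this.session = session;
        this.model = model;
        this.remote = remote;
    }

    // Keycloak calls this for every lookup of a user imported by this provider.
    // Returning null tells Keycloak to delete the local user; the following lookup
    // then goes back to the provider and imports the (possibly new) upstream account.
    @Override
    public UserModel validate(RealmModel realm, UserModel local) {
        RemoteUser current = remote.findByEmail(local.getEmail()); // hypothetical call
        if (current == null) {
            return null; // account deleted upstream: drop the local copy
        }
        if (!current.getUuid().equals(local.getFirstAttribute(EXTERNAL_UUID))) {
            return null; // same E-Mail but a new upstream identity: re-import instead of keeping
        }
        // Same identity: refresh profile fields that may have changed upstream.
        local.setFirstName(current.getFirstName());
        local.setLastName(current.getLastName());
        return local;
    }

    // First-login import; stores the upstream UUID so validate() can detect a swap later.
    UserModel importUser(RealmModel realm, RemoteUser current) {
        UserModel local = session.users().addUser(realm, current.getEmail());
        local.setEnabled(true);
        local.setEmail(current.getEmail());
        local.setFederationLink(model.getId());
        local.setSingleAttribute(EXTERNAL_UUID, current.getUuid());
        return local;
    }

    @Override
    public void close() {}
}
```

Role changes from the third party system are not covered here; those would be applied in `validate()` as well, once the identity check has passed.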