We do plan a migration from oauth2 server to keycloak (OIDC). User storage SPI works great and allows to easily support users in external storage and migrate them to keycloak. But existing tokens (which were issued previously by current oauth server) are still big issue. We have a lot of client applications which have refresh tokens stored on devices and we have to find a way to inject our custom validation logic while refreshing the tokens. I.e. during password refresh grant type, keycloak should use our custom logic in order to validate external refresh tokens but issue local ones.