Update user logging in via IDP in user federation provider

I’d like to update a user in a custom user federation provider when they log in via Keycloak OIDC IDP.

For attributes like first name, last name etc. it already works with IDP mappers of type “Attribute Importer”. But I need to do something specific to update the user.

I’m currently thinking about extending Keycloak OIDC IDP, overriding its updateBrokeredUser method and calling a method in the custom user federation provider with the help of UserStorageManager.getEnabledStorageProviders.

Isn’t there a simpler way, similar to implementing UserRegistrationProvider for adding and removing users?

Well at least I’d like to contribute what I did now:

  1. Add an interface UserUpdateProvider with one method #updateUser(RealmModel, UserModel) and implement it in the user federation provider

  2. Extend KeycloakOIDCIdentityProvider and override #updateBrokeredUser

  3. Set firstname, lastname, email and attributes, saving me from creating IDP mappers for this

  4. Call #updateUser of all user federation providers that implement UserUpdateProvider:

     final List<UserUpdateProvider> storageProviders = UserStorageManager.getEnabledStorageProviders(session, realm, UserUpdateProvider.class);
     for (final UserUpdateProvider updateProvider : storageProviders) {
         updateProvider.updateUser(realm, user);
  5. Besides doing all the SPI stuff, copy realm-identity-provider-my-oidc.html to /opt/jboss/keycloak/themes/base/admin/resources/partials/ to solve Resource not found….

While this works fine, I am still wondering if there is a simpler way, maybe with a custom IDP mapper? Also what I am not too happy about is using a private SPI and the respective warning in the logs… but since it doesn’t seem to be so uncommon to extend IDPs I think we can live with it.