Using Keycloak with several OIDC providers and several authorization services


I’m sorry if these questions can be answered by existing posts - if so I lack the knowledge to recognize it.

I’m investigating if we can use Keycloak as a central IAM service for our use case. Below I have some assumptions/questions on how Keycloak works:

  • We are integrating with a few external OIDC providers, and would like Keycloak to be a consolidated entry point for these, providing one OIDC service to our internal services. Is this possible?

  • I need to connect to LDAP/AD (or Kerberos?) in order to have multilevel/tree-like authorization schemas - the authorization within Keycloak is restricted to roles and groups, which have only one level.

  • Ideally, our services will have their own authorization schema, share with other services, or a combination of these. I understand that if we create a realm for each service, they can connect to separate (and even several) LDAP services, but only one (the first matching on CN) will be considered and applied. Is there a way around this?

  • One of the services we’re running has its own internal authorization schema that I’d like to “extract”. The solution would be to have some sort of service/adapter to send REST requests to our service, propagating changes done to the authorization schema. If we are using LDAP with sync on, can this be done through Keycloak using a kind of SPI?

Does anyone have any input or corrections here?