tl;dr; Is it possible and not ill-minded to build over the Keycloak server core libraries instead of using it “as-is” and extending with SPIs?
We have an inhouse server running OAuth-related services and acting as main authorisation and authentication point in our infrastructure. It’s working constantly under heavy load (20k+ RPS) and handles some additional custom flows apart from RFC compatible ones. We were happily using Spring Security OAuth, but now that it is reaching its EOL we are researching migration possibilities to tackle our use case.
I’m researching usage of Keycloak not as a whole, standalone product, but as the main building block for creating our server that will suit our specific needs. However, I’ve encountered several problems with being able to use its core modules in an external application. While definitely extendable, I found it very hard to use its modules as dependencies and not as an “as-is” access management solution.
Has anyone tried using Keycloak as a set of external dependencies in an independent service? Can it be a plausible solution and Keycloak fully supports that idea, or is Keycloak specifically not designed for such usage? Are there any open source or production solutions that have successfully managed to build upon Keycloak in that way?
Where can I find some information for using Keycloak in such use case?