Consider the following scenario: you have an SSO service (let's say Keycloak), and X applications that have their own databases, where somewhere in each database you're referencing a user_id. How to handle this? How to satisfy the foreign constraint problem? Should one synchronise Keycloak and the applications? How? What are some best practices? What are some experiences?
I've been using Keycloak for several years, and in my experience there are several scenarios regarding synchronizing user data between Keycloak and your application's database:

1. Your application is the owner of the user data.
Keycloak is only used for authentication/authorization purposes. In this scenario, your application creates/updates a Keycloak user using the admin REST API when needed.

2. Keycloak is the owner of the user data and you don't need more info than the user id in your database.
In this scenario everything regarding users could be managed by Keycloak (registration, user account parameters, even resource sharing using the authorization services). Users would be referenced by user id in the database when needed.
NB: You can easily add custom data to the user in Keycloak using the user attributes, but one interesting possibility is to extend the user model directly using this: https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa

3. Keycloak is the owner of the user data and you need more than just the user id (email, first name, etc.).
If performance is not an issue, you could retrieve user info via the Admin REST API when needed.
If performance is an issue, you'll need a copy of Keycloak's user data in your app's database, and you would want that copy to be updated on every user change. To do that you could implement callbacks in Keycloak (using SPIs: https://www.keycloak.org/docs/latest/server_development/index.html#_events), which will notify your application when a user is created/updated.
NB: You could also use a Change Data Capture tool (like Debezium: https://debezium.io/) to synchronize Keycloak's database with yours.

There are pros and cons to each scenario; you'll have to choose the one that best suits your needs :)
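As an added illustration of scenario 3 on the application side (example code, not part of the answer above and not Keycloak's own API): a local `users` table keyed by the Keycloak user id is upserted from "user created/updated" notifications, and rows that reference a user create a stub first so the foreign key always holds even if the notification has not arrived yet. The event dict shape (`type`, `userId`, `details`) is an assumption for the example; a real event listener would map Keycloak's own Event fields onto it.

```python
"""Keep a local copy of Keycloak users so app tables can hold a real foreign key."""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS users (
    id TEXT PRIMARY KEY,   -- Keycloak user id (the token's 'sub' claim)
    email TEXT,
    first_name TEXT,
    last_name TEXT
);
CREATE TABLE IF NOT EXISTS orders (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id TEXT NOT NULL REFERENCES users(id)
);
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    conn.executescript(SCHEMA)
    return conn

def apply_user_event(conn, event):
    """Upsert the local user copy from a constructed user created/updated event.
    Only fields present in the event overwrite the stored copy."""
    if event["type"] not in ("REGISTER", "UPDATE_PROFILE"):
        return False  # logins etc. carry no profile data worth mirroring
    d = event.get("details", {})
    conn.execute(
        "INSERT INTO users (id, email, first_name, last_name) VALUES (?, ?, ?, ?) "
        "ON CONFLICT(id) DO UPDATE SET "
        "email = COALESCE(excluded.email, email), "
        "first_name = COALESCE(excluded.first_name, first_name), "
        "last_name = COALESCE(excluded.last_name, last_name)",
        (event["userId"], d.get("email"), d.get("first_name"), d.get("last_name")),
    )
    conn.commit()
    return True

def create_order(conn, user_id):
    """Insert a row referencing a user; the stub row makes the FK hold even
    when the sync event for that user has not been processed yet."""
    conn.execute("INSERT OR IGNORE INTO users (id) VALUES (?)", (user_id,))
    cur = conn.execute("INSERT INTO orders (user_id) VALUES (?)", (user_id,))
    conn.commit()
    return cur.lastrowid

def get_user(conn, user_id):
    row = conn.execute("SELECT id, email, first_name, last_name FROM users WHERE id = ?",
                       (user_id,)).fetchone()
    return dict(zip(("id", "email", "first_name", "last_name"), row)) if row else None
```

The upsert requires SQLite 3.24 or newer; a late-arriving REGISTER event simply fills in a stub created by `create_order`.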