[keycloak-user] Integration with legacy systems

[Marcelo Nardelli]

Hello,

We recently started using Keycloak in our organization but we are not sure
which approach would be best to use when there are some user permissions
that rely on information managed by other systems (legacy systems that we
have).

In our specific case, we have the following setup:

- A Keycloak server integrated with LDAP to retrieve users
- A Java backend protected by Bearer Token
- A Javascript frontend developed in EmberJS that accesses the Java backend

One of the requirements we have is the following:

- Users who have a certain managerial position must have a common set of
permissions.

To meet this requirement, we created a group, included the relevant users,
and assigned the appropriate permissions (roles) to the group. This works
fine for us.

However, we have a legacy system that manages the positions that a user
assumes in the organization, so that a user who today holds a management
position may no longer have that position tomorrow in the legacy system.
When he loses the management position, someone needs to be warned and
manually remove the user from the Keycloak group.

Ideally, we would like this process not to be so manual. Which approaches
would be recommended for this situation?

- Make the legacy system somehow access Keycloak to remove users from the
group when needed
- Make our application query the legacy system to verify that the
permissions that are on the token are appropriate for the user's current
position
- Change the keycloak in some way to query the legacy system and determine
based on this information whether the user should receive the permissions

Thanks for the attention

Marcelo Nardelli