[keycloak-user] KeyCloak and identity management for Java EE

Hi, We are assessing several auth/IDM/SSO solutions for our project (an enterprise Java EE application with REST services and WebSocket endpoints). Initially, we leaned towards PicketLink, but recently I've been advised several times to prefer KeyCloak instead. I'm still hesitant because PicketLink offers a concise, well-architectured, JavaEE-integrated IDM API that suits our needs perfectly. Imagine that you need to: 1) identify currently logged-in user and retrieve his common attributes (like name, email, photo etc.); 2) determine the user's roles and groups; 3) enumerate users of any given role/group, or perform more sophisticated user search. With PicketLink, all the above is done quite straightforward, using Identity/IdentityManager/PartitionManager/RelationshipManager classes. Yet, I didn't figure out how to implement the same with KeyCloak. Any help appreciated. Thanks!