Hello Reed,
as you already wrote, you can write a federation provider that queries your
backend service via REST for user data.
Within the federation provider you can then import the user data
returned from the REST call.
This would work as follows - within the method:
org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String)
you call your backend REST service.
As a next step you create a new user with the given username
UserModel keycloakUser = session.userStorage().addUser(realm, username);
Then you copy all the user data from your backend into Keycloak's UserModel.
After that your backend user has a corresponding representation in Keycloak
with a reference to this federation provider (id) via the "userModel.federationLink" property.
The federation link will also be shown in the user page in the keycloak admin console.
As long as the federation link is in place keycloak will ask the federation provider
for the latest user data. Once you decide to cut the link to the federation provider you can
simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the federation
link right after you added the user to Keycloak.
Keycloak has no link information after that anymore and it will only use the user data stored
in the Keycloak database for that particular user.
You also have the option to do that for all your users via:
org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel)
or just use on demand per User when he / she want's to login for the first time.
Cheers,
Thomas