Hello Guus,
However, you need to publish "normal" Keycloak events as well as AdminEvents, which are fired when interacting via the Keycloak Admin REST interfaces, e.g. by using AdminConsole or the Admin-REST client.
When dealing with the AdminEvents, be prepared to do a lot of string pattern matching against the associated REST resource-paths.
As an example, for detecting whether an AdminEvent denotes a client-role assignment to a user, you need to check the resourcePath for the following pattern:
^users/(" + UUID_PATTERN_STRING + ")/role-mappings/clients/(" + UUID_PATTERN_STRING + ")
The first UUID group marks the userId, the second one marks the clientId...
I think the AdminEvents should be enriched with some additional context information to ease the event matching in custom EventHandlers.
Cheers,
Thomas
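
The resource-path check described in the message above, as an added example that is not part of the original e-mail or of Keycloak's code. The value of UUID_PATTERN_STRING, the class and method names, the trailing "$" anchor and the sample paths are assumptions made for illustration; only the pattern shape comes from the message.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ClientRoleMappingMatcher {

    // Assumption: the e-mail names UUID_PATTERN_STRING but does not show its value.
    // This is the canonical 8-4-4-4-12 hexadecimal form.
    static final String UUID_PATTERN_STRING =
        "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}";

    // Pattern from the e-mail. The "$" is added here so that a longer path
    // sharing this prefix is not reported as a client-role mapping.
    static final Pattern CLIENT_ROLE_MAPPING = Pattern.compile(
        "^users/(" + UUID_PATTERN_STRING + ")/role-mappings/clients/("
            + UUID_PATTERN_STRING + ")$");

    // Hypothetical holder for the two captured groups (Java 16+ record).
    record RoleMappingTarget(String userId, String clientId) {}

    // Returns the user and client ids if the resourcePath denotes a
    // client-role mapping on a user, otherwise an empty Optional.
    static Optional<RoleMappingTarget> parse(String resourcePath) {
        if (resourcePath == null) {
            return Optional.empty();
        }
        Matcher m = CLIENT_ROLE_MAPPING.matcher(resourcePath);
        if (!m.matches()) {
            return Optional.empty();
        }
        return Optional.of(new RoleMappingTarget(m.group(1), m.group(2)));
    }

    public static void main(String[] args) {
        String user = "11111111-2222-3333-4444-555555555555";   // constructed
        String client = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"; // constructed
        String[] samples = {                                     // constructed paths
            "users/" + user + "/role-mappings/clients/" + client,
            "users/" + user + "/role-mappings/realm",
            "users/not-a-uuid/role-mappings/clients/" + client,
            "users/" + user + "/role-mappings/clients/" + client + "/x",
        };
        for (String path : samples) {
            String result = parse(path)
                .map(t -> "userId=" + t.userId() + " clientId=" + t.clientId())
                .orElse("no match");
            System.out.println(path + " -> " + result);
        }
    }
}
```

In an event listener, the path alone does not say whether the mapping was added or removed, so the event's operation type has to be checked alongside the match.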