Hi all, I'd like your thoughts on the best way to integrate, in an adequately decoupled way, "alternative" login systems with Keycloak. Background: We are building or have built support for alternative authentication mechanisms, including the LTI standard for education technology single-sign-on, QR code-based login for young students, simple "autologin" buttons for demo accounts, and other alternative login methods for very young students. We see three obvious options for implementing these: 1. Authentication SPI (ie build a custom authenticator flow and package it into Keycloak) 2. Token exchange (ie the upstream system performs its authentication, then does token exchange to obtain a token for the target user, placing it into a Keycloak cookie) 3. IDP, ie the upstream system performs its authentication, then acts as an IDP to Keycloak via SAML or Oauth Currently we've done pathway #2, which is relatively decoupled, requiring a single POST from the authenticator to Keycloak. But we don't love that we have to (as we understand it) place the token into a Keycloak cookie, which feels like we're diving into Keycloak internals. #1 (Authentication SPI) seems reasonable, but couples very tightly to Keycloak, and requires that it be built in Java, which not all of our teams prefer, and couples development and deployment with Keycloak. I'd love to hear about experiences from people who have built Authentication SPIs, though. #3, building a wholly separate authenticator which uses SAML or Oauth to establish Keycloak sessions, is very decoupled, but requires incorporating Oauth or SAML libraries and keeping them all up to date, which is sort of why we've invested in Keycloak to begin with :) Any thoughts? -Aaron