[keycloak-user] Tracking/auditing login events for GDPR compliance with Keycloak APIs?

Max Demian serialoverflow at gmail.com
Wed Aug 29 17:13:15 EDT 2018


Hey everyone,

we have been happily using Keycloak to secure our recently developed
applications.

One of those applications requires users to give an informed consent when
first logging in by marking a checkbox on the Keycloak login page.
To comply with EU general data protection regulation, we need to track and
archive those events.

We are contemplating doing that from within Keycloak as the login event
system and provider APIs seemingly give us everything we need.

But before we commit to that, I would love the opinion of people better
versed in the internal Keycloak APIs, databases and when to use them.

Here is what we need to do:
For every initial login event (i.e. when the user's identity is first linked
via our custom User Storage Federation Provider), we would have to store
the following information:
* The time of the event
* The username
* Ideally: custom information from the Keycloak login page, e.g. the URL
and/or hash of the consent document the user just read and accepted

Here is what we already have:
* a custom Keycloak login theme
* a custom User Storage Federation provider

We are currently using the federation provider to send the event to an
external service but if we can cover this use case with Keycloak internal
APIs and databases, we would happily do so because we are moving towards
Keycloak as our central IDP.

The reason we are using an external service right now is because there we
have full control.
For instance, a likely future functionality is querying the API if the user
in question has already given his consent for a given document.

Thanks for your time!
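The approach the post describes, an event listener built on Keycloak's provider SPI that records login events for the consent archive, as an added example (not code from the poster or from the Keycloak project). The Keycloak types used (EventListenerProviderFactory, EventListenerProvider, Event, EventType.LOGIN, Details.USERNAME, Config.Scope) are real; the package name, the provider id "consent-audit", the SPI config key "logFile", the default file path and the detail key "consent_document_hash" are assumptions. The consent document hash only reaches the event if a custom authenticator behind the login form copies it there; that authenticator is not shown. Records are appended as JSON lines and hash-chained so a deleted or altered entry breaks the chain on verification.

```java
package com.example.keycloak.audit;   // hypothetical package name

import org.keycloak.Config;
import org.keycloak.events.Details;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.*;

// Registered via META-INF/services/org.keycloak.events.EventListenerProviderFactory and
// enabled per realm under Events > Config > Event Listeners as "consent-audit" (hypothetical id).
public class ConsentAuditListenerFactory implements EventListenerProviderFactory {
    private Path logFile;

    @Override public EventListenerProvider create(KeycloakSession session) { return new ConsentAuditListener(logFile); }
    @Override public void init(Config.Scope config) {
        // Hypothetical SPI config key; a JSON-lines file stands in for a real archive (DB table, WORM store).
        logFile = Paths.get(config.get("logFile", "/var/log/keycloak/consent-audit.jsonl"));
    }
    @Override public void postInit(KeycloakSessionFactory factory) {}
    @Override public void close() {}
    @Override public String getId() { return "consent-audit"; }
}

class ConsentAuditListener implements EventListenerProvider {
    // Hypothetical detail key: a custom Authenticator would copy the consent document hash from the
    // login form into the event with context.getEvent().detail(CONSENT_DETAIL, value).
    static final String CONSENT_DETAIL = "consent_document_hash";
    private static final Object LOCK = new Object();   // listeners are invoked from many threads
    private static String lastHash;                    // tail of the hash chain, loaded once from the file
    private final Path logFile;

    ConsentAuditListener(Path logFile) { this.logFile = logFile; }

    @Override
    public void onEvent(Event event) {
        if (event.getType() != EventType.LOGIN) return;   // only successful user logins
        Map<String, String> d = event.getDetails() == null ? Collections.<String, String>emptyMap() : event.getDetails();
        synchronized (LOCK) {
            try {
                if (lastHash == null) lastHash = loadLastHash();
                String body = "\"time\":\"" + Instant.ofEpochMilli(event.getTime()) + "\""
                        + ",\"realm\":\"" + esc(event.getRealmId()) + "\""
                        + ",\"userId\":\"" + esc(event.getUserId()) + "\""
                        + ",\"username\":\"" + esc(d.get(Details.USERNAME)) + "\""
                        + ",\"consentDocument\":\"" + esc(d.get(CONSENT_DETAIL)) + "\""
                        + ",\"prev\":\"" + lastHash + "\"";
                String hash = sha256(body);   // chains each record to its predecessor
                Files.write(logFile, ("{" + body + ",\"hash\":\"" + hash + "\"}\n").getBytes(StandardCharsets.UTF_8),
                        StandardOpenOption.CREATE, StandardOpenOption.APPEND);
                lastHash = hash;
            } catch (IOException e) {
                // Throwing here would block logins (fail closed); swallowing loses the audit trail (fail open).
                // This example logs and continues; choose deliberately for production.
                System.err.println("consent-audit: could not write record: " + e.getMessage());
            }
        }
    }

    @Override public void onEvent(AdminEvent event, boolean includeRepresentation) {}
    @Override public void close() {}

    // Recover the chain tail from the last record so the chain survives a server restart.
    private String loadLastHash() throws IOException {
        if (!Files.exists(logFile)) return "";
        List<String> lines = Files.readAllLines(logFile, StandardCharsets.UTF_8);
        if (lines.isEmpty()) return "";
        String last = lines.get(lines.size() - 1);
        int i = last.lastIndexOf("\"hash\":\"");
        return i < 0 ? "" : last.substring(i + 8, last.length() - 2);
    }

    static String sha256(String s) {
        try {
            byte[] h = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : h) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    static String esc(String s) {   // minimal JSON string escaping
        if (s == null) return "";
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }
}
```

The listener records every LOGIN rather than only the first one, because the post does not say how the federation provider marks an initial link; a check on a user attribute set by that provider would be the natural filter. The username is taken from the event's details map (Keycloak populates Details.USERNAME on LOGIN) so no user lookup is needed, which keeps the listener independent of the user storage API signatures that changed between Keycloak versions.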

