[keycloak-user] Direct grant flow using a CAS token as a credential.

[Rodolfo de Paula]

Greetings,
We started doing a proof of concept with Keycloak only 2 weeks ago. We already have a small SPA in Vue.js with authentication using the direct grant flow.
Since we have a legacy users database, we plugged a custom UserFederationProvider implementation.
This custom provider helped us to support these 2 cenarios:
1) Users authenticating against our legacy database.2) Users authenticating against  our CAS server. Since the user storage provider has access to user/password, our implementation will also try to get a Service Token from our CAS server and in case of success, it will set a a value to a custom user attribute "CAS_TOKEN" so the SPA will have access to it and use when it's needed (links to CAS protected resources).
This works for our POC but we have a third scenario: We want to authenticate an user coming to our resources but with a token (CAS) appended to the url. With the CAS token, we would need to 1) validate the ticket, 2) get user identity in order to authenticate it. But we have been studying that providers/authenticator example from Keycloak source but it doesn't seems to be useful since we are using direct grant flow.   
So can someone please give me a hint on this? Is there any other (better/cleaner) way to do this?
Thanks in advance!