I think I've found that a user storage provider can do the trick, except that the first time a user logs in, he's prompted to enter his name and email address for the linked account Keycloak creates, and he can claim whatever email he wants. Since the email is exactly the data my application uses to identify the user in its own database, this means first-time users can impersonate any other user whose email address they know. I've brought this up in a separate discussion, #13117
I understand OIDC is for authentication, and not authorization (see for instance https://www.pingidentity.com/en/resources/content-library/articles/openid-connect.html: "The main difference between OpenID and OAuth is that OpenID is an authentication protocol while OAuth is an authorization framework."). In other words, use OIDC to associate a request with a particular identity, but not for determining whether that identity has the right to do whatever it is they're asking to do. But in practice, Keycloak lets me define a set of roles for each user, and it sends those roles out in the tokens it creates. I realize this isn't a Java EE forum, but the simple Java EE app I deployed in wildfly and authenticated with Keycloak responds to these roles. So something is doing the authorization step. What's going on?
I'm configuring a Java EE application to use Keycloak for authentication. Users come from any of several large organizations with SAML authenticators, and Keycloak's identity brokering lets them select the correct authenticator and log in. But user roles are managed within the application, not within Keycloak or the SAML authenticators. I want to keep it that way; the people that know what the permissions should be in this one application aren't the same people that manage the authenticators. Somewhere in the login process, either in Keycloak or in my application, I need to fetch the correct set of roles from the application, which I can do with a database query or a REST API lookup, whichever is easier, and replace whatever roles Keycloak thinks the user has, with those.
I haven't found a way to do this in my application. Apparently java.security is known for its lack of security event handling, so there's no obvious place to plug in some code on that front. I haven't been able to do it in the Keycloak java adapter for wildfly elytron: this seems like a good place for the code, but I can't make it work; eventually I gave up after the aggregate security realm I was experimenting with broke everything. Wildfly's new built-in OIDC client has really no place at all to plug in customizations, that I can see, so it won't do. I've thought of making a new authentication flow in Keycloak that copies the default Browser flow, but contains a step at the end to look up user roles from the application. I've put quite a lot of effort into trying this, without getting far enough to verify that it might work. I've wondered if a custom user storage provider would do the trick, but wouldn't mind feedback from someone that knows, before putting in the effort to try. I welcome any hints.
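An added example, not from this thread and not Keycloak's own code, of the last-step authenticator the question describes: it replaces the user's realm role mappings with the set the application assigns. It assumes Keycloak 13 or later (stream-based model APIs and a realm default role); `AppRoleLookup.rolesFor` is a hypothetical call into the application's own role store, and the lookup is keyed on the brokered identity rather than the self-reported email that the reply in this thread shows can be claimed by anyone.

```java
import java.util.Set;
import java.util.stream.Collectors;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;

/** Final step of a copied browser flow: make Keycloak's realm role mappings
 *  for the user equal to the roles the application itself assigns. */
public class AppRoleSyncAuthenticator implements Authenticator {

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        RealmModel realm = context.getRealm();
        KeycloakSession session = context.getSession();

        // Key the lookup on "<idp alias>:<subject asserted by the SAML IdP>", not on the
        // email typed into the first-login form, which any first-time user can choose.
        String key = session.users().getFederatedIdentitiesStream(realm, user)
                .map(fi -> fi.getIdentityProvider() + ":" + fi.getUserId())
                .findFirst().orElse(null);
        if (key == null) {               // no brokered identity: refuse rather than guess
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
            return;
        }

        // Hypothetical: JDBC or REST query into the application's role table.
        Set<String> appRoles = AppRoleLookup.rolesFor(key);

        // Drop every realm role Keycloak holds for the user except the realm's
        // default composite role; collect first to avoid modifying while iterating.
        RoleModel keep = realm.getDefaultRole();
        user.getRealmRoleMappingsStream()
            .filter(r -> !r.equals(keep))
            .collect(Collectors.toSet())
            .forEach(user::deleteRoleMapping);
        // Then grant exactly the application's set, creating missing realm roles.
        for (String name : appRoles) {
            RoleModel role = realm.getRole(name);
            if (role == null) role = realm.addRole(name);
            user.grantRole(role);
        }
        context.success();
    }

    @Override public void action(AuthenticationFlowContext context) { context.success(); }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Registering it needs a matching `AuthenticatorFactory` and a `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` entry in the provider jar, after which the step can be added as Required at the end of the copied browser flow.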