You Don't Need a Sidecar: Custom REST APIs Inside Keycloak with the RealmResourceProvider SPI
Most teams that need an identity operation Keycloak doesn’t ship — “resolve this user’s effective entitlements in one call”, “let a user accept updated terms”, “expose a tenant-scoped lookup” — build a separate microservice. That service then has to validate Keycloak’s tokens, hold a service-account credential to call the Admin REST API, reconstruct realm and group logic over HTTP, and get deployed, scaled, and monitored as its own thing. It’s a lot of moving parts to add one endpoint. ...