I am using Keycloak 26 in a multi-tenant environment, where each client of my SaaS has its own realm.

I need to create a custom Identity Provider (IdP) that allows users to choose between:

1. Internal authentication with Keycloak (users stored in Keycloak's database).
2. Authentication via the client’s REST API, where each client has its own authentication service.

Example of client APIs:

• Company1 client:

  POST /v1/login  
  Header: Authorization: Bearer ...  
  Body: { "username": "user@company1.com", "password": "12346" }
  

• Company2 client:

  POST /authenticate  
  Body: { "usuario": "user@company2.com", "password": "12346", "token": "54321" }
  

Keycloak should communicate with this external REST API to authenticate the user. If authentication is successful, a federated user should be automatically created in Keycloak (if they do not already exist).

My question:

Is it possible to create a custom Identity Provider (IdP SPI) to integrate Keycloak with these external authentication services via REST API? If so, what would be the correct approach to implement this?

If anyone has done something similar or has a working example, any help would be greatly appreciated!

Thanks! 🚀