I'm using Keycloak as an auth server behind an Nginx reverse proxy. Leveraging the multi-tenancy and multi-roles suites my needs but I'd like to extend the authentication flow with some custom user-properties that would be ideally stored in an alternative schema/database.

These could be exemplified by:

• A global subscription with an expiration date associated with one or more tenants/realms.
• A license with expiration date associated with each user inside the same tenant/realm.
• ...

From what I've understood I could exploit a custom Authenticator SPI that checks these fields based on the user_id and add it to a custom Authentication Flow defined for each separate client inside my pool. Is this the correct use case or is there a better general approach to apply?