Long story short, my goal is to have all user permissions managed in one place and then deployed everywhere. My thoughts are that Active Directory/FreeIPA is perfect for this sort of thing. It also comes in handy because some users will need to log in to Linux servers. Also I need to link the account with a GSuite account (this is easy enough with the Google Cloud Directory Connector). The catch is that users need to log in through an OAuth2 SSO service. When a user logs in for the first time it should provision an account in FreeIPA; then each app service can use LDAP for user management to get groups, etc. Since OAuth is out of the scope of IPA, I looked at options for this. I have tried to implement Keycloak to do this, using the SSO service as an identity provider. The problem is that, to my knowledge, Keycloak does not support regular OAuth2 and only the OpenID standard, causing issues.
I can always create a simple app to do this, but I wanted to know if there is a standard way to do this before I develop a custom solution. I would have thought others have faced a similar issue.
P.S. As an added bonus, it would be great if I could implement 2FA on some accounts after the SSO sign-in.
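The first-login provisioning step described in the post (SSO callback succeeds, account gets created in FreeIPA, apps then read groups over LDAP) is the part a custom app would have to implement, so here is an added example of that hook. It is not code from the original post or from any of the products it names. It assumes, beyond what the post says, that the SSO callback has already yielded a verified userinfo dict with `email`, `given_name` and `family_name`; that FreeIPA's JSON-RPC API is reachable at `<base_url>/ipa/session/json` with a session obtained from `/ipa/session/login_password` using a service account that holds the User Administrator role; that `IPA_API_VERSION` is set to what `ipa ping` reports on that server; and that the 2FA wish is met by flagging selected new accounts with `ipauserauthtype=otp` (the `FakeIPAClient`, the sample claims and the error-code constants are assumptions made here for an offline run):

```python
"""Hypothetical first-login hook: OAuth2/OIDC SSO -> FreeIPA account (stdlib only).

Added example, not the original post's code. Assumptions are marked inline.
"""
import http.cookiejar
import json
import re
import urllib.parse
import urllib.request

IPA_API_VERSION = "2.251"   # assumption: match `ipa ping` on your server
IPA_ERR_NOT_FOUND = 4001    # FreeIPA NotFound error code
IPA_ERR_DUPLICATE = 4002    # FreeIPA DuplicateEntry error code


class IPAError(Exception):
    def __init__(self, err):
        super().__init__(err.get("message", "FreeIPA error"))
        self.code = err.get("code")


def uid_from_userinfo(userinfo):
    """Derive an LDAP-safe uid from the e-mail local part.

    Anything that is not a plain POSIX-style user name is refused, so an
    attacker-controlled e-mail claim cannot smuggle odd characters into IPA.
    """
    local = userinfo["email"].split("@", 1)[0].lower()
    if not re.fullmatch(r"[a-z][a-z0-9._-]{0,31}", local):
        raise ValueError(f"cannot derive a valid uid from {userinfo['email']!r}")
    return local


def ipa_envelope(method, args, options):
    """JSON-RPC body in the shape FreeIPA expects: [positional args, {options}]."""
    return {"method": method,
            "params": [list(args), dict(options, version=IPA_API_VERSION)],
            "id": 0}


class FreeIPAClient:
    """Minimal session-cookie client for the FreeIPA JSON-RPC API."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self._opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def login(self, user, password):
        # Form login; the Referer header is mandatory for the IPA web API.
        data = urllib.parse.urlencode({"user": user, "password": password}).encode()
        req = urllib.request.Request(
            f"{self.base_url}/ipa/session/login_password", data=data,
            headers={"Referer": f"{self.base_url}/ipa", "Accept": "text/plain",
                     "Content-Type": "application/x-www-form-urlencoded"})
        self._opener.open(req).close()   # non-2xx raises urllib.error.HTTPError

    def call(self, method, args=(), **options):
        req = urllib.request.Request(
            f"{self.base_url}/ipa/session/json",
            data=json.dumps(ipa_envelope(method, args, options)).encode(),
            headers={"Referer": f"{self.base_url}/ipa", "Accept": "application/json",
                     "Content-Type": "application/json"})
        with self._opener.open(req) as resp:
            body = json.load(resp)
        if body.get("error"):
            raise IPAError(body["error"])
        return body["result"]


class FakeIPAClient:
    """In-memory stand-in (assumption) so the flow can be exercised offline."""

    def __init__(self):
        self.users, self.calls = {}, []

    def call(self, method, args=(), **options):
        self.calls.append((method, list(args), options))
        uid = args[0]
        if method == "user_show":
            if uid not in self.users:
                raise IPAError({"code": IPA_ERR_NOT_FOUND, "message": f"{uid}: not found"})
            return {"result": self.users[uid]}
        if method == "user_add":
            if uid in self.users:
                raise IPAError({"code": IPA_ERR_DUPLICATE, "message": f"{uid}: exists"})
            self.users[uid] = dict(options, uid=[uid])
            return {"result": self.users[uid]}
        raise NotImplementedError(method)


def provision_sso_user(userinfo, client, otp_required=False):
    """Create the IPA account on first SSO login; idempotent on later logins.

    Returns ("created", uid) or ("exists", uid). With otp_required the new
    account is restricted to OTP authentication inside IPA (assumption:
    option name ipauserauthtype), which covers IPA-side logins such as SSH.
    """
    uid = uid_from_userinfo(userinfo)
    try:
        client.call("user_show", [uid])
        return "exists", uid
    except IPAError as e:
        if e.code != IPA_ERR_NOT_FOUND:
            raise
    options = {"givenname": userinfo["given_name"], "sn": userinfo["family_name"],
               "mail": userinfo["email"]}
    if otp_required:
        options["ipauserauthtype"] = ["otp"]
    client.call("user_add", [uid], **options)
    return "created", uid


if __name__ == "__main__":
    fake = FakeIPAClient()
    claims = {"sub": "1234", "email": "Alice.Smith@example.com",   # constructed sample
              "given_name": "Alice", "family_name": "Smith"}
    print(provision_sso_user(claims, fake, otp_required=True))  # ('created', 'alice.smith')
    print(provision_sso_user(claims, fake))                     # ('exists', 'alice.smith')
```

Two caveats worth keeping in mind with this shape: the `user_show`-then-`user_add` pair is not atomic, so a concurrent first login must treat the DuplicateEntry error (4002) as "exists" rather than as a failure; and an OTP flag set in IPA only enforces 2FA on logins that IPA itself authenticates (SSH, Kerberos, LDAP binds), not on the SSO front door, which has to enforce its own second factor.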