I have a few questions regarding the OAuth flow in a hypothetical context. Let’s imagine the following situation: we have a JavaScript client (React JS), a Keycloak server, and a REST API (Spring Boot). We use Keycloak to identify the user via a JWT. Once authenticated, we want to offer the user the ability to link their Google Calendar to their account. It is therefore necessary to associate the user ID (present in the Keycloak JWT subject) with the Google access tokens.

I’ve had trouble finding the optimal method to achieve this association, other than using the “state” parameter of the Google API. Below is a sequence diagram representing the flow I’ve envisioned.

Could you confirm if this flow follows best practices? Is it secure and common? Are there other ways to achieve this association?

Thank you in advance for your help and advice.