Might be discussed. I think option B is the correct, modern, and production-ready best practice. Your identity provider (Keycloak) should be the single source of truth (SSoT) for user identity. Option A (syncing) is an anti-pattern. It violates the single source of truth principle. It creates a fragile, tightly coupled system where your application database is just a stale, partial copy of Keycloak's data.