Retrieve external IDP tokens in Keycloak

External identity providers: how it works

https://www.keycloak.org/docs/latest/server_admin/#_identity_broker

Keycloak can integrate many external identity providers: SAML and OpenID Connect providers work out of the box, and other protocols such as CAS can be integrated by extending Keycloak with your own implementation.

For your external identity provider, Keycloak is just a standard client like any other application. Keycloak uses the OAuth 2.0 “authorization code grant” to retrieve a token from your external provider.

Then, from that token, Keycloak runs the “first broker login” flow.

After the flow, Keycloak sends back to your application a new token whose attributes depend on your scopes and mappers.

Often, we add a mapper in the identity provider configuration that records the source provider in a user attribute.

“Store token” option

What is this option for?

Keycloak can keep the token issued by the identity provider if your application needs it for a special purpose, e.g. calling an API protected by that identity provider.

Retrieve the original token

Needed roles

First of all, your user must have the role “read-token” of the client “broker”. Decoded, the Keycloak access token then carries it under resource_access:

{
    "exp": 1666220308,
    "iat": 1666220008,
    "auth_time": 1666219956,
    "jti": "ddd1a13b-d2e6-4a75-be5b-a2c47308b172",
    "iss": "https://app.please-open.it/auth/realms/6489d360-bc5d-4ac5-8085-c80a8d5de4e8",
    "aud": [
        "broker",
        "account"
    ],
    "sub": "c0ae973c-10f5-4608-99c9-ffda55fb722c",
    "typ": "Bearer",
    "azp": "playground",
    "nonce": "77f07dc7-dc3f-4174-84d2-ecee49098ec4",
    "session_state": "a48691f9-00d8-47df-b8fd-4a32c31b19f2",
    "allowed-origins": [
        "https://playground.please-open.it"
    ],
    "resource_access": {
        "broker": {
            "roles": [
                "read-token"
            ]
        }
    },
    "scope": "openid profile email",
    "sid": "a48691f9-00d8-47df-b8fd-4a32c31b19f2",
    "email_verified": true,
    "preferred_username": "mathieu.passenaud@please-open.it",
    "email": "mathieu.passenaud@please-open.it"
}

API call

Just call:

/realms/{realm}/broker/{provider_alias}/token

With your access_token sent as a Bearer token in the Authorization header, you get back everything Keycloak stored about the external authentication:

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ2OVlPWDQ5eTdNU3RwQTI5N3RxZE8wOVB4LWtTQkZGak9VeGRVdEpzQVZBIn0.eyJleHAiOjE2NjYyMjA1MTYsImlhdCI6MTY2NjIyMDIxNiwiYXV0aF90aW1lIjoxNjY2MjIwMjA4LCJqdGkiOiJmYWU3MDJlYS1lZDY0LTQwMWYtYjAwYi1lNjcxMzUyNjY0ZjMiLCJpc3MiOiJodHRwczovL2FwcC5wbGVhc2Utb3Blbi5pdC9hdXRoL3JlYWxtcy9wbGVhc2Utb3Blbi1pdC1jb25zb2xlIiwic3ViIjoiZGJmYTRmMmEtYmY2YS00N2E1LTkwOGYtOWQ0N2FiZjY0NDlmIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiNjQ4OWQzNjAtYmM1ZC00YWM1LTgwODUtYzgwYThkNWRlNGU4Iiwibm9uY2UiOiJ2OEYzVm1hcmxXUjNNbE5MTm56X2RRIiwic2Vzc2lvbl9zdGF0ZSI6ImVmYTQ4YjZlLTk2YTAtNDU5OC1iOTc2LTIyNzE4N2QyNzY2OCIsInNjb3BlIjoib3BlbmlkIiwic2lkIjoiZWZhNDhiNmUtOTZhMC00NTk4LWI5NzYtMjI3MTg3ZDI3NjY4In0.e7qbZ-HUyre_9jLLuCmUq9KAp9azQgTAgiChQaP3k0h8VUML14TJCDpBYylqOHWNvdWRRnVqMksM5NuRGS3i_KC7Dj9OA1uqULalZKptZr63Z5pBg-P5J-SNagSA2J9VtB1Spa43f9GO1U46HLQ0AfNCqXXMbHEsixETiDEpLRETi6vP3WBlxkD_U8Ue22HvJH2Xgrnc_C2kIbmgl0mYRB1ZZ5vGK569h2ZwCedTulYZSBuabR4Iv0dnoa3knI7ej_3iqfrwm3_az1yGcKpgEd1BGU32YJEZjEhrFcFrlLqpfwjrpzng2Kv9tGcDDLk5-Jks8PjrVEwFdYNoVMiQsw",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyOGViZjMzMC03MmI0LTQyNzktYWVlOS01ZGQxMTZhODcxZWMifQ.eyJleHAiOjE2NjYyMjIwMTYsImlhdCI6MTY2NjIyMDIxNiwianRpIjoiMDI2Y2M0NzQtMmU1Ny00OWU4LWFiZDUtN2Y5NDA0YWVmZmFlIiwiaXNzIjoiaHR0cHM6Ly9hcHAucGxlYXNlLW9wZW4uaXQvYXV0aC9yZWFsbXMvcGxlYXNlLW9wZW4taXQtY29uc29sZSIsImF1ZCI6Imh0dHBzOi8vYXBwLnBsZWFzZS1vcGVuLml0L2F1dGgvcmVhbG1zL3BsZWFzZS1vcGVuLWl0LWNvbnNvbGUiLCJzdWIiOiJkYmZhNGYyYS1iZjZhLTQ3YTUtOTA4Zi05ZDQ3YWJmNjQ0OWYiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiNjQ4OWQzNjAtYmM1ZC00YWM1LTgwODUtYzgwYThkNWRlNGU4Iiwibm9uY2UiOiJ2OEYzVm1hcmxXUjNNbE5MTm56X2RRIiwic2Vzc2lvbl9zdGF0ZSI6ImVmYTQ4YjZlLTk2YTAtNDU5OC1iOTc2LTIyNzE4N2QyNzY2OCIsInNjb3BlIjoib3BlbmlkIiwic2lkIjoiZWZhNDhiNmUtOTZhMC00NTk4LWI5NzYtMjI3MTg3ZDI3NjY4In0.8brbi5w_b5EhrCLyzU3swIvOCwnAvHOmpwqoVsuTuuE",
    "token_type": "Bearer",
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ2OVlPWDQ5eTdNU3RwQTI5N3RxZE8wOVB4LWtTQkZGak9VeGRVdEpzQVZBIn0.….rGhcIIBpkrHtVN1Qpkd2vVM1Q5yEuxpaZoHBBUR18kgRiH2ExpLPumwc1sSLDr_Xq9oSGbN9rgVN-vBkv6cCyrURFe0VtZblEkv_DQBeZ97gVatY4ByE2NeEEGLKZ4ZdWvraPNFxKk7Uw313dPm_wdkJ7SgzeZaSlXsLWMW7xZ9nJdrZRPuKpmNWSZZ57HblVsJPNJ2Wx3VwAZzmXBySHeAF_VAW3mqHn2gRQPSRpdWXCNRvGNSYF_V8e5xpmLO_6ez_iSnUWJCAGsDRBESilXk8a1cO1I5TITbkbIwou_kT1oAL2b6VqGklVjVkY-rCr5ks9YyRWf2nnvV8GWh7mQ",
    "not-before-policy": 1576406955,
    "session_state": "efa48b6e-96a0-4598-b976-227187d27668",
    "scope": "openid",
    "accessTokenExpiration": 1666220516
}
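As an added example (not code from the original post or from Keycloak), a small Python client for the endpoint above: it inspects the caller's decoded Keycloak access token for the broker/read-token role and the broker audience shown in the decoded token earlier, builds the broker token URL, performs the GET with the Bearer header, and reads accessTokenExpiration from the response to tell whether the stored external token is still usable or must be refreshed. Base URL, realm and provider alias are caller-supplied placeholders, and the sample claims are constructed.

```python
import base64
import json
import urllib.request

# Keycloak releases the stored external token only to a user whose access token
# carries the "read-token" role of the "broker" client (page: resource_access).
BROKER_CLIENT = "broker"
READ_TOKEN_ROLE = "read-token"

def decode_jwt_payload(token: str) -> dict:
    """Read JWT claims without verifying the signature (local inspection only)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def can_read_broker_token(claims: dict) -> bool:
    """Role check as on the page, plus the broker audience the sample token shows."""
    roles = claims.get("resource_access", {}).get(BROKER_CLIENT, {}).get("roles", [])
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    return READ_TOKEN_ROLE in roles and BROKER_CLIENT in aud

def broker_token_url(base_url: str, realm: str, provider_alias: str) -> str:
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{provider_alias}/token"

def external_token_state(broker_response: dict, now: float) -> dict:
    """Is the stored external access token still usable, or must it be refreshed?"""
    exp = broker_response.get("accessTokenExpiration")
    return {
        "expired": exp is not None and now >= exp,
        "seconds_left": 0 if exp is None else max(0, int(exp - now)),
        "refreshable": bool(broker_response.get("refresh_token")),
    }

def fetch_external_token(base_url, realm, provider_alias, keycloak_access_token):
    """GET the broker endpoint with the Keycloak token as Bearer (network call)."""
    if not can_read_broker_token(decode_jwt_payload(keycloak_access_token)):
        raise PermissionError("missing broker/read-token role or broker audience")
    req = urllib.request.Request(
        broker_token_url(base_url, realm, provider_alias),
        headers={"Authorization": f"Bearer {keycloak_access_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

# Constructed, unsigned sample token mirroring the decoded token on the page.
SAMPLE_CLAIMS = {"aud": ["broker", "account"], "azp": "playground",
                 "resource_access": {"broker": {"roles": ["read-token"]}}}
SAMPLE_TOKEN = "e30." + base64.urlsafe_b64encode(
    json.dumps(SAMPLE_CLAIMS).encode()).decode().rstrip("=") + ".sig"
```

Checking the claims locally is only a courtesy to the caller; Keycloak enforces the role server-side, so a token without it is refused regardless.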

Official documentation

https://www.keycloak.org/docs/latest/server_admin/#retrieving-external-idp-tokens