Retrieve external IDP tokens in Keycloak
https://www.keycloak.org/docs/latest/server_admin/#_identity_broker
Keycloak can integrate many external identity providers: SAML and OpenID Connect providers work right out of the box, and you can also integrate other protocols such as CAS by extending Keycloak with your own implementation.
For your external identity provider, Keycloak is just a standard client like any other application. Keycloak uses the “authorization code grant” to retrieve a token from your external provider.
Then, from that token, Keycloak applies the “first broker login” flow.
After the flow, Keycloak sends your application a new token whose claims depend on your scopes and mappers.
Often, we add a mapper in the identity provider configuration that stores the identity source in a user attribute.
What are the options?
Keycloak can keep the token issued by the identity provider if your application needs it for special usages, e.g. calling an API protected by this identity provider.
First of all, your user must have the role “read-token” from the client “broker”, as in this decoded Keycloak access token:
{
  "exp": 1666220308,
  "iat": 1666220008,
  "auth_time": 1666219956,
  "jti": "ddd1a13b-d2e6-4a75-be5b-a2c47308b172",
  "iss": "https://app.please-open.it/auth/realms/6489d360-bc5d-4ac5-8085-c80a8d5de4e8",
  "aud": [
    "broker",
    "account"
  ],
  "sub": "c0ae973c-10f5-4608-99c9-ffda55fb722c",
  "typ": "Bearer",
  "azp": "playground",
  "nonce": "77f07dc7-dc3f-4174-84d2-ecee49098ec4",
  "session_state": "a48691f9-00d8-47df-b8fd-4a32c31b19f2",
  "allowed-origins": [
    "https://playground.please-open.it"
  ],
  "resource_access": {
    "broker": {
      "roles": [
        "read-token"
      ]
    }
  },
  "scope": "openid profile email",
  "sid": "a48691f9-00d8-47df-b8fd-4a32c31b19f2",
  "email_verified": true,
  "preferred_username": "mathieu.passenaud@please-open.it",
  "email": "mathieu.passenaud@please-open.it"
}
Then just call:
/realms/{realm}/broker/{provider_alias}/token
with your Keycloak access_token as a Bearer token in the Authorization header, and you will get all the information about the external authentication (the stored tokens and their expiry):
{
  "access_token": "<external access token (JWT), elided>",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "<external refresh token (JWT), elided>",
  "token_type": "Bearer",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ2OVlPWDQ5eTdNU3RwQTI5N3RxZE8wOVB4LWtTQkZGak9VeGRVdEpzQVZBIn0.eyJleHAiOjE2NjYyMjA1MTYsImlhdCI6MTY2NjIyMDIxNiwiYXV0aF90aW1lIjoxNjY2MjIwMjA4LCJqdGkiOiI1ZTE5MDZkMS1kMDE1LTQ2MzQtOWRhYi03ZjJkMzEyYjBiMTUiLCJpc3MiOiJodHRwczovL2FwcC5wbGVhc2Utb3Blbi5pdC9hdXRoL3JlYWxtcy9wbGVhc2Utb3Blbi1pdC1jb25zb2xlIiwiYXVkIjoiNjQ4OWQzNjAtYmM1ZC00YWM1LTgwODUtYzgwYThkNWRlNGU4Iiwic3ViIjoiZGJmYTRmMmEtYmY2YS00N2E1LTkwOGYtOWQ0N2FiZjY0NDlmIiwidHlwIjoiSUQiLCJhenAiOiI2NDg5ZDM2MC1iYzVkLTRhYzUtODA4NS1jODBhOGQ1ZGU0ZTgiLCJub25jZSI6InY4RjNWbWFybFdSM01sTkxObnpfZFEiLCJzZXNzaW9uX3N0YXRlIjoiZWZhNDhiNmUtOTZhMC00NTk4LWI5NzYtMjI3MTg3ZDI3NjY4IiwiYXRfaGFzaCI6IjlYQllUOElkMjR1clk2S2dJanVKU1EiLCJzaWQiOiJlZmE0OGI2ZS05NmEwLTQ1OTgtYjk3Ni0yMjcxODdkMjc2NjgifQ.rGhcIIBpkrHtVN1Qpkd2vVM1Q5yEuxpaZoHBBUR18kgRiH2ExpLPumwc1sSLDr_Xq9oSGbN9rgVN-vBkv6cCyrURFe0VtZblEkv_DQBeZ97gVatY4ByE2NeEEGLKZ4ZdWvraPNFxKk7Uw313dPm_wdkJ7SgzeZaSlXsLWMW7xZ9nJdrZRPuKpmNWSZZ57HblVsJPNJ2Wx3VwAZzmXBySHeAF_VAW3mqHn2gRQPSRpdWXCNRvGNSYF_V8e5xpmLO_6ez_iSnUWJCAGsDRBESilXk8a1cO1I5TITbkbIwou_kT1oAL2b6VqGklVjVkY-rCr5ks9YyRWf2nnvV8GWh7mQ",
  "not-before-policy": 1576406955,
  "session_state": "efa48b6e-96a0-4598-b976-227187d27668",
  "scope": "openid",
  "accessTokenExpiration": 1666220516
}
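As an added example (not part of the original post nor of Keycloak itself), a small Python helper for the steps above: it pre-checks that the Keycloak access token carries the “read-token” role of the “broker” client, builds the request to the broker token endpoint, and checks accessTokenExpiration from the response before the external token is used. The base URL, realm and provider alias are assumptions, and make_unsigned_jwt only constructs sample tokens so the helpers can be exercised offline.

```python
import base64
import json
import time
import urllib.request
from urllib.parse import quote

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    # Payload only, no signature check: Keycloak verifies the token server-side;
    # this is a client-side pre-check so we do not call the endpoint just to get a 403.
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def can_read_broker_token(access_token: str) -> bool:
    # The broker endpoint requires the client role "read-token" of the "broker" client.
    broker = jwt_claims(access_token).get("resource_access", {}).get("broker", {})
    return "read-token" in broker.get("roles", [])

def broker_token_url(base_url: str, realm: str, provider_alias: str) -> str:
    # GET /realms/{realm}/broker/{provider_alias}/token, relative to the Keycloak base URL
    # (".../auth" on older deployments, as in the issuer of the sample token above).
    return (f"{base_url.rstrip('/')}/realms/{quote(realm, safe='')}"
            f"/broker/{quote(provider_alias, safe='')}/token")

def broker_token_request(base_url, realm, provider_alias, access_token):
    # The Keycloak access token (not the external one) goes in the Authorization header.
    req = urllib.request.Request(broker_token_url(base_url, realm, provider_alias))
    req.add_header("Authorization", f"Bearer {access_token}")
    return req  # send with urllib.request.urlopen(req) and json.loads() the body

def external_token_usable(response: dict, now=None) -> bool:
    # accessTokenExpiration is an absolute epoch time; check it before calling the
    # external API rather than discovering the expiry through a failed call.
    now = time.time() if now is None else now
    return "access_token" in response and now < response.get("accessTokenExpiration", 0)

def make_unsigned_jwt(claims: dict) -> str:
    # Constructed, unsigned ("alg": "none") token used only to exercise the parsing offline.
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = json.dumps({"alg": "none", "typ": "JWT"}).encode()
    return f"{enc(header)}.{enc(json.dumps(claims).encode())}."
```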
https://www.keycloak.org/docs/latest/server_admin/#retrieving-external-idp-tokens