Hi everyone,
I have recently been trying out Keycloak. I want to integrate an external identity provider that has implemented OAuth2, make a brokered client_credentials grant request and receive the token from my IdP.
So I added the IdP and enabled its service account. I just followed the documentation about external IdPs and was able to retrieve a Keycloak token (doc: https://www.keycloak.org/docs/latest/server_development/#retrieving-external-idp-tokens) and want to exchange it as described in the doc. At this point I am stuck.
When I send the Keycloak token of my client to /auth/realms/REALM/broker/PROVIDER_ALIAS/token, I receive the message "User [db9f8708-3ed9-4649-a909-fde4c9e3a5b6] is not associated with identity provider [oauth]" (oauth is my provider alias). This should be some configuration issue in Keycloak, as the token endpoint of my external authorization server is not even called. I have searched the log events of my Keycloak server and have worked out that the user ID from the error message belongs to my registered client. For any other user, one can link their user account with an IdP user account.
Is this linking possible for the client, too? Has anyone experienced the same error message or use case before?
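The two-call flow the post describes (a client_credentials grant at the realm token endpoint, then presenting that token at the broker endpoint with a Bearer header, as in the linked "retrieving external IdP tokens" doc), written out as an added example that is not part of the original post or the Keycloak project. The HTTP layer is injected so the flow runs offline against a constructed fake Keycloak; the base URL, realm, client id/secret, the "errorMessage" JSON wrapper around the error text and the placeholder user id are all assumptions made for this example. The error handler decodes the caller's own token (without signature verification, for diagnostics only) so you can see directly whether the user id in the error message is the caller's own service-account user, which is what the post worked out from the server log.

```python
# Added example (not from the original post or the Keycloak project): the
# brokered external-IdP token flow with an injected HTTP layer, run offline
# against a constructed fake server. URLs, credentials and the error JSON
# wrapper are assumptions for illustration.
import base64
import json
from urllib.parse import urlencode


class BrokerError(Exception):
    def __init__(self, status, body, subject):
        super().__init__(f"HTTP {status}: {body}")
        self.status, self.body, self.subject = status, body, subject


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Read a JWT payload WITHOUT verifying the signature. Diagnostic use only
    (to see which user a token represents); never use this to trust a token."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def client_credentials_token(base_url, realm, client_id, client_secret, http_post):
    """Step 1: client_credentials grant at the realm token endpoint.
    http_post(url, headers, body) -> (status, text) is supplied by the caller."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})
    status, text = http_post(url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise BrokerError(status, text, None)
    return json.loads(text)["access_token"]


def external_idp_token(base_url, realm, provider_alias, access_token, http_get):
    """Step 2: GET /realms/{realm}/broker/{alias}/token with a Bearer header.
    On failure the error carries the token's own subject so the caller can
    tell whether the user id in the message is its own service-account user."""
    url = f"{base_url}/realms/{realm}/broker/{provider_alias}/token"
    status, text = http_get(url, {"Authorization": f"Bearer {access_token}"})
    if status != 200:
        raise BrokerError(status, text, jwt_claims(access_token).get("sub"))
    return text  # the stored external token, returned as-is by Keycloak


def error_names_caller(err):
    """True when the broker error message cites the caller's own subject,
    i.e. the user that made the request has no link to the IdP."""
    return err.subject is not None and err.subject in err.body


# --- constructed fake Keycloak, for offline demonstration only ---
FAKE_SUB = "00000000-0000-4000-8000-000000000001"   # constructed user id
FAKE_ALIAS = "oauth"                                 # alias from the post


def _fake_jwt(claims):
    # Unsigned header.payload. token; enough for jwt_claims() to read.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def fake_post(url, headers, body):
    # Realm token endpoint: accept the grant and mint a token whose subject is
    # the client's service-account user.
    assert url.endswith("/protocol/openid-connect/token")
    token = _fake_jwt({"sub": FAKE_SUB, "preferred_username": "service-account-myclient"})
    return 200, json.dumps({"access_token": token, "token_type": "Bearer"})


def fake_get(url, headers):
    # Broker endpoint: the calling user has no federated identity for the alias,
    # so answer with the message text quoted in the post (JSON wrapper assumed).
    assert url.endswith(f"/broker/{FAKE_ALIAS}/token")
    sub = jwt_claims(headers["Authorization"].split(" ", 1)[1])["sub"]
    msg = f"User [{sub}] is not associated with identity provider [{FAKE_ALIAS}]"
    return 400, json.dumps({"errorMessage": msg})


def run_flow(base_url="https://sso.example.test/auth", realm="REALM",
             client_id="myclient", client_secret="s3cret",
             http_post=fake_post, http_get=fake_get):
    """Run both steps; return ("token", text) or ("error", BrokerError)."""
    kc_token = client_credentials_token(base_url, realm, client_id, client_secret, http_post)
    try:
        return "token", external_idp_token(base_url, realm, FAKE_ALIAS, kc_token, http_get)
    except BrokerError as e:
        return "error", e


if __name__ == "__main__":
    kind, result = run_flow()
    note = " (the unlinked user is the caller itself)" if kind == "error" and error_names_caller(result) else ""
    print(kind, result, note)
```

To run it against a real server, pass http_post/http_get wrappers built on urllib or requests in place of the fakes; everything else stays the same. The token decode in the error path is purely for diagnosis of which user Keycloak saw, since the broker endpoint evaluates the subject of the presented token, not the client id.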