Associate service account with external identity provider

Hi everyone,

I have recently been trying out Keycloak. I want to integrate an external identity provider that has implemented OAuth2, make a brokered client_credentials grant request and receive the token from my IdP.

So I added the IdP and enabled its service account. I just followed the documentation about external IdPs and was able to retrieve a Keycloak token (doc: and want to exchange it as it is described in the doc. At this point I am stuck.

By sending the Keycloak token of my client to /auth/realms/REALM/broker/PROVIDER_ALIAS/token, I am receiving the message “User [db9f8708-3ed9-4649-a909-fde4c9e3a5b6] is not associated with identity provider [oauth]” (oauth is my provider alias). This should be some configuration issue in Keycloak, as the token endpoint of my external authorization server is not even called. I have searched the log events of my Keycloak server and have worked out that the user id from the error message belongs to my registered client. For any other user, one can link their user account with an IdP user account.

Is this linking possible for the client, too? Has anyone experienced the same error message or use case before?

Are you trying to link a user from Keycloak with the IdP? Or trying to link a user from your app via Keycloak to the IdP?

In my case I always create the user in Keycloak, and Keycloak manages the users in my app. So when someone logs in through any IdP, like Google or GitLab etc., they must create an account in Keycloak too. I don't know how to implicitly create an account in Keycloak, as the data I received from the IdP already contains the required fields…

I am trying to get an access token for my application by using the client_credentials grant with Keycloak as broker. But somehow my service-account is not registered for my identity provider. So I can’t exchange the Keycloak token for an access token.

I haven’t tried it yet for normal users.


I’m trying to do the same thing here and am facing the same issue.

Any solution?