Authorization server with third-party authentication

Hello everyone,

I am currently facing a challenge with my authentication server integration in my application. While the authentication server handles the authentication part, it lacks the capability to manage authorization. Since the Single Sign-On (SSO) solution is beyond my control, I only have a client to interact with. This client issues OIDC tokens and provides JWS information for token validation. Unfortunately, I am required to use the SSO access tokens, and they cannot be replaced.

Now, I have a requirement for a centralized access management system that can handle user roles and other access-related functionalities. My question is whether it is possible to configure a separate Keycloak instance to accept the SSO access token, validate it based on its public information, and provide user roles or handle the authorization part.

After examining the Keycloak source code, it appears that the userinfo and token introspection endpoints are unable to fulfill my requirements as they seem to work only with tokens issued by the same Keycloak instance. I would like to know if there is a way to configure Keycloak to achieve the functionality I need.