Azure AD as an IDP and using token for Azure DevOps REST API access


We have configured Keycloak(version 21) to use Azure AD as an IDP, and it just works fine.

The next step was to use the Azure AD access token to access the Azure DevOps REST API. So far, we have done the following:

  1. Configured the Azure AD app to have permission for DevOps.user_impersonation.
  2. Configured the Keycloak identity provider ‘microsoft’ by adding the ‘499b84ac-1321-427f-aa17-267ca6975798/user_impersonation’ scope to the Scopes property.
  3. When users log in with Microsoft, they are asked to give their consent as expected.

To test the Azure DevOps REST API, we followed these steps:

  1. First, we obtained the Azure AD access token by calling the Keycloak API ‘/realms/???/broker/microsoft/token’, which returns the Azure AD token.
  2. Then, we made a call to the DevOps REST API, for example, ‘{organization}/_apis/projects/’, which resulted in a 401 error.

Upon investigating the Azure AD token, we found that the scp claim does not contain ‘499b84ac-1321-427f-aa17-267ca6975798/user_impersonation’ as expected.

What could be missing here? Can I make Keycloak request that ‘499b84ac-1321-427f-aa17-267ca6975798/user_impersonation’ is included in the Azure AD scp, or is the problem elsewhere?