External token exchange with custom flow

I have my application behind Keycloak, and my application entry point is behind a third-party OAuth provider. By the time my entry point gets invoked, the user is already authenticated and a token has been issued by the third party. I want to take that token and do a token exchange for Keycloak. Basically, I want to create a Keycloak user if one does not exist and get a Keycloak access token, so that all other APIs are protected by the Keycloak access token.

I thought the right way to achieve this is token exchange, but the token I receive from the third party is in a custom JSON format, and it also requires some logic to extract the relevant user information.

How can I best achieve this, trusting an external auth token? I'd appreciate some pointers on this.


How about writing a custom identity mapper?
You have to define some identity provider in your Keycloak to accept the token, and you can add mappers to the identity provider.

The request is not even reaching the identity provider. The document says the token exchange is a POST to the URL /realms//protocol/openid-connect/token

There is no way to specify the identity provider here. I am trying to POST the token to the above endpoint and I am getting "invalid token". It looks like it's trying to validate the submitted token as an identity token, and of course it's not a valid identity token.

I would like to have a custom identity provider. But how do I submit to my identity provider to exchange the token?

I may not understand your case, but this is what I understand.

You have an ID token from an IdP (identity provider) that you want to exchange in Keycloak for a Keycloak token.

If that is the case, then you need to define the external IdP as an identity provider in Keycloak, and then define a mapper for that IdP in Keycloak.
Then you can send the ID token to Keycloak and it will trust it, as coming from a known IdP.

I don't think you can simply send a token issued by a different IdP to Keycloak without having first configured it in Keycloak. (If you can, I am interested!)

I have done it like that between two Keycloaks and it worked. What may be more difficult in your case is configuring the external IdP. But to the best of my knowledge you need to do it, if only because Keycloak needs to trust the ID tokens that it will receive.

To test your IdP configuration, you can simply log in to the Keycloak user page using the external IdP; it should work (actually, when it works you don't even need an admin user in Keycloak any more; you can just use the external IdP for all users!).
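The exchange this reply describes, as an added example that is not part of the thread: Keycloak's external-to-internal token exchange is a POST to the realm's token endpoint with grant_type urn:ietf:params:oauth:grant-type:token-exchange, and the identity provider is named with the subject_issuer form parameter, which carries the alias of the IdP configured in the realm. Keycloak then validates subject_token the way that IdP is configured to (issuer, signature, audience), so the value has to be a token that IdP really issued; a custom JSON document will be rejected as an invalid token. The base URL, realm name, client credentials and the IdP alias "third-party" below are placeholders, and on Keycloak versions where token exchange is a preview feature the server must be started with --features=token-exchange. The JWT helpers only encode or inspect claims; they verify nothing.

```python
"""Keycloak external-to-internal token exchange (added example, not from the thread).

Placeholders (assumed): the Keycloak base URL, realm, confidential client and
the identity-provider alias "third-party" must match a realm where the external
IdP has been added under Identity Providers and token exchange is permitted for
the client.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"


class TokenExchangeError(Exception):
    """Raised when Keycloak answers with an OAuth error document."""


def build_exchange_request(base_url, realm, client_id, client_secret,
                           subject_token, subject_issuer,
                           subject_token_type=JWT_TOKEN_TYPE):
    """Build (url, form) for the realm token endpoint.

    subject_issuer is the alias of the identity provider configured in the
    realm; it tells the token endpoint which IdP must validate subject_token.
    The default subject_token_type here is this example's choice.
    """
    url = (f"{base_url.rstrip('/')}/realms/{urllib.parse.quote(realm, safe='')}"
           "/protocol/openid-connect/token")
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_issuer": subject_issuer,
        "subject_token_type": subject_token_type,
    }
    return url, form


def exchange_error(payload):
    """Return a readable message if payload is an OAuth error body, else None."""
    if "error" not in payload:
        return None
    desc = payload.get("error_description")
    return f"{payload['error']}: {desc}" if desc else payload["error"]


def exchange_token(url, form, timeout=10):
    """POST the form and return the parsed token response.

    Keycloak reports exchange failures (for example a subject_token the named
    IdP cannot validate) as an HTTP 4xx whose body is an OAuth error document,
    so both the success and the failure body are parsed as JSON.
    """
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            payload = json.load(err)
        except ValueError:
            raise TokenExchangeError(f"HTTP {err.code}") from err
    message = exchange_error(payload)
    if message:
        raise TokenExchangeError(message)
    return payload


def make_unsigned_jwt(claims):
    """Encode claims as an alg=none compact JWT, for constructed sample tokens only."""
    def b64url(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none'})}.{b64url(claims)}."


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying it.

    Only for inspecting what Keycloak put into the returned access token;
    resource servers must verify the signature against the realm's JWKS.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    # Constructed sample subject token; a real exchange needs the IdP's own token.
    url, form = build_exchange_request(
        "https://keycloak.example.com", "myrealm", "my-backend", "CLIENT_SECRET",
        make_unsigned_jwt({"iss": "https://idp.example", "sub": "alice"}),
        subject_issuer="third-party")
    try:
        tokens = exchange_token(url, form)
        print(decode_jwt_claims(tokens["access_token"]))
    except (TokenExchangeError, urllib.error.URLError) as exc:
        print("exchange failed:", exc)
```

On success Keycloak links or imports the user much as a first login through that IdP would, applying the IdP's mappers, which is what the original question asked for; the error path is where a token the IdP did not issue ends up.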

Thanks for the explanation. My problem is that the token I receive from the external system is not an ID token. It's custom JSON. I want the ability to get the ID token, access token and other pieces of information from it and map them to various user attributes. The issue I am facing is that when I send this custom JSON for token exchange, the call fails saying "invalid id token". I don't even get a call to my custom provider class.

Ah. Sorry for not understanding.
I guess the only way is to customize the Keycloak code. I don't know anything about that.