Help Needed with Custom IDP SPI for OIDC Userinfo Parameter Forwarding

Hello everyone,

I’m working on a project where I need to configure an Identity Provider (IDP) in Keycloak to communicate with an external OIDC provider.

This external provider requires a custom parameter to be included in the /userinfo call. While the client sends all the necessary parameters to Keycloak, these parameters are not forwarded through the flow, causing the final call to external_provider_url/userinfo to fail due to the missing parameter.

I couldn’t find a way to enable parameter forwarding via the Keycloak Admin Console, so I decided to create a custom SPI for the IDP. My approach involves:

  1. Extending the OIDCIdentityProvider class.
  2. Retrieving the required parameters and storing them in the session.
  3. Reusing these parameters when making the /userinfo call.

The SPI compiles successfully, and I can see it listed on the Identity Provider page in the Admin Console. However, I don’t see the “OpenID Connect settings” section (e.g., Discovery endpoints, etc.) for my custom provider.

I’m struggling to understand how this works and what I might be missing.

If anyone has experience with this or insights into how to resolve the issue, your help would be greatly appreciated!

Thanks in advance!

The UI for my Custom SPI IDP without openId settings section:

Hello,
The specific UI for the OIDC identity provider creation is handled by the admin UI theme. As far as I know, you can create your idp with your custom SPI extending the OIDCIdentityProvider class, and then when you go on the detail page, you should have the same detail page as for the original OIDC idp.

If you really need to have the exact same UI for creation, you can:

  • create your own admin UI theme and add a route for your custom idp creation (I don’t think it is the best option)
  • if your Keycloak instance doesn’t need the original OIDC idp SPI, you can override it with your custom SPI (override the getId() method in your provider factory, and make it return oidc. At runtime, your SPI will be used instead of the original OIDC idp SPI). With this id, the admin UI will load the original oidc creation screen.
1 Like

That’s not 100% correct, as it is not guaranteed that the custom extension is being loaded after the default one and thus will overload the built-in provider.
For having guaranteed order, you also will have to implement the order() method in the custom factory implementation and return a value higher than the default (0).

2 Likes
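Putting the two answers above together (same id as the built-in OIDC provider plus a higher order()), here is an added example of what the factory could look like. This is not code from the thread or from Keycloak itself; the package, the class names, the display name and the order value 100 are assumptions, and the custom /userinfo parameter handling from the original question is left out of the provider subclass.

```java
package com.example.keycloak.idp; // hypothetical package

import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;

/**
 * Factory that replaces the built-in OIDC identity provider factory.
 * Because it reports the same id ("oidc"), the admin console shows the stock
 * OIDC creation and detail screens (discovery endpoint etc.) for it.
 */
public class ForwardingOidcIdentityProviderFactory extends OIDCIdentityProviderFactory {

    // Same id as the built-in factory (OIDCIdentityProviderFactory.PROVIDER_ID is "oidc").
    @Override
    public String getId() {
        return OIDCIdentityProviderFactory.PROVIDER_ID;
    }

    // Label shown in the admin console; assumed text.
    @Override
    public String getName() {
        return "OpenID Connect v1.0 (userinfo parameter forwarding)";
    }

    // The built-in factory keeps the default order() of 0. When two factories
    // share an id, Keycloak keeps the one with the higher order, so this value
    // is what guarantees the custom factory wins regardless of load order.
    @Override
    public int order() {
        return 100; // assumed value; any value above 0 is enough
    }

    // Hand out the custom provider instead of the stock OIDCIdentityProvider.
    @Override
    public OIDCIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
        return new ForwardingOidcIdentityProvider(session, new OIDCIdentityProviderConfig(model));
    }
}

/**
 * Provider subclass (package-private so it can share this file). The custom
 * /userinfo parameter handling described in the original question would be
 * implemented here; only the constructor is shown.
 */
class ForwardingOidcIdentityProvider extends OIDCIdentityProvider {

    ForwardingOidcIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config) {
        super(session, config);
    }
}
```

The factory still has to be registered like any other provider: list its fully qualified class name in META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory inside the extension jar. After deploying, an identity provider of type OpenID Connect created in the admin console is backed by this factory, which is easy to confirm by checking the provider list in the server info page or by adding a log line in create().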

Thanks @dasniko for correcting my answer, I forgot this important detail.

I’m almost sure you explain this mechanism in one of your Keycloak videos, I shouldn’t have missed this :flushed: (I’m a big fan, thanks for the knowledge you share)