How does keycloak login work with an external oauth2 authorization server

Hello,

I’m trying to understand the keycloak implementation in our company but I have no idea how it works, because there is no documentation.
Further I don’t find good keycloak resources/documentation to understand its behavior.

Currently we use an external oauth2/openid auth server for login. It’s configured at “identity provider”.
If I login into our application I enter the keycloak login page for the login. And in the network tab I see multiple oauth2 processes.

My questions are:

  1. Are there 2 oauth2 login processes active? One between the client (vue application) and keycloak and one between keycloak and the identity provider?
    When I configure keycloak I set “clients” and “scopes”. That looks like keycloak is an oauth2 auth server itself.
  2. If the identity provider disables the option “store token”, will the identity provider never be used again for a user after he has logged in?

Maybe you could provide me some documentation which I can read to understand the behavior of keycloak during the login process.

T

If you need more description of my problem then just ask. I’m here :stuck_out_tongue:

  1. Yes. Your keycloak is being a client towards the identity provider, which is an authorization server. At the same time, your applications are clients towards keycloak, which in that case acts as an authorization server. The IdP issues tokens to keycloak, keycloak issues its own tokens to your apps. Check out the Server Administration Guide

  2. Store token is only used in case your apps want to retrieve the original token from the IdP. I’ve only used this for debugging purposes, all relevant information should be mapped to your Keycloak user imo.
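The two chained authorization-code flows from the answer above, as an added toy model (not Keycloak's code, and not from the original thread): one `AuthServer` plays the external IdP, a second one plays keycloak, and `brokered_login` runs keycloak first as a client of the IdP and then as the authorization server for the app. The client ids, secrets and the user `alice` are constructed sample values; the `store_token` flag mimics the "store token" option by either keeping or dropping the IdP's token after the user is linked.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """Toy OAuth2 authorization server: hands out codes, redeems them for tokens."""
    name: str
    clients: dict                                  # client_id -> client_secret
    codes: dict = field(default_factory=dict)      # one-time codes -> (client, subject)
    tokens: dict = field(default_factory=dict)     # access tokens -> subject

    def authorize(self, client_id, subject):
        # Front-channel leg: the user authenticates here, the browser carries the code back
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        code = secrets.token_urlsafe(8)
        self.codes[code] = (client_id, subject)
        return code

    def token(self, client_id, client_secret, code):
        # Back-channel leg: the client redeems the code with its own credentials
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("bad client credentials")
        bound_client, subject = self.codes.pop(code)   # a code is single-use
        if bound_client != client_id:
            raise PermissionError("code was issued to a different client")
        tok = f"{self.name}-{secrets.token_urlsafe(8)}"
        self.tokens[tok] = subject
        return tok


def brokered_login(idp, keycloak, app_id, app_secret, subject, store_token):
    """Two chained code flows: app -> keycloak -> external IdP and back."""
    # Leg 1: keycloak is the *client* of the external IdP (its broker client)
    idp_code = idp.authorize("keycloak-broker", subject)
    idp_token = idp.token("keycloak-broker", "broker-secret", idp_code)
    # Leg 2: keycloak is the *authorization server* for the app; it issues
    # its own token for the subject it just learned from the IdP
    kc_code = keycloak.authorize(app_id, subject)
    kc_token = keycloak.token(app_id, app_secret, kc_code)
    # "Store token" off: the IdP token is dropped once the user is linked
    return kc_token, (idp_token if store_token else None)


def run_demo(store_token=False):
    # Constructed sample deployment: one external IdP, one keycloak, one Vue app
    idp = AuthServer("idp", {"keycloak-broker": "broker-secret"})
    kc = AuthServer("keycloak", {"vue-app": "app-secret"})
    return brokered_login(idp, kc, "vue-app", "app-secret", "alice", store_token)
```

The app only ever sees the token minted by the keycloak instance, never the IdP's; flipping `store_token` on is the only way the IdP token survives the exchange.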