How to set Keycloak as Identity provider to access underlying third party applications data APIs

I have been lurking around Keycloak for some time but couldn’t find a solution for my scenario mentioned below.

I have several other third-party services (applications) I want to get services from via API calls, which need access tokens. I want 1 single entry point for all of them, which is login via Keycloak credentials, and then have an access token or tokens in the end somehow to access all APIs of those third-party applications.

End Goal: User logs into Next App, clicks on the login button and logs into Keycloak (with Keycloak credentials). In the background, the user is also logged into a third-party application (OpenID available). (User will have 0 direct interaction with the third-party application.) The end result of the process should be an access token which can later be used to make authorized API calls to third-party applications.

*In the future there can be multiple underlying third-party applications that my main app needs access to, but I want the user to only enter Keycloak credentials and nothing else, and of course have an access token or tokens (idk which one would work in this case) to access APIs of these third-party applications (service providers).

I want to know what steps I have to follow, and if there is any documentation for the type of case I have. It should be simple SSO, I guess, but I couldn’t find much.

My main app is in Next.js, where I have already set up the environment to get access tokens from Keycloak via next-auth.

Could this be what you are looking for?

I’m not 100% sure this is what you’re asking for, but Keycloak has the ability to store tokens when users link with 3rd party sites using OIDC. The basic setup is to configure each 3rd party site as an OIDC IdP, select “account linking only”, “store tokens” and “store tokens readable”. Then, once the user is authenticated, you can request those tokens from Keycloak when you want to use them in your application, using the procedure described here:
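Added example (not part of the original posts, and not Keycloak's or next-auth's own code): a server-side helper that asks Keycloak's broker token endpoint for the stored token of each configured provider and reports the providers for which nothing usable comes back. The function names, the provider aliases and the base URL are assumptions; the body parser accepts JSON or form-encoded text on the assumption that the stored format depends on the provider.

```javascript
// Keycloak endpoint for reading a stored external IdP token:
//   GET {base}/realms/{realm}/broker/{alias}/token  with the user's Keycloak access token.
// Older Keycloak releases prefix the path with /auth. Hypothetical helper names throughout.
function brokerTokenUrl(baseUrl, realm, alias) {
  return `${baseUrl.replace(/\/+$/, "")}/realms/${encodeURIComponent(realm)}` +
         `/broker/${encodeURIComponent(alias)}/token`;
}

// Assumption: the body is either a JSON object or a form-encoded string.
function parseBrokerTokenBody(body) {
  const text = body.trim();
  const fields = text.startsWith("{")
    ? JSON.parse(text)
    : Object.fromEntries(new URLSearchParams(text));
  return { accessToken: fields.access_token ?? null, fields };
}

// Run this on the server (e.g. a Next.js API route) so provider tokens never reach the browser.
// The calling user needs the "read-token" role of the "broker" client.
async function fetchBrokerTokens({ baseUrl, realm, aliases, keycloakAccessToken, fetchImpl = fetch }) {
  const results = {};
  for (const alias of aliases) {
    const res = await fetchImpl(brokerTokenUrl(baseUrl, realm, alias), {
      headers: { Authorization: `Bearer ${keycloakAccessToken}` },
    });
    if (!res.ok) {
      // Typical causes: account never linked to this provider, token storage
      // disabled on the IdP, or the read-token role is missing.
      results[alias] = { ok: false, status: res.status };
      continue;
    }
    const { accessToken } = parseBrokerTokenBody(await res.text());
    results[alias] = accessToken
      ? { ok: true, accessToken }
      : { ok: false, status: res.status };
  }
  return results;
}
```

A provider that comes back with `ok: false` has no readable stored token for this user, so the application has to send the user through account linking for that provider before calling its API.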

But the problem is, let us say I have 3rd party application services (as an example, let's say GitHub, Google, and Facebook), and instead of logging in with them I simply logged in with Keycloak credentials. In that case, will I still have those tokens stored for all 3 types of 3rd party application services (let us say GitHub, Google, and Facebook), since I would like to make API calls to all 3 of them?