How to set Keycloak as Identity provider to access underlying third party applications data APIs

Umar · November 24, 2023, 7:52am

I am been lurking around Keycloak for some time but couldn’t find a solution for my scenario mentioned below.

I have several other third-party services(applications) I want to get services from via apis calls which needs access tokens. I want 1 single entry point for all of them which is login via keycloak credentials and then have access token or tokens in the end somehow to access all APIs of those third-party applications.

End Goal: User logs into Next App. clicks on the login button and logs into Keycloak (with keycloak credentials). In the background, the user is also logged into a third-party application (OpenID available). (User will have 0 direct interaction with third-party application) End result of the process should be an access token which can later be used to make authorized API calls to third-party applications.

*in the future there can be multiple underlying third-party applications that my main app needs access to but I want the user to only enter keycloak credentials and nothing else. and of course, have access token or tokens idk which one would work in this case to access APIs of these third-party applications (service provider).

I want to know what steps I have to follow if there is any documentation for the type of case I have. It should be simple SSO I guess but I couldn’t find much

My main app is in Next.js where I have already set up the environment to get access tokens from keycloak via next-auth.

melancholia · November 24, 2023, 4:37pm

Could this be what you are looking for?

https://www.keycloak.org/docs/latest/authorization_services/index.html

xgp · November 24, 2023, 6:10pm

I’m not 100% sure this is what you’re asking for, but keycloak has the ability to store tokens when users link with 3rd party sites using OIDC. The basic setup is to configure each 3rd party site as an OIDC IdP, select “account linking only”, “store tokens” and “store tokens readable”. Then, once the user is authenticated, you can request those tokens from keycloak when you want to use them in your application, using the procedure described here:
https://www.keycloak.org/docs/latest/server_admin/index.html#retrieving-external-idp-tokens

Umar · November 27, 2023, 7:00am

but the problem is let us say I have 3rd party application services (as an example lets say Github, Google, and Facebook)
and instead of logging in with them I simply logged in with Keycloak credentials, in that case will I still have those tokens stored for all 3 types of 3rd party application services (let us say Github, Google, and Facebook) since I would like to make API calls to all 3 of them?

Topic		Replies	Views
Serving access tokens to users already logged in with third party identity provider Getting advice authentication , oidc	0	461	April 7, 2022
External token exchange with custom flow Getting advice	5	1745	March 9, 2022
How to access identity provider authentication using RestAPI calls Getting advice authentication	0	46	April 11, 2024
Authorization server with 3rd party authentication Getting advice authentication	0	340	June 19, 2023
OIDC in Identity Provider Token retrieve oidc	0	94	February 14, 2024

How to set Keycloak as Identity provider to access underlying third party applications data APIs

Related Topics