Identity brokering from cli (postman or curl)

Hi to all, I’m searching a way to authenticate via curl or postman versus keycloak but using an identity brokering provider configured inside keycloak. using the browser all works fine but I can’t find the correct post parameter to pass in the post call. someone has some ideas?


There isn’t a great way to do this. You need to go through a browser flow (rather than a direct password or client_credentials grant type) to use the command line.

I have seen a tool for command line applications built around the Device Authorization Grant type, but that would take some custom work.

Thanks for reply! so is not possible to make a single post to authenticate versus an identity brokering? i hope that there was some body parameter to specify it.


Correct. Keycloak has no way of passing credentials to an external IdP, so it is not possible.


With postman this will work: In the authorization tab of your request, select type OAuth 2.0 and configure according your client defined in keycloak. Then click on “get new access token”, this will launch your local default browser and postman opening a small web server to catch the callback.



By “custom work” do you mean some client tool that uses CLI to do the curl calls, but actually does some work on its end?

I’m looking at this flow Brokering Overview | keycloak-documentation (

I guess that to implement that, one would have to

  1. curl the initial request
  2. in the simplest case there’s a default provider configured so the result would actually be a redirection 302, the client tool would then have to follow the 302, by another curl call.
  3. This is where I guess it breaks down because that leads to an id provider web page, the client tool would have to probably parse it for some token and answer a form by hand, basically the client tool is redeveloping a small part of browser (and it may even be impossible if there’s a captcha)
  4. if successful, the client tool would receive yet another 302 back to keycloak, where it would arrive authenticated.

Is that correct?
Which would mean that implementing all that is nearly impossible, mainly because of the external id provider, the best Keycloak can do is provide some neat redirections, but there’s no controlling what the id provider might return.

And I guess what postman does is manage the redirections and open the id provider’s web page in a browser.