Identity Provider mappers ignored during token exchange

Hi,

I configured Azure as an external Identity Provider and configured an ‘Attribute Importer’ mapper for propagating the external userId into the user’s attributes.

When I log in via the browser, it works as expected (the user is created and the attribute is set). But when I configure token exchange on that identity provider and perform the flow using this token exchange mechanism, I get a success response and the user in Keycloak gets created, but the attribute is missing.

Can anyone please help me to get this working?

Thank you!

I’m correctly logging in to Keycloak using Office365. I will get a Keycloak token using an Office365 token since I’m adding some modules in Outlook.

I’m working on this but my token exchange is not working, I’m mapping attributes too, maybe I will be able to help.

I’m correctly logging in to Keycloak using Office365. I cannot exchange an Office token to get a Keycloak token.

curl --location --request POST 'host:port/auth/realms//protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
  --data-urlencode 'client_id=<client_id>' \
  --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token' \
  --data-urlencode 'subject_token_type=JWT' \
  --data-urlencode 'subject_token=ey…' \
  --data-urlencode 'subject_issuer=MicrosoftIDP' \
  --data-urlencode 'client_secret='

(subject_token_type is JWT since, according to jwt.io, my Office365 token is a JWT)
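An added example, not code from any poster in this thread, that builds the exchange request above with the RFC 8693 URN for subject_token_type (the form the Keycloak documentation uses, rather than the bare string JWT) and then inspects the access token that comes back for the claim an Attribute Importer mapper should have added, so a mapper that did not fire is detected instead of silently accepted. The client id, the attribute name external_user_id and the sample tokens are constructed.

```python
import base64
import json
from urllib.parse import urlencode

# Token-type URNs from RFC 8693, the values Keycloak's token endpoint expects
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"

def build_exchange_form(client_id, client_secret, subject_token, subject_issuer):
    """Form body for exchanging an external IdP JWT for a Keycloak access token."""
    return urlencode({
        "grant_type": GRANT_TOKEN_EXCHANGE,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": TYPE_JWT,       # URN form, not the bare string "JWT"
        "subject_issuer": subject_issuer,     # alias of the IdP configured in Keycloak
        "requested_token_type": TYPE_ACCESS_TOKEN,
    })

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def claims_unverified(jwt):
    """Decode the payload only; the signature is NOT checked (inspection aid, not authz)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def missing_mapped_claims(jwt, expected_claims):
    """Claims the IdP attribute mapper should have produced but that are absent."""
    present = claims_unverified(jwt)
    return [name for name in expected_claims if name not in present]

def make_sample_jwt(payload):
    """Constructed, unsigned sample token for offline testing only."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}.sig"

# Constructed Keycloak-style responses: mapper ran (claim present) vs. mapper skipped
TOKEN_WITH_ATTRIBUTE = make_sample_jwt({"sub": "1234", "external_user_id": "aad-0042"})
TOKEN_WITHOUT_ATTRIBUTE = make_sample_jwt({"sub": "1234"})
```

Send the body from build_exchange_form to the token endpoint with the Content-Type header above, then run missing_mapped_claims on the returned access_token before relying on any policy that needs the mapped attribute.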

I am having the exact same issue: External Access Token to exchange for Access Token. This flow is supposed to execute the IdP, including invoking the user info endpoint and performing the mappings as configured, but it does not, as you say. This creates a real issue, as we need those claims to know if it passes policies to even issue a token. I am looking at a custom SPI to override the behaviour and add the ability to do the mappings, but so far I can’t quite find the right hook.

What version of Keycloak are you running? There’s been a fix in 22 that solved the token exchange mapper issues. I had the same problems with an IdP, which was fixed in KC22.0.2 (Issue).

Version 23 is what I’m using, and none of the mappers for the IdP that represents the external token fire. Nothing in the logs either.