So here is a longer explanation and some reference articles:
When Keycloak relies on an identity provider to authenticate the user, it can keep the user’s token for the end user to retrieve in a later call: this is called a stored token.
Some reference here: Retrieving External IDP Tokens | keycloak-documentation
Practically, in the identity provider (i.e. the Microsoft config in your case) you have a config screen and you must activate the two options in the red box:
Together these options will allow the end user to request the tokens.
Then you need to set up your users to be able to make that request in the context of the client app.
The user’s access token must belong to a user that has the role read-token of the client broker (that is a pre-configured Keycloak app). To do this you can either
- assign to each user (or via groups) a client role
- assign a default set of roles for all users of your client app
Once the user is authenticated via Keycloak to your external identity provider (Microsoft) you can use their access token to request the external IdP tokens using the dedicated endpoint:

```bash
curl -H "Authorization: Bearer <user's access-token from keycloak>" https://your-keycloak-server/auth/realms/your-realm-name/broker/provider_alias/token
```

You will get a JSON structure with the result that Keycloak got when it called the token_endpoint of the external IdP:
"refresh_token": "optional refresh token ...",
I hope that helps. Let us know the progress you’ve made so others can benefit.
I’d also like to share, for those interested, that I am working on a commercial solution (https://trusstee.io) that intends to facilitate application integration with multiple social logins and in particular to resolve that specific case of getting the remote access token of an identity provider that implements a particular set of APIs. Indeed, Microsoft has a tenant-specific IdP that delivers access tokens giving access to the Microsoft Graph API (for instance). I am looking for developer testers if interested.
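The flow the reply above describes (a Keycloak access token carrying the broker/read-token client role, a GET to the broker token endpoint, and the stored external token coming back as JSON), as an added example that is not part of the original post and not Keycloak's own code. It assumes the hypothetical server https://your-keycloak-server/auth, realm your-realm-name and provider alias "microsoft" from the post; the tokens and the broker response embedded below are constructed sample data, not real credentials. The JWT decode is a local pre-flight diagnostic only (no signature check); Keycloak is what actually enforces the role.

```python
"""Client for the Keycloak stored-token (broker) endpoint.

Added example; assumes the hypothetical Keycloak base URL, realm and
provider alias below.  Sample tokens/responses are constructed, not real.
"""
import base64
import json
import urllib.request

KEYCLOAK_BASE = "https://your-keycloak-server/auth"   # assumed, as in the post
REALM = "your-realm-name"                              # assumed
PROVIDER_ALIAS = "microsoft"                           # assumed IdP alias


def broker_token_url(base: str = KEYCLOAK_BASE, realm: str = REALM,
                     alias: str = PROVIDER_ALIAS) -> str:
    """The dedicated endpoint: /realms/<realm>/broker/<alias>/token."""
    return f"{base.rstrip('/')}/realms/{realm}/broker/{alias}/token"


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.
    Diagnostic use only (e.g. explaining a 403); never use for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialized token")
    return json.loads(_b64url_decode(parts[1]))


def has_read_token_role(keycloak_access_token: str) -> bool:
    """Keycloak exposes client roles under resource_access.<client>.roles,
    so the requirement from the post appears as resource_access.broker.roles."""
    roles = (jwt_claims(keycloak_access_token)
             .get("resource_access", {})
             .get("broker", {})
             .get("roles", []))
    return "read-token" in roles


def parse_stored_token(body: str) -> dict:
    """Parse the JSON Keycloak returns: the external IdP's token response.
    access_token is mandatory; refresh_token is optional."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("broker response carries no access_token")
    return {
        "access_token": data["access_token"],
        "token_type": data.get("token_type"),
        "expires_in": data.get("expires_in"),
        "refresh_token": data.get("refresh_token"),   # may be absent
    }


def fetch_external_token(keycloak_access_token: str, url: str = None,
                         http_get=None) -> dict:
    """GET the broker endpoint with the user's Keycloak access token.
    http_get(url, headers) -> body text is injectable so the logic can run
    offline; the default uses urllib against the real server."""
    if not has_read_token_role(keycloak_access_token):
        raise PermissionError("token lacks broker/read-token; Keycloak would return 403")
    url = url or broker_token_url()
    if http_get is None:
        def http_get(u, headers):
            req = urllib.request.Request(u, headers=headers)
            with urllib.request.urlopen(req) as resp:
                return resp.read().decode()
    body = http_get(url, {"Authorization": f"Bearer {keycloak_access_token}"})
    return parse_stored_token(body)


# --- constructed sample data (unsigned tokens, not real credentials) --------
def _unsigned_jwt(claims: dict) -> str:
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


SAMPLE_TOKEN_WITH_ROLE = _unsigned_jwt(
    {"sub": "alice", "resource_access": {"broker": {"roles": ["read-token"]}}})
SAMPLE_TOKEN_WITHOUT_ROLE = _unsigned_jwt(
    {"sub": "bob", "resource_access": {"account": {"roles": ["view-profile"]}}})
SAMPLE_BROKER_RESPONSE = json.dumps({
    "access_token": "EwB-constructed-ms-access-token",
    "token_type": "Bearer",
    "expires_in": 3599,
    "refresh_token": "M.R3-constructed-refresh-token",
})

if __name__ == "__main__":
    # Offline run with the constructed response; drop http_get= to hit a real server.
    print(fetch_external_token(SAMPLE_TOKEN_WITH_ROLE,
                               http_get=lambda u, h: SAMPLE_BROKER_RESPONSE))
```

The role pre-check is only there to give a clear error before the round trip; if Keycloak still answers 403 with the role present, check that both stored-token options on the identity provider are enabled and that the role was granted for the client the user actually logged in with.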