When the user logs in to web.foo.com and then goes to tenant.foo.com, they should automatically be logged in.
tenant.foo.com is also OAuth enabled, which means it needs to have the same access token, returned by GitHub or GitLab, that the user used to log in.
Sure, I’ll attempt to describe my setup and the steps I took from the documentation.

IDP:
- “Store Tokens” enabled
- “Stored Tokens Readable” enabled (only matters for new users so could skip 4)

broker client:
- create a client role named read-token

other client (can be any OIDC client that gets an access token):
- make sure there is a mapper for “client roles”. By default, this is part of the client scope called “roles”. If you don’t have that client scope assigned to this client, you can create a mapper with this configuration:

Complete a login and get the access token. Send a request to /auth/realms/{realm}/broker/{provider_alias}/token with the Authorization header set to Bearer ${token} as described in the docs.

Your token should contain client roles for the broker client in the resource_access claim:
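As an added example (not code from the post above or from the Keycloak project), the following script shows the client side of the last two steps: it decodes the payload of the Keycloak access token to confirm the broker client role read-token is present under resource_access, and only then calls the broker token endpoint with the token as a Bearer credential. The base URL, realm name, provider alias, the client id "broker" and the sample token are constructed assumptions; the /auth base path follows the endpoint as written in the post. The payload decode does not verify the signature, which is fine for a client inspecting its own token but must never replace server-side validation.

```python
import base64
import json
import urllib.error
import urllib.request


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Restore padding that JWTs strip, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline demonstration only.
    A real Keycloak token carries an RS256 signature in the third segment."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying the signature.
    Only use this to inspect a token the client already holds; the server
    still validates the signature when the token is presented."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def has_read_token_role(token: str, broker_client: str = "broker") -> bool:
    """True if the token grants the broker client's read-token role, i.e.
    resource_access.<broker_client>.roles contains "read-token"."""
    claims = jwt_payload(token)
    roles = claims.get("resource_access", {}).get(broker_client, {}).get("roles", [])
    return "read-token" in roles


def broker_token_url(base_url: str, realm: str, provider_alias: str) -> str:
    """Endpoint from the post: /auth/realms/{realm}/broker/{provider_alias}/token."""
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/broker/{provider_alias}/token"


def fetch_external_token(base_url: str, realm: str, provider_alias: str, access_token: str) -> str:
    """Retrieve the stored GitHub/GitLab token for the logged-in user.
    The response body is returned raw because its format depends on the
    identity provider (GitHub, for instance, returns a form-encoded string)."""
    if not has_read_token_role(access_token):
        # Fail early with an actionable message instead of a bare 403 from Keycloak.
        raise PermissionError(
            "access token lacks the broker read-token role; check the "
            "'client roles' mapper / 'roles' client scope on the OIDC client"
        )
    req = urllib.request.Request(
        broker_token_url(base_url, realm, provider_alias),
        headers={"Authorization": f"Bearer {access_token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        # 403: role missing or "Stored Tokens Readable" not set for this user.
        # 404: no stored token (IdP "Store Tokens" was off when the user linked).
        raise RuntimeError(f"broker token endpoint returned HTTP {err.code}") from err


# Constructed sample token shaped like a Keycloak access token (hypothetical realm and client).
SAMPLE_TOKEN = make_unsigned_token({
    "iss": "https://sso.example.com/auth/realms/myrealm",
    "azp": "tenant-app",
    "resource_access": {"broker": {"roles": ["read-token"]}},
})

if __name__ == "__main__":
    print("role present:", has_read_token_role(SAMPLE_TOKEN))
    print("would call:", broker_token_url("https://sso.example.com", "myrealm", "github"))
```

Running the script only performs the offline checks; fetch_external_token is what tenant.foo.com would call with the real access token it received at login, and the PermissionError branch is the symptom you see when the client roles mapper is missing.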
I am very grateful for your hint. Your words from point #3 should really make it into the Keycloak documentation.
I first tried the mapper and it worked, then I dropped the mapper and simply added “roles” from the list to Assigned Default Client Scopes in my OIDC client.