Is Keycloak right solution for my usecase

My Usecase is.

I have this saas solution. Lets say

web.foo.com

Users of this solution should be able to login using Github, Gitlab and few other Identity providers.

Each user logged in belongs to a particular tenant. and it has its own way to access the product.

for e.g

tenant.foo.com

When user logs in to web .foo.com and then goes to tenant .foo.com , it should automatically be logged in.

tenant .foo.com is also oauth enabled, which means, it needs to have the same access token , returned by github or gitlab, which user has used to login.

Can this be achieved using keycloak.

Thanks a lot in advance.

You can configure Keycloak to store external IDP tokens, and then your tenant applications can retrieve them after a login:
https://www.keycloak.org/docs/latest/server_admin/index.html#retrieving-external-idp-tokens

@trotman23 I’m having issues retrieving external idp tokens. Is there any way we could confirm steps? I have described them here.

Sure I’ll attempt to describe my setup and the steps I took from the documentation.

  1. IDP
  • “Store Tokens” enabled
  • “Stored Tokens Readable” enabled (only matters for new users so could skip 4)
  1. broker client
  • create a client role named read-token
  1. other client (can be any OIDC client that gets an access token)
  • make sure there is a mapper for “client roles”. By default, this is part of the client scope called “roles”. If you don’t have that client scope assigned to this client, you can create a mapper with this configuration:
  1. User (can skip if user was imported after “Stored Tokens Readable” was enabled
  1. Complete a login and get the access token. Send a request to /auth/realms/{realm}/broker/{provider_alias}/token with the authorization header set to Bearer ${token} as described in the docs

Your token should contain client roles for the broker client in the resource_access claim:

"resource_access": {
    "broker": {
      "roles": [
        "read-token"
      ]
    }
}

FWIW, i’m on keycloak 9.0.3, but have performed these steps on previous versions as well with no issues.

1 Like

Dear @trotman23

I am very grateful for your hint. Your words from point #3 should really make it into Keycloak documentation.

I first tried the mapper and it worked, then I dropped the mapper and simply added “roles” from list to Assigned Default Client Scopes in my OIDC client.

Many many thanks.
Peter

how Keycloak can request token with authorization code received from external Identity provider?