Keycloak - ADFS integration, how to get OIDC token?

I'm working on integrating Keycloak with Microsoft ADFS (2012 server).
My understanding is as follows.
In this case, Keycloak is the Service Provider to the user (exposed to us as OIDC).
Keycloak communicates with ADFS via SAML and routes back to the requested resource after the ADFS login.
My Identity Provider: ADFS
https://ip:port/keycloak-auth/realms/samladfs/account
This is working fine. First it redirects to the ADFS page; after validation in ADFS, it redirects back to the /account resource, and some user info is also stored in Keycloak.

My problem:
I don't know how to get an access token in this scenario, or which admin CLI call I need to make. Please help me.

I tried the scenario below:

Request:
HTTP Method: POST
URI: https://ip:port/keycloak-auth/realms/samladfs/protocol/openid-connect/token
grant_type: urn:ietf:params:oauth:grant-type:token-exchange
subject_token_type: urn:ietf:params:oauth:token-type:access_token
client_secret: XXXXX (I created a client with Access Type: confidential)
client_id: XXXX

Response:
{
  "error": "unauthorized_client",
  "error_description": "INVALID_CREDENTIALS: Invalid client credentials"
}

Is this the correct approach, or is there an alternative way to get the access token?

1 Like

If you try using Postman, I've been able to use its built-in Auth functionality for OAuth 2.0 to get an access token. You enter:

  • Grant Type: Authorization Code
  • Callback URL: Any accepted redirect url for your client
  • Auth URL: {your instance}/auth/realms/GROUPINFRA/protocol/openid-connect/auth
  • Access Token URL: {your instance}/auth/realms/GROUPINFRA/protocol/openid-connect/token
  • Client ID + Secret: As per your client
  • Scope: openid (at least)

I have had trouble using this to authenticate to Keycloak, however, but it has returned an access token similar to what I've gotten from password authentication.
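The authorization-code flow that the reply above configures in Postman, written out step by step as an added example in Python. This is not code from either poster or from Keycloak. It uses the realm and path from the first post (https://ip:port/keycloak-auth/realms/samladfs); the client ID, client secret, redirect URI and the canned token responses are constructed placeholders, so the flow can be exercised offline through an injectable transport. The token request uses grant_type=authorization_code rather than the token-exchange grant from the first post, and the canned error body reproduces the unauthorized_client response shown there so the error path is covered too.

```python
"""Authorization-code flow against Keycloak's OIDC endpoints (added example)."""
import base64
import hashlib
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

# Endpoints as in the first post (realm "samladfs" behind /keycloak-auth).
# ASSUMPTION: the ip:port placeholder is kept; replace it for a real deployment.
BASE = "https://ip:port/keycloak-auth/realms/samladfs/protocol/openid-connect"
AUTH_URL = BASE + "/auth"
TOKEN_URL = BASE + "/token"

# Constructed sample bodies (not captured from a real server). The error body
# reproduces the response quoted in the first post.
SAMPLE_TOKEN_RESPONSE = (
    '{"access_token":"eyJhbGciOiJSUzI1NiJ9.e30.c2ln","token_type":"Bearer",'
    '"expires_in":300,"refresh_token":"rt-constructed"}'
)
SAMPLE_ERROR_RESPONSE = (
    '{"error":"unauthorized_client",'
    '"error_description":"INVALID_CREDENTIALS: Invalid client credentials"}'
)


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, state, code_challenge, scope="openid"):
    """Step 1: the URL the browser is sent to. Keycloak redirects to ADFS from here
    and, after the SAML login, back to redirect_uri with ?code=...&state=..."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,  # "openid" at least, as the reply says
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull the code out of the redirect; refuse a state mismatch (CSRF)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or a mixed-up session")
    if "error" in query:
        raise RuntimeError("authorization failed: " + query["error"][0])
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri, code_verifier):
    """Step 3: form body for the token endpoint. grant_type is authorization_code
    (not token-exchange) and redirect_uri must equal the one used in step 1."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,  # confidential client, as in the post
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def _http_post_form(url, form):
    """Real transport: POST application/x-www-form-urlencoded, return (status, body)."""
    data = urllib.parse.urlencode(form).encode("ascii")
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


def canned_transport(status, body):
    """Offline transport returning a constructed (status, body) pair."""
    return lambda url, form: (status, body)


def exchange_code(form, transport=_http_post_form):
    """Send the token request; return the token dict or raise with Keycloak's error fields."""
    status, body = transport(TOKEN_URL, form)
    payload = json.loads(body)
    if status != 200 or "error" in payload:
        raise RuntimeError(f"{payload.get('error')}: {payload.get('error_description')}")
    for key in ("access_token", "token_type", "expires_in"):
        if key not in payload:
            raise RuntimeError("token response missing " + key)
    return payload


def run_demo():
    """Whole flow against the constructed responses; returns the token dict."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    redirect_uri = "https://app.example/callback"  # ASSUMPTION: a registered redirect URI
    build_authorize_url("samladfs-client", redirect_uri, state, challenge)
    # Constructed callback, standing in for the browser redirect after the ADFS login.
    code = parse_callback(redirect_uri + "?state=" + state + "&code=CODE123", state)
    form = build_token_request("samladfs-client", "XXXXX", code, redirect_uri, verifier)
    return exchange_code(form, transport=canned_transport(200, SAMPLE_TOKEN_RESPONSE))


if __name__ == "__main__":
    print(run_demo()["token_type"])
```

Replacing `canned_transport(...)` with the default transport sends the real request; the `state` check and PKCE verifier are what keep the redirect step from being replayed or hijacked, so keep both when wiring this into an application.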