Keycloak as an Identity Broker

I want to use Keycloak as an Identity broker i.e., my clients will have their own Authorisation server like Okta, OneLogin, PingIdentity, etc.
They will be accessing my application by logging in using their providers. So my APIs in the backend should work with their Authorisation server’s access tokens which I was able to do.
The query that I have is: once I add all of these providers in Keycloak as “Identity Providers”,
I was thinking I’ll have a button on the login page where the client will enter the email. Based on his provider I will generate the redirect URL in the backend using the kc_hint query param.
Then he will be redirected to his configured provider’s login page. Upon successful authentication, Keycloak will get the provider’s Access-token, Refresh-token, ID-token, etc.

i) Is it possible for Keycloak to directly return the configured Identity provider’s Access-tokens and refresh-tokens?
ii) On successful login, a session will be started for that user in the keycloak as well. But when I check in the sessions tab, I can see that the client is different. I was expecting to see Okta.
Am I missing something here?
Any help/advice is appreciated.

i) Is it possible for Keycloak to directly return the configured Identity provider’s Access-tokens and refresh-tokens?

Look for “Store Tokens” and “Store Tokens Readable” in the Identity Provider setup. Server Administration Guide This will allow you to query for the stored IdP tokens from the remote IdP once the authentication flow has been completed.

ii) On successful login, a session will be started for that user in the keycloak as well. But when I check in the sessions tab, I can see that the client is different. I was expecting to see Okta.
Am I missing something here?

The user is logging in to a Keycloak Client. “Okta” is the Identity Provider.


I have already looked through the “Store Tokens” radio button in the Identity Provider tab. My question is once I store it. Can Keycloak directly return it rather than making an extra API call or firing a query?
Also, do you have any advice on my architecture?

I have already looked through the “Store Tokens” radio button in the Identity Provider tab. My question is once I store it. Can Keycloak directly return it rather than making an extra API call or firing a query?

No.

Also, do you have any advice on my architecture?

Don’t try to reinvent the wheel. Keycloak does everything you need here. Use the “Store Tokens” and “Store Tokens Readable” options and then retrieve the external IdP token with the API endpoint.

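The two pieces the thread describes, as an added example that is not part of the thread and not Keycloak's own code: building the Keycloak authorization URL that pre-selects the user's external IdP (Keycloak's parameter for this is `kc_idp_hint`), and, after login, reading the stored external IdP tokens back through Keycloak's broker endpoint `GET /realms/{realm}/broker/{alias}/token` with the user's Keycloak access token, which is the "extra API call" the answer refers to and which only works with "Store Tokens" and "Store Tokens Readable" enabled on the IdP and the user holding the `read-token` role of the built-in `broker` client. The Keycloak base URL, realm, client id, redirect URI, the email-domain-to-alias table and the IdP aliases are assumed values.

```python
"""Added example (not from the thread, not Keycloak's own code).

1. build_idp_login_url(): authorization request to Keycloak with
   kc_idp_hint, so the user skips Keycloak's login form and is sent
   straight to the IdP (Okta, OneLogin, ...) configured under that alias.
2. fetch_external_idp_token(): read the external IdP's stored tokens via
   GET /realms/{realm}/broker/{alias}/token, authenticated with the
   user's own Keycloak access token. Requires "Store Tokens" and
   "Store Tokens Readable" on the IdP, plus the broker client's
   read-token role on the user.
"""
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

KEYCLOAK = "https://keycloak.example.com"   # assumed
REALM = "myrealm"                            # assumed
CLIENT_ID = "my-app"                         # assumed Keycloak client
REDIRECT_URI = "https://app.example.com/cb"  # assumed

# Assumed mapping from the email domain a user types in to the alias you
# gave the IdP under "Identity Providers" in the Keycloak admin console.
IDP_BY_DOMAIN = {"acme.com": "okta-acme", "globex.com": "onelogin-globex"}


def idp_alias_for_email(email):
    """Return the IdP alias for the user's email domain, or None."""
    domain = email.rsplit("@", 1)[-1].lower()
    return IDP_BY_DOMAIN.get(domain)


def build_idp_login_url(email, state=None):
    """Authorization Code request to Keycloak with kc_idp_hint set.

    The state value is generated when not supplied; the backend must
    store it and compare it on the callback to bind the redirect to
    this browser session."""
    alias = idp_alias_for_email(email)
    if alias is None:
        raise ValueError("no identity provider configured for this email domain")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state or secrets.token_urlsafe(16),
        "kc_idp_hint": alias,
    }
    return (f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/auth?"
            + urllib.parse.urlencode(params))


def broker_token_url(alias):
    """Keycloak endpoint that returns the stored tokens of one IdP."""
    return f"{KEYCLOAK}/realms/{REALM}/broker/{urllib.parse.quote(alias, safe='')}/token"


def parse_broker_token_response(body):
    """Pick the fields the backend needs out of the stored IdP token JSON."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("broker response carries no access_token")
    wanted = ("access_token", "refresh_token", "id_token", "token_type", "expires_in")
    return {k: data[k] for k in wanted if k in data}


def fetch_external_idp_token(keycloak_access_token, alias):
    """Call the broker endpoint; 403 means Store Tokens Readable / read-token is missing."""
    req = urllib.request.Request(
        broker_token_url(alias),
        headers={"Authorization": f"Bearer {keycloak_access_token}",
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_broker_token_response(resp.read().decode())
    except urllib.error.HTTPError as err:
        if err.code == 403:
            raise PermissionError(
                "Keycloak refused: enable 'Store Tokens Readable' on the IdP "
                "or grant the user the broker client's read-token role") from err
        raise


if __name__ == "__main__":
    # Step 1: where to send the browser for a user of the assumed acme.com IdP.
    print(build_idp_login_url("alice@acme.com"))
    # Step 2 (after the code exchange gave you a Keycloak access token):
    # fetch_external_idp_token(keycloak_access_token, "okta-acme")
```

The returned dictionary holds the external provider's own tokens as Keycloak stored them at login; Keycloak does not refresh them for you, so treat `expires_in` as a hint to re-check before calling the provider's APIs.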