KeyCloak does not refresh External IDP Token

We are using KeyCloak (v11.0.2) Identity Brokering to federate authentication to an external IDP. The Identity Provider is of type OpenID Connect v1.0. Additionally, we are using OIDC Authorization Code Flow with PKCE.

We are successfully able to retrieve the tokens from the external IDP based on the following documentation: Server Administration Guide

However, when the KeyCloak token is refreshed using the “refresh_token” grant by the user-agent, the tokens from the external IDP do not get refreshed, which is an issue since the tokens from the IDP expire even though the tokens from the KeyCloak broker remain active.

Any idea how to solve this issue?


Hi @ayondeep,
Please, did you manage to find any solution? I have the same problem.

It’s a great question, but there isn’t an existing solution in Keycloak. I came to Keycloak from another application/broker that could be configured to refresh external OIDC tokens, which was very convenient.

I have implemented a similar thing inside Keycloak, but for a commercial customer. Basically what it does is:

  • adds a boolean parameter to the IdP config: `refreshStoredTokens`
  • adds a TimerProvider that runs on a schedule that:
    • [hack] uses JPA to look up FederatedIdentityModels from the DB that match the identity provider alias (for each IdP that has `refreshStoredTokens=true`)
    • checks the expiration of the token and performs a refresh if necessary, then updates the FederatedIdentityModel with the new token.

The above won’t work for large numbers of federated identities. However, you could probably do some optimizations by using a database table that stores the token expiration so you could do a fast lookup of only the tokens that need refreshing.
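The scheduled-refresh design described in the post above, written out as an added example (this is not xgp's customer implementation and not Keycloak project code). It assumes the Keycloak 11 store API shapes `session.users().getUsers(realm)` and `getFederatedIdentity(user, alias, realm)`, that the stored token is the raw JSON response from the IdP token endpoint (the `AccessTokenResponse` shape), that the external `access_token` is a JWT carrying an `exp` claim, and the hypothetical IdP config key `refreshStoredTokens` from the post. Instead of the JPA lookup it scans users through the public user store, which is the simple form the post warns does not scale:

```java
import java.util.Map;
import java.util.concurrent.TimeUnit;

import org.jboss.logging.Logger;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner;
import org.keycloak.timer.ScheduledTask;
import org.keycloak.timer.TimerProvider;
import org.keycloak.util.JsonSerialization;

/**
 * Illustrative scheduled task that refreshes stored external-IdP tokens for OIDC
 * identity providers whose config has refreshStoredTokens=true (hypothetical key).
 * Assumed: Keycloak 11 store API (getUsers / getFederatedIdentity signatures),
 * stored token is the raw token-endpoint JSON, external access_token is a JWT.
 */
public class RefreshStoredTokensTask implements ScheduledTask {

    private static final Logger LOG = Logger.getLogger(RefreshStoredTokensTask.class);
    static final String REFRESH_STORED_TOKENS = "refreshStoredTokens";
    // Refresh this long before exp so a consumer never receives a token about to die.
    static final long REFRESH_MARGIN_SECONDS = 120;

    /** Registration hook: call once from a ProviderFactory.postInit(factory). */
    public static void register(KeycloakSessionFactory factory) {
        long intervalMs = TimeUnit.MINUTES.toMillis(5);
        KeycloakSession session = factory.create();
        try {
            TimerProvider timer = session.getProvider(TimerProvider.class);
            // ClusterAwareScheduledTaskRunner makes only one cluster node run each tick.
            timer.schedule(new ClusterAwareScheduledTaskRunner(factory, new RefreshStoredTokensTask(), intervalMs),
                    intervalMs, "RefreshStoredTokens");
        } finally {
            session.close();
        }
    }

    @Override
    public void run(KeycloakSession session) {
        for (RealmModel realm : session.realms().getRealms()) {
            for (IdentityProviderModel idp : realm.getIdentityProviders()) {
                Map<String, String> cfg = idp.getConfig();
                if (!idp.isStoreToken() || !Boolean.parseBoolean(cfg.get(REFRESH_STORED_TOKENS))) {
                    continue;
                }
                // Full user scan: O(users) per IdP; an expiry-indexed table would replace this.
                for (UserModel user : session.users().getUsers(realm)) {
                    FederatedIdentityModel link = session.users().getFederatedIdentity(user, idp.getAlias(), realm);
                    if (link != null && link.getToken() != null) {
                        refreshIfNeeded(session, realm, user, idp, link);
                    }
                }
            }
        }
    }

    static void refreshIfNeeded(KeycloakSession session, RealmModel realm, UserModel user,
                                IdentityProviderModel idp, FederatedIdentityModel link) {
        try {
            AccessTokenResponse stored = JsonSerialization.readValue(link.getToken(), AccessTokenResponse.class);
            if (stored.getRefreshToken() == null || !expiresSoon(stored.getToken())) {
                return; // nothing to do, or no refresh token to do it with
            }
            SimpleHttp.Response resp = SimpleHttp.doPost(idp.getConfig().get("tokenUrl"), session)
                    .param("grant_type", "refresh_token")
                    .param("refresh_token", stored.getRefreshToken())
                    .param("client_id", idp.getConfig().get("clientId"))
                    .param("client_secret", idp.getConfig().get("clientSecret"))
                    .asResponse();
            if (resp.getStatus() != 200) {
                // e.g. invalid_grant after consent revocation: leave the stored record untouched,
                // log the status only (never token values), and let the next run retry.
                LOG.warnf("token refresh failed idp=%s user=%s status=%d", idp.getAlias(), user.getId(), resp.getStatus());
                return;
            }
            AccessTokenResponse fresh = JsonSerialization.readValue(resp.asString(), AccessTokenResponse.class);
            if (fresh.getRefreshToken() == null) {
                // Providers that do not rotate refresh tokens omit the field; keep the current one.
                fresh.setRefreshToken(stored.getRefreshToken());
            }
            FederatedIdentityModel updated = new FederatedIdentityModel(link.getIdentityProvider(),
                    link.getUserId(), link.getUserName(), JsonSerialization.writeValueAsString(fresh));
            session.users().updateFederatedIdentity(realm, user, updated);
        } catch (Exception e) {
            LOG.warnf("token refresh error idp=%s user=%s: %s", idp.getAlias(), user.getId(), e.getClass().getSimpleName());
        }
    }

    /** True if the JWT access token carries no exp or expires within the margin. */
    static boolean expiresSoon(String accessToken) throws Exception {
        JsonWebToken jwt = new JWSInput(accessToken).readJsonContent(JsonWebToken.class);
        Long exp = jwt.getExp();
        long now = System.currentTimeMillis() / 1000;
        return exp == null || exp - now <= REFRESH_MARGIN_SECONDS;
    }
}
```

Two design points worth noting: a failed refresh leaves the existing record in place rather than clearing it, so a transient IdP outage does not strand the user, and a refresh-token rotation response (where the IdP returns a new `refresh_token`) replaces the stored one while a non-rotating response keeps the old one, which is what makes the next cycle work for either kind of provider.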

Thank you so much @xgp for your reply,

I have a back end Java Spring application and I’m using React for the front end. I also use Azure AD as IdP and Keycloak for brokering. Thank you for your suggestion but unfortunately, I don’t have access to the Azure AD config of my company because it is managed by the IT department, so I am trying to resolve the IdP refresh issue at the back/frontend or Keycloak level but I haven’t succeeded yet. Any other suggestion would be greatly appreciated.

Thanks in advance.