Hello All,
I could really use some help.
I've configured a Keycloak instance. I've configured Azure AD as an external IdP and set it as the default redirect in the browser flow. I can successfully log in to a browser-based app secured by Keycloak using Azure credentials. I can see that the Azure AD user is created in Keycloak and is linked to the provider.
I'm trying to do the same for an API. I've secured an API using Keycloak. I'm able to get tokens by performing a POST to {{kcl_url}}/auth/realms/{{kcl_realm}}/protocol/openid-connect/token when the user is local to Keycloak. However, when I use the Azure credentials of the user above, I get a 401 response:
{
    "error": "invalid_grant",
    "error_description": "Invalid user credentials"
}
Since Keycloak was started with the preview profile enabled, token exchange and fine-grained permissions are both enabled. I granted both the Azure AD external IdP and the client (the API being secured) permission to perform token exchanges.
Is what I'm trying to accomplish achievable? Am I overlooking some setting for this to work?
Any assistance would be greatly appreciated.
Thank you,
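An added example for readers of this thread, not part of the original post or of Keycloak's own code. The password grant used above (grant_type=password, the "Direct Access Grants" setting on the client) makes Keycloak check the user's own credential store, and a user that was brokered in from Azure AD has no Keycloak password to check, which is exactly the invalid_grant / "Invalid user credentials" response shown. The request Keycloak offers for brokered users is the external-to-internal token exchange: the Azure AD token is sent as subject_token with subject_issuer set to the IdP alias, and Keycloak resolves the linked user instead of verifying a password; this needs the "exchange" permission on both the identity provider and the target client, which the post says has already been granted. The script below builds both request bodies so they can be inspected offline and only sends the exchange when KC_SEND=1. Everything concrete is assumed: the host keycloak.example.com, realm "demo", client "my-api" with a secret in $CLIENT_SECRET, the IdP alias "azure-ad", and an Azure AD token in $AZURE_TOKEN that the Keycloak broker for that IdP is able to validate.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the two request bodies
# for the Keycloak token endpoint the post uses, then optionally sends the
# token-exchange request. All names below are assumptions for illustration.

KC_URL="${KC_URL:-https://keycloak.example.com}"   # assumed Keycloak base URL
KC_REALM="${KC_REALM:-demo}"                         # assumed realm
CLIENT_ID="${CLIENT_ID:-my-api}"                     # assumed confidential client (the API)
IDP_ALIAS="${IDP_ALIAS:-azure-ad}"                   # assumed alias of the Azure AD broker

# Percent-encode one form value (ASCII input; tokens, URNs and URLs are ASCII).
# Done by hand so the bodies can be checked without curl or a network.
urlencode() {
  _s="$1"; _out=""
  while [ -n "$_s" ]; do
    _c="${_s%"${_s#?}"}"   # first character
    _s="${_s#?}"           # rest of the string
    case "$_c" in
      [A-Za-z0-9.~_-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
    esac
  done
  printf '%s' "$_out"
}

# Same endpoint as in the post (older Keycloak layout with the /auth prefix).
token_url() {
  printf '%s/auth/realms/%s/protocol/openid-connect/token' "$KC_URL" "$KC_REALM"
}

# Resource Owner Password grant, as used in the post. Keycloak verifies the
# password against its own store, so this can only succeed for users that
# actually have a Keycloak password (local or user-federation users).
password_grant_body() {   # $1=username  $2=password  $3=client_secret
  printf 'grant_type=password&client_id=%s&client_secret=%s&username=%s&password=%s' \
    "$(urlencode "$CLIENT_ID")" "$(urlencode "$3")" \
    "$(urlencode "$1")" "$(urlencode "$2")"
}

# External-to-internal token exchange (preview feature). The external IdP's
# token is the subject_token; subject_issuer names the broker alias so Keycloak
# validates the token with that IdP and returns a Keycloak token for the linked user.
token_exchange_body() {   # $1=azure_token  $2=client_secret
  printf 'grant_type=%s&client_id=%s&client_secret=%s&subject_token=%s&subject_token_type=%s&subject_issuer=%s' \
    "$(urlencode 'urn:ietf:params:oauth:grant-type:token-exchange')" \
    "$(urlencode "$CLIENT_ID")" "$(urlencode "$2")" "$(urlencode "$1")" \
    "$(urlencode 'urn:ietf:params:oauth:token-type:access_token')" \
    "$(urlencode "$IDP_ALIAS")"
}

# POST a prepared body to the token endpoint. Only runs when KC_SEND=1 so the
# script can be sourced offline to inspect the bodies.
request_token() {   # $1=form body
  curl -sS -X POST "$(token_url)" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data "$1"
}

if [ "${KC_SEND:-0}" = "1" ]; then
  # AZURE_TOKEN and CLIENT_SECRET are assumed to be set by the caller.
  request_token "$(token_exchange_body "$AZURE_TOKEN" "$CLIENT_SECRET")"
fi
```

Run it with `KC_SEND=1 AZURE_TOKEN=... CLIENT_SECRET=... sh exchange.sh` to perform the exchange, or source it and call `token_exchange_body` to see the form body that goes on the wire. Keep the client secret out of shell history and logs, and treat the returned Keycloak token like any other bearer credential.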