Support for oAuth2.0 identity provider

Hello,
Does Keycloak offer any support to broker with OAuth 2.0 identity providers? I’m not using a social provider. I would like Keycloak to use my application, which has an OAuth 2.0 implementation, as an identity provider.

I came across this thread from last year - Brokering non-OIDC oAuth 2.0 identities and it seems like this isn’t possible, but I wanted to check if things have changed since then.

Thanks!

It’s largely dependent on the provider. As I said in my response to the other question, if you can post the documentation for the one you are trying to integrate, we can likely help you with the configuration and help you determine if it’s possible.

Thanks for getting back @xgp. Unfortunately they barely have any documentation for the OAuth implementation. It is an on-premises hosted CMS called Mura CMS (Mura Software). I have the authorization, token and userinfo URLs if that is any help at all. Do you need sample outputs of what these would return? I also have a support contract with them if we need to find more information.

Have you tried setting it up as an OIDC IdP? Plug in the authorization, token and userinfo URLs, get the clientId and clientSecret, and then try to log in.

I did give that a try. But Keycloak returns the error “No token from server”. I’m assuming it is expecting an id_token instead of the access_token that is being sent.

Still might be something you can work around with configuration. Couple of thoughts.

  1. Turn on Keycloak DEBUG logging, to see if you can get a better sense of what’s happening internally
  2. If you can, since you are running Mura locally, run it over HTTP and use something like Wireshark to look at the requests.
  3. Knowing what Mura says they expect to return, and what (if any) control you have over that may be instructive.

As before, if you can post any of that here, we might be able to be helpful, but I won’t be able to make use of guesses.

Thank you @xgp! I appreciate your responses and helping me with this. I’ll give your steps a try and get back to you with more specifics. Also I have access to the Mura code so I can modify the output it returns if needed.

From the info you mentioned here, this all sounds very strange.
Keycloak can't work with a pure OAuth2 provider, as OAuth2 doesn't provide identities. Only OIDC will provide this (that's the reason OIDC was invented).
But OAuth2 doesn't have a "userinfo" endpoint, so it is strange that your provider offers such an endpoint, which might lead to the expectation of OIDC. But as Keycloak complains that there is no token, that may be because of a missing ID token (btw: it's not id token instead of access token, both are being sent!), which is not OIDC compliant.
Did you try to explicitly provide the scope openid? That's the switch which might turn an OAuth2 authorization server into an OIDC identity provider (and thus return ID tokens).
More information from the supplier about what this interface is based on would really be helpful. Also, an OIDC provider must provide the .well-known/openid-configuration endpoint for auto-configuration of clients.

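The checks suggested in the thread (does the authorization request carry `scope=openid`, does the token endpoint return an `id_token` next to the `access_token`, does the discovery document look like OIDC) can be scripted so that a captured token response can be classified before touching the Keycloak configuration. The following Python is an added example written for this page; it is not code from the thread, from Keycloak or from Mura. The endpoint URLs under `mura.example`, the client id `keycloak-broker`, the Keycloak broker redirect URI with alias `mura`, and both sample token responses and the sample discovery document are constructed assumptions. The JWT decoding deliberately does not verify the signature; it is a diagnostic for inspecting claims, not a validator.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders: the real Mura URLs were not posted in the thread.
AUTHORIZATION_URL = "https://mura.example/oauth/authorize"
EXPECTED_ISSUER = "https://mura.example"
CLIENT_ID = "keycloak-broker"
# Keycloak's broker callback for an IdP with alias "mura" (alias assumed).
REDIRECT_URI = "https://kc.example/realms/demo/broker/mura/endpoint"


def build_authorization_url(client_id, redirect_uri, state, scopes=("openid",)):
    """Build the authorization request as the OIDC broker would send it.
    Without 'openid' in scope an OAuth2 server may never issue an id_token."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZATION_URL + "?" + urlencode(params)


def requests_openid_scope(url):
    """True if the captured authorization request asks for the openid scope."""
    scope = parse_qs(urlsplit(url).query).get("scope", [""])[0]
    return "openid" in scope.split()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWS. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def diagnose_token_response(body, expected_issuer, client_id):
    """Classify a token endpoint response the way a broker would see it."""
    resp = json.loads(body)
    findings = []
    if "access_token" not in resp:
        findings.append("no access_token: not even a valid OAuth2 response")
    if "id_token" not in resp:
        findings.append("no id_token: OAuth2-only response, no identity for the broker")
        return {"oidc": False, "findings": findings, "claims": None}
    header, claims = decode_jwt_unverified(resp["id_token"])
    for claim in ("iss", "sub", "aud", "exp", "iat"):
        if claim not in claims:
            findings.append(f"id_token missing required claim {claim}")
    if claims.get("iss") != expected_issuer:
        findings.append(f"iss {claims.get('iss')!r} != expected {expected_issuer!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        findings.append(f"aud {aud!r} does not contain client_id {client_id!r}")
    if str(header.get("alg", "none")).lower() == "none":
        findings.append("id_token is unsigned (alg=none)")
    return {"oidc": True, "findings": findings, "claims": claims}


def check_discovery(doc_json):
    """Return the OIDC discovery fields that are missing from a provider's
    .well-known/openid-configuration document."""
    doc = json.loads(doc_json)
    required = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
    missing = [k for k in required if k not in doc]
    if "openid" not in doc.get("scopes_supported", []):
        missing.append("scopes_supported:openid")
    return missing


def _constructed_jwt(claims, alg="RS256"):
    """Constructed sample token: real header and payload, dummy signature."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(claims)}.c2lnbmF0dXJl"


# Constructed sample responses: one OAuth2-only, one OIDC-style.
OAUTH2_ONLY_RESPONSE = json.dumps(
    {"access_token": "opaque-access-token", "token_type": "bearer", "expires_in": 3600})
OIDC_RESPONSE = json.dumps({
    "access_token": "opaque-access-token", "token_type": "bearer", "expires_in": 3600,
    "id_token": _constructed_jwt({"iss": EXPECTED_ISSUER, "sub": "42", "aud": CLIENT_ID,
                                  "exp": 1700003600, "iat": 1700000000}),
})
SAMPLE_DISCOVERY = json.dumps({"issuer": EXPECTED_ISSUER,
                               "authorization_endpoint": AUTHORIZATION_URL,
                               "token_endpoint": "https://mura.example/oauth/token",
                               "scopes_supported": ["profile"]})

if __name__ == "__main__":
    print(build_authorization_url(CLIENT_ID, REDIRECT_URI, "state123"))
    print(diagnose_token_response(OAUTH2_ONLY_RESPONSE, EXPECTED_ISSUER, CLIENT_ID))
    print(diagnose_token_response(OIDC_RESPONSE, EXPECTED_ISSUER, CLIENT_ID))
    print(check_discovery(SAMPLE_DISCOVERY))
```

Paste a token response captured from the DEBUG log or from Wireshark into `diagnose_token_response`; an `OAuth2-only` result with an access_token but no id_token reproduces the "No token from server" situation described above, and a non-empty `findings` list on an id_token tells you which claim the provider would still have to fix before Keycloak accepts it.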