Hello all. I am currently trying to implement token exchange in our setup of Keycloak as the IDM, out main legacy SAML authentication application (where users land after they login via Keycloak), and new OAuth applications users get directed to for different flows.
What we want to do is allow token exchange so that users who log in with Keycloak SAML can navigate to the OAuth app with their auth context and navigate back to the SAML app without having to make people re-login to the separate applications.
We have token exchange working from the SAML token to OAuth but as far as we can tell from the securing apps documentation here the reverse exchange (OAuth to SAML) is not yet supported.
We currently only support OpenID Connect and OAuth exchanges. Support for SAML based clients and identity providers may be added in the future depending on user demand.
Does anyone know if there’s work being done to allow this? And if not what is the workaround? Would it be somehow storing the SAML token and exchanging it manually outselves somehow?
Thank you ahead of time.