We are using OIDC with an external identity provider, and we are using token exchange to get an access token for that identity provider. We currently have a problem when a user logs in twice and therefore has two sessions (in Keycloak). The token exchange generally works, but when the user logs out in one session, the external IdP access token of the second session becomes invalid. It seems that the external access token is stored at the federated identity of the user and is thus shared between the sessions. Is this right? Or am I missing anything? Is there a solution to this problem?
Does it happen for newly created users only? When you exchange the token for the first time, not all attributes are transferred to Keycloak, nor the identity provider mapping attributes. When you refresh the token exchange, everything becomes OK and all attributes are there; of course, there are then two user sessions. When you exchange a token for existing users, everything works fine.
I thought it was a Keycloak bug, related to the scope implementation.
Can somebody confirm that?
Any workaround? (Possible solutions: force the token exchange twice, or a custom API endpoint wrapper that handles this issue.)
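The "exchange twice / wrapper endpoint" workaround suggested above, written out as an added example (not code from the thread or from the Keycloak project): a client-side wrapper that sends Keycloak's token-exchange grant with `requested_issuer` set to the external IdP alias, and retries the exchange once when the first response does not carry a usable `access_token`. The form parameter names and the `account-link-url` field (returned when the user is not linked to the IdP) follow Keycloak's token-exchange documentation; verify them against your Keycloak version. The token URL, client credentials, IdP alias and the fake Keycloak responses are constructed placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# RFC 8693 grant and token-type identifiers used by Keycloak's token-exchange endpoint.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# A transport is any callable (url, form) -> (http_status, response_body).
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


class ExchangeError(Exception):
    """Raised when no usable external IdP token could be obtained."""


def build_exchange_form(client_id: str, client_secret: str,
                        subject_token: str, idp_alias: str) -> Dict[str, str]:
    """Form body for exchanging a Keycloak access token for an external IdP token."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,          # the user's Keycloak access token
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "requested_issuer": idp_alias,           # alias of the IdP configured in the realm
    }


def urllib_post(url: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Real transport: POST application/x-www-form-urlencoded, return (status, body)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def exchange_for_external_token(post: Transport, token_url: str, client_id: str,
                                client_secret: str, subject_token: str,
                                idp_alias: str, max_attempts: int = 2) -> Tuple[str, int]:
    """Perform the exchange, retrying once if the first response is unusable.

    Returns (external_access_token, attempts_used). A response carrying
    'account-link-url' means the user is not linked to the IdP at all, so a
    retry cannot help and the error is raised immediately.
    """
    form = build_exchange_form(client_id, client_secret, subject_token, idp_alias)
    last_error = "no attempts made"
    for attempt in range(1, max_attempts + 1):
        status, body = post(token_url, form)
        try:
            payload = json.loads(body)
        except ValueError:
            payload = {}
        token = payload.get("access_token")
        # Usable only if the broker actually handed back a token with a lifetime.
        if status == 200 and token and int(payload.get("expires_in", 0)) > 0:
            return token, attempt
        if "account-link-url" in payload:
            raise ExchangeError("user is not linked to IdP %r" % idp_alias)
        last_error = payload.get("error", "HTTP %d" % status)
    raise ExchangeError("exchange failed after %d attempts: %s" % (max_attempts, last_error))


def make_constructed_transport() -> Transport:
    """Constructed fake Keycloak: the first exchange is rejected, the second succeeds."""
    calls = []

    def post(url: str, form: Dict[str, str]) -> Tuple[int, str]:
        calls.append(form)
        if len(calls) == 1:
            return 400, json.dumps({"error": "invalid_grant",
                                    "error_description": "constructed: first exchange rejected"})
        return 200, json.dumps({"access_token": "external-token-constructed",
                                "token_type": "Bearer", "expires_in": 3600})
    return post


def demo() -> Tuple[str, int]:
    """Run the wrapper against the constructed transport (no network needed)."""
    return exchange_for_external_token(
        make_constructed_transport(),
        "https://keycloak.example/realms/demo/protocol/openid-connect/token",  # placeholder
        "my-client", "my-secret", "keycloak-access-token-constructed", "external-idp")


if __name__ == "__main__":
    print(demo())  # ('external-token-constructed', 2)
```

Against a real realm, pass `urllib_post` as the transport instead of the constructed one. Because the external token is kept on the user's federated identity rather than per session, the wrapper treats any non-200 or token-less reply as "stale, exchange again" rather than caching the first result; it does not retry an unlinked user, since that needs the account-linking flow, not another exchange.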