Unable to retrieve (upstream) Identity Provider's original token

I am having exactly the same issue and cannot solve it. I’m attempting to do this with the Discord (beta) provider. Everything works except brokering. Not sure if this is related to unimplemented features. However, judging by what @FireDrunk is saying, this is exactly the same thing. The link to the original post is here: https://github.com/wadahiro/keycloak-discord/issues/6 (the provider itself is working great; I have been using it for a few months now).

Problem restated below:
I’m having issues retrieving stored tokens based on the doc fragment below. I’m getting this message:

```json
{
  "errorMessage": "Client [myclient] not authorized to retrieve tokens from identity provider [discord]."
}
```

Just as a checklist:

- Trying a brand new user: check
- myclient / scope / client role / broker / assigned roles / read-token: check
- Identity Providers / discord / store tokens: on
- Identity Providers / discord / stored tokens readable: on
- Inspecting user / role mappings / client roles / broker / assigned roles / read-token: check

After login the new user gets a Keycloak token; with this token I access the endpoint below and get a 403 (the errorMessage above):

`/auth/realms/master/broker/discord/token`

At this point, I’m thinking maybe it is because of the custom provider. Has anyone tried to do this? Was your result a success? Any hints? Can we just double-check this please?

Below is an excerpt from the doc:

```
Retrieving External IDP Tokens
Red Hat Single Sign-On allows you to store tokens and responses from the authentication process with the external IDP. For that, you can use the Store Token configuration option on the IDP’s settings page.

Application code can retrieve these tokens and responses to pull in extra user information, or to securely invoke requests on the external IDP. For example, an application might want to use the Google token to invoke on other Google services and REST APIs. To retrieve a token for a particular identity provider you need to send a request as follows:

GET /auth/realms/{realm}/broker/{provider_alias}/token HTTP/1.1
Host: localhost:8080
Authorization: Bearer {keycloak_access_token}

An application must have authenticated with Red Hat Single Sign-On and have received an access token. This access token will need to have the broker client-level role read-token set. This means that the user must have a role mapping for this role and the client application must have that role within its scope. In this case, given that you are accessing a protected service in Red Hat Single Sign-On, you need to send the access token issued by Red Hat Single Sign-On during the user authentication.

In the broker configuration page you can automatically assign this role to newly imported users by turning on the Stored Tokens Readable switch.
```

Could anyone please confirm the steps to do this?
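A client-side way to check the condition the quoted doc states (the access token itself must carry the `broker` client-level role `read-token`, which only happens when the user has the mapping and the role is within the client's scope) and then to call the broker token endpoint. This is an added example, not code from the original post, the Keycloak docs or the keycloak-discord project; the base URL `http://localhost:8080`, realm `master`, alias `discord` and every token payload below are assumed or constructed for illustration, and the 403 response is simulated offline so the script runs without a server.

```python
"""Added example (not from the original post, the Keycloak docs or keycloak-discord).

Decodes a Keycloak access token, checks whether resource_access.broker.roles
contains read-token (the condition the quoted doc gives for
GET /auth/realms/{realm}/broker/{alias}/token), then performs that request.
Assumed values: base URL http://localhost:8080, realm "master", provider
alias "discord". All tokens and responses here are constructed.
"""
import base64
import io
import json
import urllib.error
import urllib.request

BROKER_CLIENT_ID = "broker"      # Keycloak's built-in broker client
READ_TOKEN_ROLE = "read-token"   # client-level role the doc excerpt requires


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed alg=none token for offline testing only.
    A real Keycloak access token is signed; never accept alg=none in production."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.
    Diagnostic use only (inspecting your own token); do not base
    authorization decisions on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_broker_read_token(claims: dict) -> bool:
    """True if resource_access.broker.roles contains read-token.
    False means the role did not make it into the token (per the doc: no user
    mapping, or the role is not within the client's scope); the broker endpoint
    then answers 403 exactly as in the post."""
    roles = claims.get("resource_access", {}).get(BROKER_CLIENT_ID, {}).get("roles", [])
    return READ_TOKEN_ROLE in roles


def broker_token_url(base_url: str, realm: str, provider_alias: str) -> str:
    return f"{base_url}/auth/realms/{realm}/broker/{provider_alias}/token"


def fetch_idp_token(base_url, realm, provider_alias, access_token,
                    opener=urllib.request.urlopen):
    """GET the stored external IdP token, sending the Keycloak access token as Bearer.
    Returns (http_status, response_body). `opener` is injectable so the call
    can be simulated offline; pass nothing to hit a real server."""
    req = urllib.request.Request(
        broker_token_url(base_url, realm, provider_alias),
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )
    try:
        with opener(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def simulate_forbidden(req):
    """Constructed stand-in for the 403 the post reports (no server needed)."""
    body = json.dumps({"errorMessage": "Client [myclient] not authorized to "
                       "retrieve tokens from identity provider [discord]."}).encode()
    raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", {}, io.BytesIO(body))


if __name__ == "__main__":
    # Constructed tokens: one carrying the broker role claim, one without it.
    good = make_unsigned_jwt({"azp": "myclient",
                              "resource_access": {"broker": {"roles": ["read-token"]}}})
    bad = make_unsigned_jwt({"azp": "myclient",
                             "resource_access": {"account": {"roles": ["view-profile"]}}})
    for name, tok in (("good", good), ("bad", bad)):
        print(name, "has broker/read-token:", has_broker_read_token(decode_jwt_payload(tok)))
    # Offline call reproducing the 403 from the post.
    print(fetch_idp_token("http://localhost:8080", "master", "discord", bad,
                          opener=simulate_forbidden))
```

To use it against a real deployment, paste the access token the user received after login into `decode_jwt_payload` first: if `has_broker_read_token` is already False there, the 403 is explained by the token contents and the fix is on the client's scope or the user's role mapping, not on the identity provider.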