We’ve open sourced a new extension that lets you use external providers that expose OAuth 2.0 interfaces (usually intended to authorize access to an API rather than to assert who the user is) as an Identity Provider in Keycloak.
But OAuth2 doesn’t inherently provide identity information!
Correct. The extension overrides the identity-retrieval portions of Keycloak’s OIDCIdentityProvider
class so that identity information is obtained by a script instead: the administrator supplies a custom JavaScript script as a configuration value of the identity provider. The script runs under Nashorn, with a limited scope, once the user has completed the authorization code flow and the provider has returned credentials sufficient to authorize retrieval of identity information, typically an access token that the script uses to call the provider’s user or profile API. Because the script executes inside the Keycloak server, anyone who can edit the identity provider configuration can effectively run code there; restrict that permission accordingly.
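As an added illustration of the kind of script such an identity provider would run (this is our own example, not code from the extension or its repository): a Nashorn-compatible ES5 JavaScript script that, given the token response from the authorization code exchange, calls GitHub’s user API and returns the fields Keycloak needs to link an account. The entry point name (buildIdentity), the assumption that the token response arrives as a parsed object, and the injected getJson HTTP helper are assumptions of this example; the extension’s actual binding contract is documented in its repository. The sample responses are constructed so the script runs offline.

```javascript
// Added example, not the extension's own code. Nashorn-compatible (ES5) identity script
// for a GitHub-style provider. ASSUMPTIONS not taken from the page: the entry point name
// buildIdentity, that the token response is passed in as a parsed object, and that HTTP
// access is injected as getJson(url, accessToken) returning parsed JSON.

// Real GitHub endpoints; the choice of provider here is ours.
var USER_URL = "https://api.github.com/user";
var EMAILS_URL = "https://api.github.com/user/emails";

// Refuse to fetch identity unless the provider handed back a usable bearer token.
function assertUsableToken(tokenResponse) {
  if (!tokenResponse || typeof tokenResponse.access_token !== "string" ||
      tokenResponse.access_token.length === 0) {
    throw new Error("token response contains no access_token");
  }
  var type = (tokenResponse.token_type || "bearer").toLowerCase();
  if (type !== "bearer") {
    throw new Error("unsupported token_type: " + tokenResponse.token_type);
  }
  return tokenResponse.access_token;
}

// GitHub omits the e-mail from /user for many accounts. Fall back to /user/emails and accept
// only the primary, verified address, so an unverified address is never linked to an account.
function resolveEmail(profile, getJson, accessToken) {
  if (typeof profile.email === "string" && profile.email.length > 0) {
    return { email: profile.email, verified: false }; // /user does not say whether it is verified
  }
  var emails = getJson(EMAILS_URL, accessToken) || [];
  for (var i = 0; i < emails.length; i++) {
    if (emails[i].primary === true && emails[i].verified === true) {
      return { email: emails[i].email, verified: true };
    }
  }
  return { email: null, verified: false };
}

// Split a free-form display name into the first/last fields Keycloak stores.
function splitName(name) {
  if (typeof name !== "string" || name.trim() === "") {
    return { firstName: null, lastName: null };
  }
  var parts = name.trim().split(/\s+/);
  return { firstName: parts[0], lastName: parts.length > 1 ? parts.slice(1).join(" ") : null };
}

// Entry point (name assumed): token response in, brokered identity fields out.
function buildIdentity(tokenResponse, getJson) {
  var accessToken = assertUsableToken(tokenResponse);
  var profile = getJson(USER_URL, accessToken);
  if (!profile || profile.id === undefined || profile.id === null) {
    throw new Error("provider profile has no stable id");
  }
  var email = resolveEmail(profile, getJson, accessToken);
  var name = splitName(profile.name);
  return {
    // Link on the provider's immutable numeric id, never on login or e-mail, which can change hands.
    id: String(profile.id),
    username: profile.login,
    email: email.email,
    emailVerified: email.verified,
    firstName: name.firstName,
    lastName: name.lastName
  };
}

// Constructed sample responses (not captured from GitHub) so the script can run offline.
var SAMPLE_RESPONSES = {
  "https://api.github.com/user": { id: 583231, login: "octocat", name: "The Octocat", email: null },
  "https://api.github.com/user/emails": [
    { email: "octocat@users.noreply.github.com", primary: false, verified: true },
    { email: "octocat@example.com", primary: true, verified: true }
  ]
};
var SAMPLE_TOKEN_RESPONSE = { access_token: "gho_sampletoken", token_type: "bearer", scope: "read:user,user:email" };

function sampleGetJson(url, accessToken) {
  if (accessToken !== "gho_sampletoken") { throw new Error("sample: unexpected token"); }
  return SAMPLE_RESPONSES[url];
}

var demoIdentity = buildIdentity(SAMPLE_TOKEN_RESPONSE, sampleGetJson);
```

Two checks are worth keeping whatever provider you target: refuse to proceed without a usable bearer token, and link on the provider’s immutable id rather than on a login name or e-mail address, both of which providers let users change or release.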
See our motivation for more information.
We’ve found that many of our customers have use cases that require authenticating against social providers that are not currently built into Keycloak, and many also need the token issued by the third party to authorize other API requests. Since Keycloak Identity Providers already link the external account to the Keycloak user and can store the provider’s token for applications to retrieve, extending that account linking function was an obvious way to add this functionality.
The extension is currently in alpha, and we are evaluating including it in our extended Keycloak distribution. Take a look at the documentation in the repository to see how we’ve connected Amazon, Discord, Dropbox, GitHub, Box and Stripe Connect. And please contribute scripts for other providers as you add them!