When should the "Keycloak OpenID Connect" identity provider be preferred over the "OpenID Connect v1.0" provider?

I see that the KeycloakOIDCIdentityProvider (keycloak-oidc) extends the OIDCIdentityProvider (oidc). On further investigation, I see that it adds a VALIDATED_ACCESS_TOKEN to the context data, but removes some flexibility by only allowing JWT tokens of type SUBJECT_TOKEN. It seems to be intended for specific situations only, but I haven’t been able to determine when one of these IdP options should be preferred over the other. The Server Administration Guide isn’t very helpful here. It merely states, “Use keycloak-oidc as the providerId when you create a new identity provider instance,” and “Configure the generic OpenID Connect provider the same way you configure the Keycloak OpenID Connect provider, except you set the providerId attribute value to oidc.” This doesn’t answer the question of which option is appropriate in any given situation. I’ve scoured the web for more info on the logic behind selecting between these options, but have found almost nothing. Any guidance would be much appreciated. (I think it really shouldn’t require this much effort to find some simple guidance on a question that I would think would be quite common for a new user of Keycloak. :slightly_smiling_face: ) Thanks in advance for your help!

4 Likes

Keycloak OpenID Connect option is supposed to be used in a scenario when you want to use another keycloak instance as the identity provider for your current keycloak which you plan to use for IAM. Its is basically for “Keycloak to Keycloak Authentication” . assume that you already have 2 Keycloaks (here: Keycloak A and Keycloak B ), and you want to use your keycloak B as Identity Provider, which you want to connect to keycloak A. Hope this helps