I see that the KeycloakOIDCIdentityProvider (keycloak-oidc) extends the OIDCIdentityProvider (oidc). On further investigation, I see that it adds a VALIDATED_ACCESS_TOKEN to the context data, but removes some flexibility by only allowing JWT tokens of type SUBJECT_TOKEN. It seems to be intended for specific situations only, but I haven’t been able to determine when one of these IdP options should be preferred over the other. The Server Administration Guide isn’t very helpful here. It merely states, “Use keycloak-oidc as the providerId when you create a new identity provider instance,” and “Configure the generic OpenID Connect provider the same way you configure the Keycloak OpenID Connect provider, except you set the providerId attribute value to oidc.” This doesn’t answer the question of which option is appropriate in any given situation. I’ve scoured the web for more info on the logic behind selecting between these options, but have found almost nothing. Any guidance would be much appreciated. (I think it really shouldn’t require this much effort to find some simple guidance on a question that I would think would be quite common for a new user of Keycloak. 
) Thanks in advance for your help!
4 Likes