 

KeyCloak Refresh External IDP Token

We are using KeyCloak Identity Brokering to federate authentication to an external IDP. The Identity Provider is of type OpenID Connect v1.0. Additionally, we are using OIDC Authorization Code Flow with PKCE.

We are successfully able to retrieve the tokens from the external IDP based on the following documentation: https://www.keycloak.org/docs/latest/server_admin/#retrieving-external-idp-tokens

However, when the KeyCloak token is refreshed using "refresh_token" grant by the user-agent, the tokens from the external IDP are not. There is very little documentation available from KeyCloak on this topic.

Does anyone know how to refresh the tokens from the external IDP?

Update: I have opened an issue with KeyCloak community https://github.com/keycloak/keycloak-community/issues/277

Ayondeep Datta asked Apr 27 '26 02:04



1 Answer

Keycloak retains both the access token and refresh token from the upstream IdP. When you perform a token exchange it will refresh the tokens if the access token has expired but the refresh token has not, seen here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java#L186-L187

The long and short of it is that you need to call the token exchange endpoint more often than the external refresh token expires. Depending on your implementation you can take advantage of this in a number of ways. For example, I've set my access token TTL shorter than the external IdP's refresh token TTL, and I've got a confidential client that calls the token exchange endpoint every time it sees a new access token. It isn't the best possible solution, but it's better than a sharp stick in the eye.

I don't know why the Keycloak developers don't just refresh any external token when you perform a token refresh of your Keycloak-minted token. They're smart people, so I'm sure there's a reason, but thus far I haven't been able to figure it out. I've been considering extending the existing OIDCIdentityProvider to do just that but I'd rather not open that can of worms until I understand what I'm getting into. If anyone has any insight I'd appreciate it.


Hawk answered Apr 29 '26 18:04

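The scheduling rule in the answer above (exchange at least once per external refresh-token lifetime, which is why the Keycloak access-token TTL is set shorter than the upstream refresh TTL), as an added example that is not part of the original post and not Keycloak's own code. `FakeBroker` is a constructed stand-in for the behaviour the answer attributes to Keycloak: an exchange hands back the stored upstream tokens and refreshes them only when the upstream access token has expired and its refresh token has not. `build_exchange_request` uses the standard token-exchange form parameters (`grant_type`, `subject_token`, `requested_token_type`, `requested_issuer` set to the identity-provider alias); the client id, secret, alias and TTL values are assumptions, and the real call goes to the realm's `/protocol/openid-connect/token` endpoint from a confidential client that has been granted the exchange permission on that identity provider.

```python
"""Constructed model of the exchange-before-upstream-refresh-expires schedule."""
from dataclasses import dataclass

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(client_id, client_secret, keycloak_access_token, idp_alias):
    """Form body for an 'internal token to external token' exchange.

    POSTed by the confidential client to /realms/<realm>/protocol/openid-connect/token
    (realm, client and alias are assumed names for illustration)."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": keycloak_access_token,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "requested_issuer": idp_alias,  # alias of the brokered external IdP
    }


@dataclass
class UpstreamTokens:
    access_token: str
    refresh_token: str
    access_expires_at: int   # seconds on a simulated clock
    refresh_expires_at: int
    generation: int = 0      # how many times the pair has been refreshed


class UpstreamRefreshExpired(Exception):
    """Raised when the upstream refresh token is already dead; only a fresh login helps."""


class FakeBroker:
    """Constructed stand-in for the broker behaviour described in the answer.

    Not Keycloak code: it only models 'refresh on exchange if the upstream access
    token expired but its refresh token did not'."""

    def __init__(self, tokens, access_ttl, refresh_ttl):
        self.tokens = tokens
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl

    def exchange(self, now):
        t = self.tokens
        if now < t.access_expires_at:
            return t  # upstream access token still valid, nothing to refresh
        if now >= t.refresh_expires_at:
            raise UpstreamRefreshExpired("external refresh token expired")
        gen = t.generation + 1
        self.tokens = UpstreamTokens(
            access_token=f"ext-at-{gen}",
            refresh_token=f"ext-rt-{gen}",
            access_expires_at=now + self.access_ttl,
            refresh_expires_at=now + self.refresh_ttl,
            generation=gen,
        )
        return self.tokens


def check_schedule(keycloak_access_ttl, external_refresh_ttl, margin=30):
    """The answer's rule: if the client exchanges on every new Keycloak access
    token, that TTL (plus a safety margin) must be shorter than the external
    refresh TTL, or the upstream refresh token can lapse between calls."""
    return keycloak_access_ttl + margin < external_refresh_ttl


def simulate(poll_interval, external_access_ttl, external_refresh_ttl, horizon):
    """Call exchange every `poll_interval` seconds up to `horizon`.

    Returns (refresh generations reached, time of first failure or None)."""
    initial = UpstreamTokens("ext-at-0", "ext-rt-0",
                             external_access_ttl, external_refresh_ttl)
    broker = FakeBroker(initial, external_access_ttl, external_refresh_ttl)
    now = 0
    while now <= horizon:
        try:
            broker.exchange(now)
        except UpstreamRefreshExpired:
            return broker.tokens.generation, now
        now += poll_interval
    return broker.tokens.generation, None


if __name__ == "__main__":
    # Assumed TTLs: upstream access 300 s, upstream refresh 1800 s, Keycloak access 240 s.
    print("schedule ok:", check_schedule(240, 1800))
    print("poll every 240 s:", simulate(240, 300, 1800, 3600))
    print("poll every 2400 s:", simulate(2400, 300, 1800, 3600))
```

With the assumed TTLs, polling on every 240-second Keycloak access token keeps the upstream pair alive indefinitely (each exchange after the 300-second upstream access token lapses rotates it), while polling every 2400 seconds fails at the first call after the 1800-second upstream refresh token has expired, at which point the user has to re-authenticate at the external IdP. The same arithmetic applies when reading the tokens back through the broker endpoint from the linked documentation, which returns whatever the broker has stored but does not itself trigger a refresh.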