wadahiro / keycloak-discord

Keycloak Identity Provider extension for Discord

Confirm Please - Retrieving External IDP Tokens #6

Closed styk-tv closed 4 years ago

styk-tv commented 4 years ago

I'm having issues retrieving stored tokens based on the doc fragment below. I'm getting a message:

{
  "errorMessage": "Client [myclient] not authorized to retrieve tokens from identity provider [discord]."
}

Just as a checklist:

Trying brand new user: check
myclient / scope / client role / broker / assigned roles / read-token: check
Identity Providers / discord / store tokens / on
Identity Providers / discord / stored tokens readable / on

New user after login gets a keycloak token, with this token I access the below endpoint.
Inspecting user / role mappings / client roles / broker / assigned roles / read-token: check
/auth/realms/master/broker/discord/token and 403 (above errorMessage)

At this point, I'm thinking maybe because it's a custom provider. Has anyone tried to do this? Was your result a success? Any hints? Can we just double check this please?

Below excerpt from the doc:

```
Retrieving External IDP Tokens
Red Hat Single Sign-On allows you to store tokens and responses from the authentication process with the external IDP. For that, you can use the Store Token configuration option on the IDP’s settings page.

Application code can retrieve these tokens and responses to pull in extra user information, or to securely invoke requests on the external IDP. For example, an application might want to use the Google token to invoke on other Google services and REST APIs. To retrieve a token for a particular identity provider you need to send a request as follows:

GET /auth/realms/{realm}/broker/{provider_alias}/token HTTP/1.1
Host: localhost:8080
Authorization: Bearer {keycloak_access_token}

An application must have authenticated with Red Hat Single Sign-On and have received an access token. This access token will need to have the broker client-level role read-token set. This means that the user must have a role mapping for this role and the client application must have that role within its scope. In this case, given that you are accessing a protected service in Red Hat Single Sign-On, you need to send the access token issued by Red Hat Single Sign-On during the user authentication.

In the broker configuration page you can automatically assign this role to newly imported users by turning on the Stored Tokens Readable switch.
```

sahya commented 4 years ago

Hello, styk-tv. Thank you for your contribution.

Would you please tell us your system info?

Ex. OS name, OS version, Keycloak version, and any more...

styk-tv commented 4 years ago

@sahya it's a dockerized helm deployment based on codecentric/keycloak, currently running 7.2.0. Confirmation of discord provider installation here: https://github.com/wadahiro/keycloak-discord/issues/3#issuecomment-602070504 Currently running v0.2.0 but also tried v0.3.0 on a test system without a difference.

I'm simply curious if anyone has tried to request a stored discord token. It would be good to document the steps here just to see if I missed a step perhaps, or whether there is an actual issue.

styk-tv commented 4 years ago

Hi Hiroyuki (@wadahiro)

Is there any chance you could find a spare few minutes to confirm the above steps, to see if brokered token retrieval is possible for discord? Also, I don't care for specific version confirmation; if you figure it out, just tell me what version you used and I will deploy that one to confirm. I think I might have missed a step maybe from the list. I'm assuming "store tokens" and "tokens readable" are inherited and processed by your code, hence asking for someone to double check.

Many thanks.

styk-tv commented 4 years ago

I found a similar problem stated here (not specific to the Discord provider): https://keycloak.discourse.group/t/unable-to-retrieve-upstream-identity-providers-original-token/2267 Can anyone please verify?

wadahiro commented 4 years ago

@styk-tv Sorry for my late response.

The error is produced here:

https://github.com/keycloak/keycloak/blob/7e8018c7ca3572a5e7b0de1864a65b6745bd5bd4/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java#L465-L468

It means the authenticated user (access token) doesn't have the 'read-token' permission. I think you need to set up a role to grant the permission.

Actually, it's unclear if this use case will work because I've never tried it.

styk-tv commented 4 years ago

@wadahiro @sahya many thanks guys. It was really as simple as adding scope "roles" into Assign Default Client Scopes in my OIDC client.

[Screenshot 2020-06-25 at 03 34 11]

EDIT: therefore I can confirm that the Discord provider, as is, integrates with Keycloak in a correct way, so retrieval of the original token is possible as per https://www.keycloak.org/docs/latest/server_admin/#retrieving-external-idp-tokens The only thing missing was the instruction above.
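The thread's resolution (the `roles` client scope was missing from the client's default scopes, so the access token never carried the `broker` client role `read-token` that the documented `/broker/{alias}/token` endpoint checks) can be verified offline before calling Keycloak at all. The script below is an added example, not code from the keycloak-discord project or from the Keycloak docs; it assumes Keycloak's usual `resource_access.<client>.roles` claim layout for client roles, and the two sample tokens it embeds are constructed, unsigned JWTs used only to demonstrate the check.

```python
"""Diagnose a 403 from GET /auth/realms/{realm}/broker/{alias}/token.

Added example (not part of keycloak-discord). Checks offline whether a
Keycloak access token carries the broker client-level role 'read-token'
(claim resource_access.broker.roles, an assumption about Keycloak's claim
layout), which the broker token endpoint requires, and can optionally
perform the documented request.
"""
import base64
import json
import sys
import urllib.error
import urllib.request


def decode_jwt_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWT WITHOUT verifying the signature.

    Only for inspecting a token your own client already received from
    Keycloak; never use an unverified payload for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_read_token_role(token: str) -> bool:
    """True if the token grants the 'read-token' role of the 'broker' client."""
    claims = decode_jwt_payload(token)
    broker_roles = claims.get("resource_access", {}).get("broker", {}).get("roles", [])
    return "read-token" in broker_roles


def explain_missing_role(token: str) -> str:
    """Hint that mirrors the checklist from the thread."""
    claims = decode_jwt_payload(token)
    if "resource_access" not in claims:
        return ("no resource_access claim at all: the 'roles' client scope is "
                "probably not among the client's default client scopes")
    if "broker" not in claims["resource_access"]:
        return ("no broker roles in token: check the user's role mapping for "
                "broker/read-token and that the client's scope includes it")
    return "broker roles present but read-token missing: assign broker/read-token to the user"


def fetch_idp_token(base_url: str, realm: str, alias: str, access_token: str):
    """Perform the request from the Keycloak docs; returns (status, body_text)."""
    url = f"{base_url}/auth/realms/{realm}/broker/{alias}/token"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:  # 403 carries the JSON errorMessage body
        return e.code, e.read().decode()


def _make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline demonstration only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample tokens: the failing case from the thread (no roles claim
# because the 'roles' scope was absent) and the fixed case.
TOKEN_WITHOUT_ROLES = _make_unsigned_jwt({"sub": "user-1", "azp": "myclient"})
TOKEN_WITH_READ_TOKEN = _make_unsigned_jwt({
    "sub": "user-1", "azp": "myclient",
    "resource_access": {"broker": {"roles": ["read-token"]}},
})

if __name__ == "__main__":
    # Usage: script.py [access_token [base_url realm alias]]
    token = sys.argv[1] if len(sys.argv) > 1 else TOKEN_WITHOUT_ROLES
    if has_read_token_role(token):
        print("token carries broker/read-token; the broker endpoint should accept it")
        if len(sys.argv) > 4:
            print(fetch_idp_token(sys.argv[2], sys.argv[3], sys.argv[4], token))
    else:
        print("403 expected:", explain_missing_role(token))
```

Run it with no arguments to see the diagnosis for the constructed failing token; pass a real access token from your client to check it before hitting the endpoint, and add the base URL, realm and provider alias to actually perform the documented GET. A token that passes `has_read_token_role` but still gets a 403 points at the identity-provider side of the checklist (Store Tokens and Stored Tokens Readable) rather than at the client scope.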