
I am trying to use client credentials grant for a back-end service using Keycloak as an identity broker for Azure AD. I also need to store access token from external IdP in Keycloak to retrieve group information from MS Graph API. I have this use case working for a confidential client using authorization code flow but I can't get it to work with client credentials grant.

I have created a "confidential" client in Keycloak with "Service Accounts Enabled" enabled. I have also created an application in Azure AD with client credentials grant enabled and created an external Identity Provider in Keycloak.

I get the access token from Keycloak after authenticating using client_id and client_secret but when I try to retrieve external IdP access token from Keycloak endpoint, I get an error message that says, "User [GUID] is not associated with identity provider". I'd appreciate any suggestions or feedback.

  • Are you trying to authenticate with the service account's credentials? That service account does neither exist in Azure AD nor does it have an associated account in AD. Can you please elaborate what you are trying to achieve? – sventorben Aug 02 '21 at 19:43
  • @sventorben, Yes, I am trying to authenticate with the service account's credentials and I have verified that Azure AD service account (client_id and client_secret) exists and is working. I want to use Keycloak as the identity broker for Azure AD and I want to use client credential grant on both sides (i.e. service app -> Keycloak -> Azure AD). I also want to store the access token from Azure AD in Keycloak and later retrieve it from Keycloak to make requests to Graph API. – jnesis Aug 03 '21 at 17:35
  • Sorry, but I don't think that is possible. – sventorben Aug 03 '21 at 23:00
  • @sventorben Can you explain why this would be impossible? – barfuin Aug 04 '21 at 08:37
  • The client credentials grant type is used by clients to obtain an access token. This is totally outside of the context of a user. Keycloak will not forward or redirect requests to AD in this case. Hence, there will never be an AD token. If you need client credentials grant issuing a token from AD, you will need to make the request to AD directly. – sventorben Aug 05 '21 at 09:21

1 Answer

Thank you Sventorben. Posting your suggestions as an answer to help other community members.

Though the grant is client credentials on both sides (Azure AD and Keycloak), it is not possible to store the access token from Azure AD in Keycloak and later retrieve it from Keycloak to make requests to Graph API.

The client credentials grant type is used by clients to obtain an access token. This is totally outside of the context of a user. Keycloak will not forward or redirect requests to AD in this case. Hence, there will never be an AD token. If you need client credentials grant issuing a token from AD, you will need to make the request to AD directly.

From the document below it seems that Keycloak, as a broker, should never send the original access token it receives from Azure AD to access the Graph API. You can only read the token by enabling the Stored Tokens Readable switch.

Reference: https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/identity-broker/tokens.html
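As an added example that is not part of the original answer: the two requests the discussion contrasts, written with the Python standard library. The service-to-service path sends the client credentials grant straight to the Azure AD v2.0 token endpoint (no broker in between); the Keycloak broker token endpoint is shown alongside and only returns a stored external token for a user session established through a browser-based flow. Tenant, client, realm and IdP alias values are placeholders.

```python
import json
import urllib.parse
import urllib.request

# Requesting Graph with /.default asks Azure AD for the app-only permissions
# granted to the application itself, which is what client credentials gives you.
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def azure_client_credentials_form(client_id, client_secret):
    """Form body of a client credentials grant. No user is involved."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }


def azure_token_request(tenant_id, client_id, client_secret):
    """Token request sent directly to Azure AD, bypassing the Keycloak broker."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode(azure_client_credentials_form(client_id, client_secret))
    return urllib.request.Request(url, data=body.encode(), method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def keycloak_broker_token_request(base_url, realm, idp_alias, keycloak_access_token):
    """Reads the external IdP token Keycloak stored for the *user* behind this
    Keycloak token. A service-account token has no brokered user, so this path
    is what produces the "not associated with identity provider" error.
    base_url includes the /auth prefix on Keycloak versions that still use it."""
    url = f"{base_url}/realms/{realm}/broker/{idp_alias}/token"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {keycloak_access_token}"})


def graph_groups_request(graph_access_token):
    """App-only call to list groups, authorised with the Azure AD token."""
    return urllib.request.Request(f"{GRAPH_BASE}/groups",
                                  headers={"Authorization": f"Bearer {graph_access_token}"})


def fetch_json(req):
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def list_groups_service_to_service(tenant_id, client_id, client_secret):
    """Full direct path: Azure AD token, then Graph. Performs network calls."""
    token = fetch_json(azure_token_request(tenant_id, client_id, client_secret))["access_token"]
    return fetch_json(graph_groups_request(token))
```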
