Token validation during Token Exchange using introspection endpoint


Jaroslav Svacina

Jul 11, 2023, 3:04:44 AM7/11/23
to Keycloak User

Hello everyone,

I would like to ask for your help. First, I will describe my scenario:

I have an opaque access token issued by an external identity provider. I want to exchange this opaque access token at Keycloak for ID, Access and Refresh tokens (external to internal token exchange). Keycloak is configured in such a way that token exchange is enabled, the external identity provider is configured, and the required users are linked to the external IDP. In general the token exchange works well for the following scenarios:

  • Usage of JWT tokens -> Keycloak validates the token using signature validation
  • Access Token (can be opaque or JWT) -> Keycloak validates the token using the User Info Endpoint.

My problem is that the external IDP does not provide a User Info Endpoint and I have an opaque access token. So I can use neither signature validation nor the user info endpoint for token validation.

I need to teach Keycloak to validate the external token via the introspection endpoint of the configured external provider.

How can I achieve this?

Does Keycloak support the token validation using the introspection endpoint of the external provider out-of-the-box?

Currently it is not possible to configure the introspection endpoint in the configuration of the external provider. Does anybody know how to configure the introspection endpoint of the external provider?

If configuration is not possible: can anybody give me advice on how to extend Keycloak to validate the opaque access token during (external to internal) token exchange using the introspection endpoint of the external identity provider instead of the user info endpoint?

Every hint and help is appreciated.

Configuration:

Keycloak Version 21.1.1 in development mode

Enabled features: ADMIN_FINE_GRAINED_AUTHZ, TOKEN_EXCHANGE

Thanks a lot

Jaroslav
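As an added illustration (not code from the post, and not a Keycloak extension or Keycloak's own API), here is a standalone Python sketch of the check an introspection-based validator has to perform on an opaque token: call the external provider's RFC 7662 introspection endpoint with the broker's client credentials, then accept the token only if the response says it is active, unexpired, issued by the configured provider and intended for this audience. The endpoint URL and client credentials are placeholders, and the sample responses are constructed.

```python
import base64, json, time, urllib.parse, urllib.request

# Placeholders (assumed, not from the post): the external IdP's RFC 7662
# endpoint and the client credentials the broker authenticates with.
INTROSPECTION_URL = "https://external-idp.example/oauth2/introspect"
CLIENT_ID, CLIENT_SECRET = "keycloak-broker", "<client-secret-placeholder>"


def introspect(token, opener=urllib.request.urlopen):
    """POST the opaque token to the introspection endpoint (RFC 7662 section 2.1)
    with HTTP Basic client auth; return the parsed JSON response."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    req = urllib.request.Request(INTROSPECTION_URL, data=body.encode(), headers={
        "Authorization": f"Basic {creds}", "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded"})
    with opener(req, timeout=5) as resp:
        return json.load(resp)


def validate_introspection(resp, expected_iss, expected_aud, now=None, leeway=30):
    """Return (ok, reason, claims). claims is what a broker would use to link the
    user (subject, username, scopes); any failed check rejects the token."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:            # inactive or unknown: reject
        return False, "token not active", None
    exp = resp.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return False, "expired or missing exp", None
    if resp.get("iss") != expected_iss:           # must come from the configured IdP
        return False, "unexpected issuer", None
    aud = resp.get("aud") or []
    if expected_aud not in ([aud] if isinstance(aud, str) else aud):
        return False, "audience mismatch", None   # token not meant for this broker
    if not resp.get("sub"):                       # nothing to link a user to
        return False, "missing subject", None
    return True, "ok", {"sub": resp["sub"], "username": resp.get("username"),
                        "scope": resp.get("scope", "").split()}


# Constructed sample responses, not real IdP output.
SAMPLE_ACTIVE = {"active": True, "sub": "u-1234", "username": "jsvacina",
                 "iss": "https://external-idp.example", "aud": CLIENT_ID,
                 "exp": 1_700_000_600, "scope": "openid profile"}
SAMPLE_INACTIVE = {"active": False}
```

The `iss` and `aud` checks matter because the introspection response, not a signature, is the only thing vouching for the token here: without them a valid token issued for a different client at the same provider would pass.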
