keycloak-scim/server_admin/topics/identity-broker/tokens.adoc


=== Retrieving External IDP Tokens

With {project_name}, you can store tokens and responses from the authentication process with the external IDP using the `Store Token` configuration option on the IDP's settings page.

Application code can retrieve these tokens and responses to import extra user information or to request the external IDP securely. For example, an application can use the Google token to use other Google services and REST APIs. To retrieve a token for a particular identity provider, send a request as follows:

[source, subs="attributes"]
----
GET /auth/realms/{realm}/broker/{provider_alias}/token HTTP/1.1
Host: localhost:8080
Authorization: Bearer <KEYCLOAK ACCESS TOKEN>
----

An application must authenticate with {project_name} and receive an access token. This access token must have the `broker` client-level role `read-token` set, so the user must have a role mapping for this role, and the client application must have that role within its scope. In this case, since you are accessing a protected service in {project_name}, send the access token issued by {project_name} during the user authentication. You can assign this role to newly imported users in the broker configuration page by setting the *Stored Tokens Readable* switch to *ON*.

These external tokens can be re-established by logging in again through the provider or using the client-initiated account linking API.
google 2016-05-26 16:09:04 +00:00
broker 2016-05-27 15:23:34 +00:00			`=== Retrieving External IDP Tokens`
google 2016-05-26 16:09:04 +00:00
KEYCLOAK-15756 Initial wording (#58) * KEYCLOAK-15756 Initial wording * KEYCLOAK-15756 Post feedback changes 2021-03-22 13:20:23 +00:00			With {project_name}, you can store tokens and responses from the authentication process with the external IDP using the `Store Token` configuration option on the IDP's settings page.
google 2016-05-26 16:09:04 +00:00
KEYCLOAK-15756 Initial wording (#58) * KEYCLOAK-15756 Initial wording * KEYCLOAK-15756 Post feedback changes 2021-03-22 13:20:23 +00:00			`Application code can retrieve these tokens and responses to import extra user information or to request the external IDP securely. For example, an application can use the Google token to use other Google services and REST APIs. To retrieve a token for a particular identity provider, send a request as follows:`
google 2016-05-26 16:09:04 +00:00
KEYCLOAK-15756 Initial wording (#58) * KEYCLOAK-15756 Initial wording * KEYCLOAK-15756 Post feedback changes 2021-03-22 13:20:23 +00:00			`[source, subs="attributes"]`
google 2016-05-26 16:09:04 +00:00			`----`
			`GET /auth/realms/{realm}/broker/{provider_alias}/token HTTP/1.1`
			`Host: localhost:8080`
KEYCLOAK-5404 Add testing 2017-09-05 07:49:24 +00:00			`Authorization: Bearer <KEYCLOAK ACCESS TOKEN>`
google 2016-05-26 16:09:04 +00:00			`----`

KEYCLOAK-15756 Initial wording (#58) * KEYCLOAK-15756 Initial wording * KEYCLOAK-15756 Post feedback changes 2021-03-22 13:20:23 +00:00			An application must authenticate with {project_name} and receive an access token. This access token must have the `broker` client-level role `read-token` set, so the user must have a role mapping for this role, and the client application must have that role within its scope. In this case, since you are accessing a protected service in {project_name}, send the access token issued by {project_name} during the user authentication. You can assign this role to newly imported users in the broker configuration page by setting the Stored Tokens Readable switch to ON.
client initiated account linking 2017-03-09 21:21:37 +00:00
KEYCLOAK-15756 Initial wording (#58) * KEYCLOAK-15756 Initial wording * KEYCLOAK-15756 Post feedback changes 2021-03-22 13:20:23 +00:00			`These external tokens can be re-established by logging in again through the provider or using the client-initiated account linking API.`