=== Retrieving External IDP Tokens

{{book.project.name}} allows you to store tokens and responses from the authentication process with the external IDP.
For that, you can use the `Store Token` configuration option on the IDP's settings page.

Application code can retrieve these tokens and responses to pull in extra user information, or to securely invoke requests on the external IDP.
For example, an application might want to use the Google token to invoke on other Google services and REST APIs.
To retrieve a token for a particular identity provider you need to send a request as follows:

[source,java]
----
GET /auth/realms/{realm}/broker/{provider_alias}/token HTTP/1.1
Host: localhost:8080
Authorization: Bearer {keycloak_access_token}
----

An application must have authenticated with {{book.project.name}} and have received an access token.  This access token
will need to have the `broker` client-level role `read-token` set.  This means that the user must have a role mapping for this role
and the client application must have that role within its scope.
In this case, given that you are accessing an protected service in Keycloak, you need to send the access token issued by Keycloak during the user authentication.

In the broker configuration page you can automatically assign this role to newly imported users by turning on the `Stored Tokens Readable` switch.