[keycloak-user] Admin API permission endpoints for token exchange

James Mitchell jamesm at suitebox.com
Wed Sep 4 00:25:15 EDT 2019


Can I get a pointer to any admin api endpoints to enable permissions for an
identity provider to perform token exchange, and an endpoint to create the
client policy for the permission?

Firstly, I know this would all go away if I create identity providers and
redirect to Keycloak to handle the whole oauth process... but then I think
that would break all the existing redirect urls I have provided to the
external oauth services, so I'm reluctant to do that. I'd prefer a behind
the scenes migration.

So, my use case is that I have an existing site with server code that
authenticates users with external services then grants access to the site.
I have migrated all the internal users to a Keycloak auth, and now I'm
looking at how to exchange the tokens from the external service for valid
Keycloak tokens.

Following the steps from the documents, I can automate the following steps:
* create an identity provider for the external service, and fill in all the
endpoint and client ids
* lookup the existing user (they are guaranteed to exist) and link them to
the new IDP
* < this is the missing step for automations >
* perform the token exchange, which now works OK with my Google test user

My problem is that I need to enable the permissions, and create the policy
to allow the IDP to do token exchange; and I have not found which API
endpoints will do that.

Can someone point me at the right documents, or a keyword to search for in
the Admin REST API document?

Thanks,
James


----

*James Mitchell*

Developer

e: jamesm at suitebox.com

w: www.suitebox.com


*SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ
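A worked version of the missing step in the post's list, as an added example that is not code from the post or from the Keycloak project: it assumes the Admin REST API endpoints `PUT .../identity-provider/instances/{alias}/management/permissions` (whose response maps the `token-exchange` scope to a permission id) and the `realm-management` client's `authz/resource-server` policy and scope-permission endpoints, a `caller_client_uuid` for the client that will perform the exchange, and a constructed fake server so it runs offline.

```python
"""Enable token exchange for an identity provider through the Keycloak Admin REST API."""
import json
import urllib.request

def make_admin_call(base_url, access_token):
    """Return a callable that sends JSON to the Admin REST API with a bearer token (assumed transport)."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method, headers={
            "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:  # raises HTTPError on 4xx/5xx
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return call

def enable_idp_token_exchange(call, realm, idp_alias, caller_client_uuid, policy_name):
    """Grant one client the right to exchange tokens from the IdP; returns the scope-permission id."""
    # Step 1: switch on fine-grained permissions for the IdP. The response maps each
    # permission scope name to the id of its scope permission, including "token-exchange".
    ref = call("PUT", f"/admin/realms/{realm}/identity-provider/instances/{idp_alias}"
                      "/management/permissions", {"enabled": True})
    perm_id = ref["scopePermissions"]["token-exchange"]
    # Admin permissions live in the authorization settings of the realm-management client.
    rm_uuid = call("GET", f"/admin/realms/{realm}/clients?clientId=realm-management")[0]["id"]
    authz = f"/admin/realms/{realm}/clients/{rm_uuid}/authz/resource-server"
    # Step 2: create a client policy that is positive only for the calling client.
    policy = call("POST", f"{authz}/policy/client", {
        "name": policy_name, "type": "client", "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS", "clients": [caller_client_uuid]})
    # Step 3: attach the policy to the token-exchange permission (least privilege: one client).
    perm = call("GET", f"{authz}/permission/scope/{perm_id}")
    perm["policies"] = [policy["id"]]
    call("PUT", f"{authz}/permission/scope/{perm_id}", perm)
    return perm_id

def fake_admin_api(log):
    """Constructed stand-in for a server: canned responses; appends every request to `log`."""
    def call(method, path, body=None):
        log.append((method, path, body))
        if path.endswith("/management/permissions"):
            return {"enabled": True, "scopePermissions": {"token-exchange": "perm-123"}}
        if path.endswith("clients?clientId=realm-management"):
            return [{"id": "rm-uuid"}]
        if path.endswith("/policy/client"):
            return dict(body, id="policy-456")
        return {"id": "perm-123", "type": "scope"} if method == "GET" else {}
    return call
```

Against a real server, pass `make_admin_call("https://<keycloak-host>", admin_token)` in place of the fake; the admin token must come from a client with `manage-identity-providers` and `manage-authorization` on the realm.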
