First: Thanks for a great well designed solution.  Keycloak looks like is going to do exactly what we need. 

I do have a question though.  If we use Google as an identity provider, is there a way to “piggyback” on that authentication to be able to retrieve a token for accessing google drive contents for example without having the user to have to log in again?

Here is my workflow:
  1. User goes to our webserver.
  2. User is presented a login page from Keycloak
  3. User clicks Google
  4. User logs into Google
  5. User is redirected back to Keycloak’s webpage
  6. User is redirected back to our webserver.
Now what we also want to do is use the workflow documented here: https://developers.google.com/identity/protocols/OAuth2WebServer?hl=en to get a token for google drive access.    

Is this possible?  Or am I doing something wrong?   Or am I going about this the wrong way?   We need to authenticate the user in our Keycloak, but we also want to let the user’s application directly access the user’s Google Drive data.

Thank you.

Reed Lewis