This is possible. If you select "Store tokens" flag for Google identity provider in keycloak admin console, the Google access token will be stored in Keycloak database (in your step 5).

Then you can send request from your application to special Keycloak REST endpoint, which will return you Google access token and you can use it in your application. You need to secure this REST request with the Keycloak access token returned to your app. We even have the example for that, but it's not part of the example distribution. See: https://github.com/keycloak/keycloak/tree/master/examples/broker/google-authentication

There is also some docs for that: http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#d4e2177

Marek

On 25/01/16 20:40, Reed Lewis wrote:

First: Thanks for a great well designed solution. Keycloak looks like is going to do exactly what we need.

I do have a question though. If we use Google as an identity provider, is there a way to “piggyback” on that authentication to be able to retrieve a token for accessing google drive contents for example without having the user to have to log in again?

Here is my workflow:

User goes to our webserver.

User is presented a login page from Keycloak

User clicks Google

User logs into Google

User is redirected back to Keycloak’s webpage

User is redirected back to our webserver.

Now what we also want to do is use the workflow documented here: https://developers.google.com/identity/protocols/OAuth2WebServer?hl=en to get a token for google drive access.

Is this possible? Or am I doing something wrong? Or am I going about this the wrong way? We need to authenticate the user in our Keycloak, but we also want to let the user’s application directly access the user’s Google Drive data.

Thank you.

Reed Lewis
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user