This is possible. If you select "Store tokens" flag for Google identity
provider in keycloak admin console, the Google access token will be
stored in Keycloak database (in your step 5).
Then you can send request from your application to special Keycloak REST
endpoint, which will return you Google access token and you can use it
in your application. You need to secure this REST request with the
Keycloak access token returned to your app. We even have the example for
that, but it's not part of the example distribution. See:
There is also some docs for that:
On 25/01/16 20:40, Reed Lewis wrote:
First: Thanks for a great well designed solution. Keycloak looks
is going to do exactly what we need.
I do have a question though. If we use Google as an identity
provider, is there a way to “piggyback” on that authentication to be
able to retrieve a token for accessing google drive contents for
example without having the user to have to log in again?
Here is my workflow:
1. User goes to our webserver.
2. User is presented a login page from Keycloak
3. User clicks Google
4. User logs into Google
5. User is redirected back to Keycloak’s webpage
6. User is redirected back to our webserver.
Now what we also want to do is use the workflow documented here:
get a token for google drive access.
Is this possible? Or am I doing something wrong? Or am I going
about this the wrong way? We need to authenticate the user in our
Keycloak, but we also want to let the user’s application directly
access the user’s Google Drive data.
keycloak-user mailing list