So this is my best guess of where I would start developing this. This is a bit complicated (and also my best guess), and I am basing my answer a bit on : https://github.com/wpic/sample-keycloak-getting-token and http://keycloak-user.88327.x6.nabble.com/keycloak-user-Brokering-with-OID... There are four components of this system : the User, Keycloak, Facebook, and your Application (aka Broker). The Client requests the login page on your Broker, is redirected to Facebook, and returns to your Broker with Facebook's authentication payload. The Broker can verify this payload. At this point you either have a new user or an existing user. For new users use the KeyCloak Admin API to generate a new initial access token and pre-populate your registration form. The User will receive this form and register for your application. The Broker can exchange the registration form for a proper access token and life can go on like normal. If you have an existing user, you will need to use an External to Internal token exchange. This is documented here : http://www.keycloak.org/docs/latest/securing_apps/index.html#external-tok.... There are limits to the token exchange, but I think that facebook returns a compatible access_token. I would suggest reviewing https://developers.facebook.com/docs/facebook-login/manually-build-a-logi.... I am looking forward to hearing if this works for you or not. As I said in the opening, if I had your use case this is how I would try to implement it. I have not tested this myself. On Mon, Nov 20, 2017 at 9:53 PM, Madhan Kumar S P <madhan.klazzez(a)gmail.com&gt; wrote: