[keycloak-user] How to ignore access token from external IDP and only look for ID_TOKEN?

Mart Abel mart.abel at finestmedia.ee
Mon Feb 18 05:11:07 EST 2019


Hi, I need to integrate an external identity provider with Keycloak, and in that external identity provider all the info about the user is forwarded in the identity token.

This is what I get back from the /oidc/token endpoint

{
    "access_token": "AT-40-aswvpV85wez9xpZTNsmKnaFlkafmHPe7",
    "token_type": "bearer",
    "expires_in": 28800,
    "id_token": "JWTIDENTITYTOKEN"
}


JWTIDENTITYTOKEN payload:

{
  "jti": "XXXX",
  "iss": "XXXX",
  "aud": "XXXX",
  "exp": 1550511120,
  "iat": 1550482320,
  "nbf": 1550482020,
  "sub": "ZZZZZ",
  "profile_attributes": {
    "date_of_birth": "ZZZ",
    "family_name": "ZZZ",
    "given_name": "ZZZ"
  },
  "amr": [
    "ZZZ"
  ],
  "state": "hkMVY7vjuN7xyLl5",
  "nonce": "",
  "at_hash": "ndHD+z4/M/If7NGFUEOOig=="
}


1) So as you can see, the access_token is not in JWT format, so that is problem number 1, because Keycloak gives me an error when it gets it in that format. How to disable it or change it somehow?
"Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint."

2) So then I mocked the IDP just to test it and changed the access_token to some JWT-formatted token, and then it told me "Invalid parameter, username is missing".

How to configure Keycloak so that I could get all the data from the ID token, and having the access token in that format would not break the flow?

Thanks!
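Added example, not from the post or from Keycloak: the ID token above carries an at_hash claim, which is the binding between the opaque access token and the ID token (OIDC Core 3.1.3.6), so a broker that takes user attributes from the ID token instead of the userinfo endpoint can still confirm that the non-JWT access token it received is the one the ID token was issued with. The values below are constructed (the access token string is patterned on the post), signature verification against the IdP's JWKS is assumed to have happened already, and the comparison tolerates the padded standard-base64 form of at_hash seen in the post as well as the spec's base64url.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample, patterned after the post: an opaque (non-JWT) access token.
SAMPLE_ACCESS_TOKEN = "AT-40-aswvpV85wez9xpZTNsmKnaFlkafmHPe7"

# Hash used for at_hash depends on the ID token's JOSE alg; "none" is deliberately absent.
_HASH_FOR_ALG = {"RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256,
                 "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384,
                 "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512}

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def as_padded_standard_b64(url_value: str) -> str:
    """Re-encode a base64url value the way the post's IdP emits at_hash ('+', '/', '=')."""
    return base64.b64encode(b64url_decode(url_value)).decode("ascii")

def decode_jwt_parts(token: str):
    """Split a compact JWT into (header, payload). Verifying the signature against the
    IdP's JWKS is assumed to happen before this check, not here."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def expected_at_hash(access_token: str, alg: str) -> str:
    """OIDC Core 3.1.3.6: base64url of the left half of hash(access_token), hash per alg."""
    digest = _HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])

def normalise_at_hash(value: str) -> str:
    """Tolerate IdPs that emit padded standard base64 (as in the post) instead of base64url."""
    return value.rstrip("=").replace("+", "-").replace("/", "_")

def access_token_bound_to_id_token(id_token: str, access_token: str) -> bool:
    """True only if the opaque access token is the one the ID token's at_hash commits to."""
    header, payload = decode_jwt_parts(id_token)
    claimed = payload.get("at_hash")
    if not claimed or header.get("alg") not in _HASH_FOR_ALG:
        return False  # no binding claim, or an alg (e.g. "none") we refuse to hash for
    return hmac.compare_digest(normalise_at_hash(claimed), expected_at_hash(access_token, header["alg"]))

def build_sample_id_token(at_hash: str, alg: str = "RS256") -> str:
    """Constructed, unsigned ID token (empty signature part) for exercising the check offline."""
    header = {"alg": alg, "typ": "JWT"}
    payload = {"iss": "XXXX", "aud": "XXXX", "sub": "ZZZZZ", "at_hash": at_hash,
               "profile_attributes": {"given_name": "ZZZ", "family_name": "ZZZ"}}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}."
```

If the check fails, the broker should refuse to map the ID token's profile_attributes to a user, since the access token it holds was not issued alongside that ID token.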
