[keycloak-user] How to use identity provider broker (google and facebook) via ajax/api

Dmitry Telegin demetrio at carretti.pro
Sat Jun 22 09:43:58 EDT 2019


Hello Cosmin,

You can use Facebook Login for websites [1] and Google Sign-In [2] in combination with Keycloak token exchange feature [3].

Once Facebook or Google login succeeds, you need to obtain a token and perform an external-to-internal token exchange [4], which will give you a standard set of OIDC tokens (access+ID+refresh). Please pay attention to the proper setup of token exchange permissions in Keycloak.

Also mind that token exchange doesn't yet support the scope param [5]; therefore you won't be able to obtain offline (long-lived) tokens from Keycloak. However, there are workarounds for that.

[1] https://developers.facebook.com/docs/facebook-login
[2] https://developers.google.com/identity/sign-in/web/sign-in
[3] https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
[4] https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange
[5] https://issues.jboss.org/browse/KEYCLOAK-6230

Good luck,
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Tue, 2019-06-11 at 15:30 +0300, Cosmin Ardeleanu wrote:
> Hello,
> 
> *Context*: We have a single page application made with Angular JS. We want
> to implement login via facebook and google, by using keycloak.
> 
> *Requirement*: We want to use an ajax/api call, similar to
> "../protocol/openid-connect/token" (this endpoint uses user/pass to
> log in).
> 
> *Problem*: The way the brokering works is with a series of html redirects:
> start -> redirects to keycloak -> redirects to facebook or google -> back
> to keycloak -> back to start
> This is not compatible with a single page application.
> 
> *Question*:
> Is there any documentation (or workaround) on how to achieve login with
> facebook/google by using ajax/api calls, similar to the one for
> user/password (the "../protocol/openid-connect/token" endpoint)?
> We need to be able to retrieve the token from facebook and google, and send
> it to keycloak, and keycloak should respond with the authentication token.
> 
> How can we do it?
> 
> Thank you.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
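The external-to-internal exchange Dmitry points to in [4], written out as an added example that is not part of the thread and not Keycloak's or the poster's own code. It assumes a Keycloak base URL of https://keycloak.example.com/auth, a realm "demo", a public client "spa" and an identity-provider alias "facebook" (use "google" with the Google ID token and the JWT subject token type); the stub `fakeKeycloakFetch` and the token values it returns are constructed so the flow runs offline. The request shape (grant_type, subject_token, subject_issuer, subject_token_type against /protocol/openid-connect/token) is the one from the Keycloak docs; everything else is illustration.

```javascript
// Added example (not from the original thread): external-to-internal token
// exchange against Keycloak from a browser SPA, i.e. the step after Facebook
// Login / Google Sign-In has handed the app a provider token.
// Assumed names: Keycloak base URL, realm "demo", public client "spa", and
// identity-provider aliases "facebook" / "google" as configured in the realm.

const KEYCLOAK_BASE = 'https://keycloak.example.com/auth'; // assumed
const REALM = 'demo';                                      // assumed
const CLIENT_ID = 'spa';                                   // assumed public client: no secret in the browser

const TOKEN_EXCHANGE_GRANT = 'urn:ietf:params:oauth:grant-type:token-exchange';
const SUBJECT_TYPE_ACCESS_TOKEN = 'urn:ietf:params:oauth:token-type:access_token';
const SUBJECT_TYPE_JWT = 'urn:ietf:params:oauth:token-type:jwt';

function tokenEndpoint(base, realm) {
  return `${base}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`;
}

// Form parameters for the exchange. subjectIssuer is the IdP alias in Keycloak,
// subjectToken is the token that provider gave the SPA. A Facebook access token
// is an opaque access_token; a Google ID token is a JWT.
function buildExchangeBody({ clientId, subjectIssuer, subjectToken, subjectTokenType = SUBJECT_TYPE_ACCESS_TOKEN }) {
  if (!clientId || !subjectIssuer || !subjectToken) {
    throw new Error('clientId, subjectIssuer and subjectToken are required');
  }
  const body = new URLSearchParams();
  body.set('grant_type', TOKEN_EXCHANGE_GRANT);
  body.set('client_id', clientId);
  body.set('subject_issuer', subjectIssuer);
  body.set('subject_token', subjectToken);
  body.set('subject_token_type', subjectTokenType);
  return body;
}

// POST the exchange and return the Keycloak token set. fetchImpl is injectable
// so the flow can be exercised offline against a stub.
async function exchangeExternalToken(opts, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(tokenEndpoint(opts.base, opts.realm), {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildExchangeBody(opts).toString(),
  });
  const json = await res.json();
  if (!res.ok || json.error) {
    // Typical failures: 403 when the client lacks the exchange permission on
    // the IdP, 400 when the provider token is invalid or expired.
    const detail = json.error_description ? `: ${json.error_description}` : '';
    throw new Error(`token exchange failed (HTTP ${res.status}) ${json.error || 'unknown_error'}${detail}`);
  }
  if (!json.access_token || String(json.token_type).toLowerCase() !== 'bearer') {
    throw new Error('unexpected token response');
  }
  return {
    accessToken: json.access_token,
    idToken: json.id_token,
    refreshToken: json.refresh_token, // not an offline token: scope is ignored by this grant
    expiresIn: json.expires_in,
  };
}

// Constructed stand-in for the Keycloak token endpoint, used only so the
// example runs without a server. It accepts one known Facebook token.
function fakeKeycloakFetch(url, init) {
  const params = new URLSearchParams(init.body);
  const ok = url.endsWith('/protocol/openid-connect/token')
    && params.get('grant_type') === TOKEN_EXCHANGE_GRANT
    && params.get('subject_issuer') === 'facebook'
    && params.get('subject_token') === 'fb-token-123';
  const payload = ok
    ? { access_token: 'kc-access', id_token: 'kc-id', refresh_token: 'kc-refresh', token_type: 'Bearer', expires_in: 300 }
    : { error: 'invalid_token', error_description: 'invalid token' };
  return Promise.resolve({ ok, status: ok ? 200 : 400, json: () => Promise.resolve(payload) });
}

// Usage from the SPA: call this inside the FB.login() callback with
// response.authResponse.accessToken, or from the Google Sign-In callback with
// the ID token (subjectTokenType: SUBJECT_TYPE_JWT).
async function loginWithFacebookToken(fbAccessToken, fetchImpl) {
  return exchangeExternalToken({
    base: KEYCLOAK_BASE, realm: REALM, clientId: CLIENT_ID,
    subjectIssuer: 'facebook', subjectToken: fbAccessToken,
  }, fetchImpl);
}

loginWithFacebookToken('fb-token-123', fakeKeycloakFetch)
  .then(t => console.log('Keycloak access token:', t.accessToken));
```

Two things to check before relying on this in a real deployment: the SPA client must be a public client (a client_secret has no place in browser code), and it must be granted the token-exchange permission on the identity provider in Keycloak, otherwise the exchange is refused. At the time of this thread token exchange was a preview feature that had to be switched on explicitly in the server, so a 400 "unsupported grant type" usually means the feature is disabled rather than the request being wrong.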


