Brokering overview

When using Keycloak as an identity broker, Keycloak does not force users to provide their credentials to authenticate in a specific realm. Keycloak displays a list of identity providers from which they can authenticate.

If you configure a default identity provider, Keycloak redirects users to the default provider.

Different protocols may require different authentication flows. All the identity providers supported by Keycloak use the following flow.

Identity broker flow

  1. The unauthenticated user requests a protected resource in a client application.

  2. The client application redirects the user to Keycloak to authenticate.

  3. Keycloak displays the login page with a list of identity providers configured in a realm.

  4. The user selects one of the identity providers by clicking its button or link.

  5. Keycloak issues an authentication request to the target identity provider and redirects the user to that identity provider’s login page. The administrator has already configured the connection properties and other options for this identity provider in the Admin Console.

  6. The user provides credentials or consents to authenticate with the identity provider.

  7. Upon successful authentication, the identity provider redirects the user back to Keycloak with an authentication response. Usually, the response contains a security token that Keycloak uses to trust the identity provider’s authentication and to retrieve user information.

  8. Keycloak checks whether the response from the identity provider is valid. If it is valid and the user does not already exist, Keycloak imports the user and creates a local account; if the token does not contain the required user information, Keycloak may ask the identity provider for it. This behavior is identity federation. If the user already exists, Keycloak may ask the user to link the identity returned by the identity provider with the existing account. This behavior is account linking. You can configure account linking in Keycloak and specify it in the First Login Flow. At this step, Keycloak authenticates the user and issues its own token for accessing the requested resource in the service provider.

  9. Once the user is authenticated, Keycloak redirects the user to the service provider, sending the token it issued during the local authentication.

  10. The service provider receives the token from Keycloak and permits access to the protected resource.
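The following is an added example, not code from Keycloak, that models the two decisions the broker makes in step 8: validating the token returned by the identity provider before trusting it, and then choosing between identity federation (create or reuse the local account) and account linking (an existing user with the same email must confirm the link). An HS256 shared secret stands in for the identity provider's signing key; the issuer, audience, nonce and user records are constructed sample values.

```python
import base64, hashlib, hmac, json

# Constructed example values (not real Keycloak or identity-provider data).
IDP_SECRET = b"constructed-shared-secret"  # a real broker verifies against the IdP's published keys

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWS, standing in for the security token of step 7."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def validate_idp_token(token: str, secret: bytes, issuer: str, audience: str, nonce: str, now: int) -> dict:
    """Step 8, first decision: reject forged, misdirected, replayed or stale tokens.
    The algorithm is pinned by the verifier, never taken from the token header."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this broker")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def broker_login(claims: dict, alias: str, users: dict, links: dict):
    """Step 8, second decision: federation versus account linking.
    users: {local_id: {"email": ...}}; links: {(idp_alias, sub): local_id}."""
    key = (alias, claims["sub"])
    if key in links:                      # identity already federated: reuse the local account
        return "federated", links[key]
    for local_id, user in users.items():  # same email, different identity: ask the user to link
        if user["email"].lower() == claims["email"].lower():
            return "link-required", local_id
    local_id = f"user-{len(users) + 1}"   # unknown user: import and link (first login flow)
    users[local_id] = {"email": claims["email"]}
    links[key] = local_id
    return "created", local_id
```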

Variations of this flow are possible. For example, the client application can request a specific identity provider rather than displaying a list of them, or you can set Keycloak to force users to provide additional information before federating their identity.

At the end of the authentication process, Keycloak issues its own token to the client applications. Client applications are isolated from the external identity providers: they never see the identity provider’s protocol or how it validates the user’s identity, and the identity provider only needs to know about Keycloak.