Blocking BUG - Client Browser Flow is not continuing after User log in from external Identity Provider #12893
cgeorgilakis started this conversation in Ideas
This bug forced me to have all my authentication executions being defined twice. Once in the browser flow to get them executed in case of a cookie auth, and once in a post broker flow to get them executed in case of a brokered login. Would be happy if this bug gets resolved...
Keycloak provides full functionality for using it both as Service Provider and Identity Brokering.
However, a BLOCKING BUG exists for using Keycloak as Identity Brokering and Social Login. Our users are mainly from external Identity Providers and we have many Clients with different functionality (some of them use OTP compulsorily, others being able to deny access, multi factor authentication etc.).
The problem is that any flow/execution of the Client Browser Flow is not executed after a User logs in from an external Identity Provider (the case of Username Password Form and Identity Provider Redirector). For Keycloak Users everything is ok. An example can be found in this Jira issue.
We want to mention that configuring the Identity Provider "Post Login Flow" is not acceptable for our case. Our flows (OTP, deny access, multi factor authentication) are based on the Client Browser Flow, not on the Identity Provider "Post Login Flow". The Client Browser Flow MUST BE CONTINUED after the Identity Provider "First Login Flow" and "Post Login Flow" have finished.
Our implementation saves in the AuthNotes of AuthenticationSessionModel all needed information for the Client Browser Flow (AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION of the Client Browser Flow, flowid) before redirecting to the Identity Provider login. After the Identity Provider login has successfully finished, Keycloak can retrieve all needed information for the Client Browser Flow from the AuthNotes of AuthenticationSessionModel and proceed with the Client Browser Flow. Basic Identity Provider login flows have been tested together with Client Browser flows (OTP, deny access, multi factor authentication).
We have made a PR for this. Could you review it? Could you help us to overcome some small test failures? Details can be found in the PR.
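A simplified model of the save-and-resume approach described in the post above, added here as an example; it is not code from the PR or from Keycloak. The note keys, the flow definition and the execution names are constructed for the sketch, and the check that the saved position still matches the flow is an assumption about how a resume step should fail closed.

```python
# Simplified model of the approach in the post; not Keycloak code.
# Note keys, flow and execution names are constructed for this sketch.
EXECUTION_NOTE = "resume.execution"   # stands in for CURRENT_AUTHENTICATION_EXECUTION
FLOW_NOTE = "resume.flow_id"          # stands in for the saved flow id

# Constructed client browser flow: executions run in order.
BROWSER_FLOW = {"id": "client-browser",
                "executions": ["cookie", "idp-redirector", "otp", "deny-access"]}


class AuthSession:
    """Stands in for an authentication session carrying string auth notes."""
    def __init__(self):
        self.notes = {}
        self.ran = []          # executions that actually ran, in order


def redirect_to_idp(session, flow, save_position):
    """Run the flow up to the IdP redirect; optionally remember where it stopped."""
    for name in flow["executions"]:
        session.ran.append(name)
        if name == "idp-redirector":
            if save_position:
                session.notes[FLOW_NOTE] = flow["id"]
                session.notes[EXECUTION_NOTE] = name
            return "REDIRECT"
    return "DONE"


def broker_callback(session, flow):
    """Finish the brokered login, then resume the client flow if a position was saved."""
    session.ran += ["first-login-flow", "post-login-flow"]
    flow_id = session.notes.pop(FLOW_NOTE, None)
    execution = session.notes.pop(EXECUTION_NOTE, None)
    if flow_id is None and execution is None:
        return "LOGGED_IN"     # reported behaviour: remaining executions never run
    # Fail closed if the saved position does not match the flow being resumed.
    if flow_id != flow["id"] or execution not in flow["executions"]:
        return "FAILED"
    start = flow["executions"].index(execution) + 1
    session.ran += flow["executions"][start:]
    return "LOGGED_IN"
```

Comparing `session.ran` for a session that saved its position with one that did not shows which client-level executions (here `otp` and `deny-access`) a brokered login skips.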