JWT Authorization Grant and User Provisioning #46916

plovell · 2026-03-05T17:22:32Z

plovell
Mar 5, 2026

I have been investigating the preview feature 'JWT Authorization Grant' https://www.keycloak.org/securing-apps/jwt-authorization-grant for external to internal token exchange and have found that I can generate a token in the configured Okta IDP and then exchange that Token using the end point /realms/{realim}/protocol/openid-connect/token for a Keycloak token.

The end goal of this work is to allow a third party application pass an IDP token to our application which will then authenticate with Keycloak using the IDP token.

This works, as long as the IDP user already exists in Keycloak. If the IDP user does not exist in Keycloak I get a 'user not found' error.

If I login using the browser for the same IDP I can use the first broker login flow to automatically create the user.

My questions are:

Is this a configuration option already that I might have missed that would execute the first broker login flow?
If not, is there something else I can do to trigger the user creation?
Or can I create a Keycloak extension that would do similar?
Finally, with the above failing, is this a reasonable feature request?

plovell · 2026-03-05T17:26:25Z

plovell
Mar 5, 2026
Author

Somehow I missed this statement in the document I posted:

Keycloak requires the sub claim in the assertion to be the user identifier in the external provider. The Keycloak user should be previously linked to the Identity Provider. This way there is a link between the external and the internal user ID.

Which I guess answers my initial question. Is there anyway that the linking of the user and the keycloak user can be automated?

0 replies

Magublafix · 2026-03-27T08:32:51Z

Magublafix
Mar 27, 2026

I have the same problem. Does it only work right now if we link all users manually?

0 replies

plovell · 2026-03-27T09:20:34Z

plovell
Mar 27, 2026
Author

It would seem that this is the case, and that the change is intentional:

keycloak/services/src/main/java/org/keycloak/protocol/oidc/grants/JWTAuthorizationGrantType.java

Line 110 in 4f7be5f

//user must exist in keycloak

//user must exist in keycloak

Further to this it also seems that if the user does already exist, then the federated identity is not imported into Keycloak meaning that the external IDP cannot be the single source of truth for roles and groups when authenticating solely using this method.

it does look like importing a federated identity is supported in the external to internal token exchange provider:

keycloak/services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/ExternalToInternalTokenExchangeProvider.java

Line 99 in 4f7be5f

UserModel user = importUserFromExternalIdentity(context);

UserModel user = importUserFromExternalIdentity(context);

However, this is currently an experimental feature (not even preview), and it is not clear to me exactly how this would interact with the 'JWT Authorization Grant'.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

JWT Authorization Grant and User Provisioning #46916

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

JWT Authorization Grant and User Provisioning #46916

Uh oh!

plovell Mar 5, 2026

Replies: 3 comments

Uh oh!

plovell Mar 5, 2026 Author

Uh oh!

Magublafix Mar 27, 2026

Uh oh!

plovell Mar 27, 2026 Author

plovell
Mar 5, 2026

plovell
Mar 5, 2026
Author

Magublafix
Mar 27, 2026

plovell
Mar 27, 2026
Author