Do you need token‐exchange?
Before we answer this question, let's first understand what token-exchange really is in this context.
What is token-exchange?
Imagine you have non-Keycloak tokens, like Google access_tokens, that enable you to access Google's API. However, your Application likely only supports Keycloak tokens.
In order to get Keycloak tokens, you can send your non-Keycloak tokens to Keycloak. It verifies the tokens and returns new Keycloak tokens that your application supports.
Ask yourself: does the whole login stay in the browser?
If the answer is yes, then NO token exchange is needed.
If no, then you likely have a native app that deals with native/proprietary logins, which need a token exchange.
Imagine you want to support native Google/Apple login in your native iOS/Android app WITHOUT a browser window opening. You likely use some sort of Google/Apple SDK to create a native login experience.
After you have retrieved the tokens from the SDK, you likely end up with an authorization_code, id_token, access_token or refresh_token. Now you can exchange one of these tokens for Keycloak tokens that your application supports (in the case of this extension, only authorization_code and id_token from Apple are supported for exchange).
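The exchange described above, sketched as an added example (not code from this extension): it builds the RFC 8693 token-exchange request a native app would POST to Keycloak's token endpoint with an Apple id_token. The host, realm, client id, the IdP alias `apple`, and the choice to send the id_token as `subject_token` with the RFC 8693 id_token type are assumptions; the sample token is constructed and unsigned.

```python
import base64, json, time
from urllib.parse import urlencode, urlsplit

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"    # RFC 8693
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"  # RFC 8693
APPLE_ISSUER = "https://appleid.apple.com"

def precheck_id_token(id_token, now=None):
    """Cheap client-side sanity check before sending the token.
    The signature is NOT verified here; Keycloak verifies the token."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("id_token expired")
    return claims

def build_exchange_request(base_url, realm, client_id, id_token,
                           idp_alias="apple", now=None):
    """Return (url, form_body) for the token-exchange POST."""
    # The subject token is a bearer credential: never send it over plain http.
    if urlsplit(base_url).scheme != "https":
        raise ValueError("token endpoint must use https")
    precheck_id_token(id_token, now)
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    body = urlencode({
        "grant_type": GRANT,
        "client_id": client_id,              # assumed public client of the app
        "subject_token": id_token,           # token obtained from the Apple SDK
        "subject_token_type": ID_TOKEN_TYPE,
        "subject_issuer": idp_alias,         # assumed alias of the IdP in Keycloak
    })
    return url, body

def make_sample_jwt(claims):
    """Constructed, unsigned sample token for offline testing only."""
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'ES256'})}.{enc(claims)}.c2ln"
```

The form body is sent with Content-Type application/x-www-form-urlencoded; on success Keycloak answers with its own tokens, which the application then uses in place of the Apple token.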