Keycloak Identity Brokering with FusionAuth

Introduction

In this article, we demonstrate how to use FusionAuth as an external Identity Provider (IdP) and authenticate users in your application through Keycloak.

Using Identity Brokering allows you to delegate authentication to external providers such as FusionAuth, Auth0, Okta, etc. Keycloak acts as the broker, your application remains the relying party, and FusionAuth becomes the authentication source.

This article focuses on using FusionAuth as an Identity Provider via the OpenID Connect (OIDC) protocol.

Overview

Below is the high-level sequence when a user logs in through FusionAuth via Keycloak:

  1. The user accesses your application.
  2. Your application redirects the user to Keycloak for authentication.
  3. On the Keycloak login screen, the user selects “FusionAuth”.
  4. Keycloak redirects the user to FusionAuth for login.
  5. The user authenticates at FusionAuth.
  6. FusionAuth redirects back to Keycloak with an authorization code.
  7. Keycloak exchanges the authorization code for an access token at FusionAuth's token endpoint.
  8. Keycloak fetches the user’s FusionAuth profile.
  9. Keycloak creates (or updates) a local user identity.
  10. Keycloak completes the login and redirects the user back to your application with an ID token and/or access token for the OIDC client.

This process allows your application to integrate only with Keycloak, while FusionAuth handles user authentication.
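The broker side of steps 4 through 8 is what makes this delegation safe: Keycloak must tie the callback to the browser session (state), tie the ID token to the login attempt (nonce), and check the token's signature, issuer, audience and expiry before it creates a local user. The following Python script, added here as an illustration and not taken from Keycloak or FusionAuth, walks through that exchange with a constructed stand-in for FusionAuth. The discovery document, client ID and client secret are placeholders; the token is signed with HS256 using the client secret only so that the verification can run offline, and the validation rules are the point.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the discovery document at
# http://localhost:9011/.well-known/openid-configuration (only the fields used here).
DISCOVERY = {
    "issuer": "http://localhost:9011",
    "authorization_endpoint": "http://localhost:9011/oauth2/authorize",
    "token_endpoint": "http://localhost:9011/oauth2/token",
}
# Broker settings from the article; the client credentials are placeholders, not real values.
REALM, ALIAS = "acme", "fusionauth"
CLIENT_ID = "placeholder-client-id"
CLIENT_SECRET = b"placeholder-client-secret"
REDIRECT_URI = f"http://localhost:8080/realms/{REALM}/broker/{ALIAS}/endpoint"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class FakeFusionAuth:
    """Minimal stand-in for the IdP side: hands out a code, then an HS256 ID token."""

    def __init__(self):
        self.codes = {}  # code -> (redirect_uri, nonce) bound at authorization time

    def authorize(self, auth_url: str) -> str:
        """Simulate the user logging in; returns the callback URL of step 6."""
        q = parse_qs(urlparse(auth_url).query)
        code = secrets.token_urlsafe(12)
        self.codes[code] = (q["redirect_uri"][0], q["nonce"][0])
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, code: str, redirect_uri: str, now: float) -> str:
        """Code exchange of step 7: the code is single-use and bound to its redirect_uri."""
        bound_redirect, nonce = self.codes.pop(code)
        if bound_redirect != redirect_uri:
            raise ValueError("redirect_uri mismatch")
        claims = {"iss": DISCOVERY["issuer"], "aud": CLIENT_ID, "sub": "user-123",
                  "email": "alice@example.com", "nonce": nonce, "exp": now + 300}
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps(claims).encode())
        sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"


def start_login(session: dict) -> str:
    """Step 4: the broker builds the redirect to FusionAuth and remembers state and nonce."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email profile", "state": session["state"], "nonce": session["nonce"]}
    return f"{DISCOVERY['authorization_endpoint']}?{urlencode(params)}"


def validate_id_token(token: str, session: dict, now: float) -> dict:
    """The checks a broker must pass before trusting the token it received in step 7."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session.get("nonce"):
        raise ValueError("nonce mismatch")
    return claims


def handle_callback(callback_url: str, session: dict, idp: FakeFusionAuth, now: float) -> dict:
    """Steps 6-8: check state, exchange the code, validate the ID token."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch: callback not tied to this browser session")
    return validate_id_token(idp.token(q["code"][0], REDIRECT_URI, now), session, now)


def run_flow(now: float = None) -> dict:
    """End-to-end happy path; returns the validated claims Keycloak would map to a user."""
    now = time.time() if now is None else now
    idp, session = FakeFusionAuth(), {}
    callback = idp.authorize(start_login(session))
    return handle_callback(callback, session, idp, now)


if __name__ == "__main__":
    print(run_flow())
```

Keycloak does all of this for you once the provider is configured; the script is useful for seeing which value each configuration field feeds (the discovery document supplies issuer and endpoints, the client secret verifies the token, the redirect URL must match exactly) and why a mismatch in any of them fails the login rather than degrading it.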

For more details on Identity Providers, refer to the Keycloak Server Administration Guide.

For this article, we do not use a separate client application. Instead, we demonstrate the flow using Keycloak’s built-in Account Console.

Configuration Steps

Summary of steps

  1. Register the client application in Keycloak (we use the built-in Account Console rather than an external client application)
  2. Configure FusionAuth as OIDC Provider
  3. Configure Keycloak Identity Provider (Broker)
  4. Map user attributes
  5. Test the integration

Configure FusionAuth as OIDC provider

FusionAuth OIDC application snippet

In this article, we use a self-hosted FusionAuth instance running on:

http://localhost:9011

FusionAuth is running via Docker.

Since this is a local setup, both FusionAuth and Keycloak must be reachable on localhost, which is why the URLs below use localhost addresses.

Step 1: Create an Application in FusionAuth

Navigate to:

Applications → Add Application

Fill the essential fields:

  • Name: keycloak-broker-app (arbitrary name)
  • Tenant: default

Click Save.

From the Applications list:

Click the dropdown next to keycloak-broker-app → Select Edit → Go to OAuth tab

Step 2: Enable Grants & specify URLs

✔ Authorization Code
✔ Refresh Token

Authorized Redirect URL

http://localhost:8080/realms/acme/broker/fusionauth/endpoint

This must match the Redirect URL shown in Keycloak when configuring the Identity Provider.

Logout URL

http://localhost:8080/realms/acme/broker/fusionauth/endpoint/logout_response

Save the changes.

Step 3: Obtain client credentials

Inside the same application:

Copy:

  • Client ID
  • Client Secret

You will need these in Keycloak.

Step 4: OIDC discovery URL

FusionAuth provides an OpenID Connect discovery endpoint:

http://localhost:9011/.well-known/openid-configuration

You can verify this URL in a browser.

Configuring Keycloak Identity Broker

  1. Log in to the Keycloak Admin Console.
  2. Select your realm (e.g., acme).
  3. Navigate to:

Identity Providers → Add Provider → OpenID Connect v1.0

Configure Provider

  • Alias: fusionauth
  • Client ID: (from FusionAuth)
  • Client Secret: (from FusionAuth)
  • Discovery Endpoint: http://localhost:9011/.well-known/openid-configuration

Click Show Metadata to auto-populate endpoints.

Click Save.

Make note of the Redirect URL shown in Keycloak — it must match the Authorized Redirect URL configured in FusionAuth.

Mapping Attributes During First Login

To map attributes from FusionAuth to Keycloak:

Navigate to:

Identity Providers → fusionauth → Mappers → Add Mapper

Username Mapper

  • Mapper Type: Attribute Importer
  • Claim: username
  • User Attribute: username

Email Mapper

  • Mapper Type: Attribute Importer
  • Claim: email
  • User Attribute: email

If your FusionAuth token includes given_name and family_name, you may also map:

  • given_name → firstName
  • family_name → lastName

These mappers allow Keycloak to store FusionAuth user attributes in the local user profile.
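As an added illustration of what the mappers above do during the "create or update" step, and not code from Keycloak, the following Python snippet applies the mapper definitions from this section to a constructed set of FusionAuth claims. It shows the two behaviours a practitioner should expect: an optional claim that is absent (here family_name) simply leaves the attribute unset, and the local user is linked on the provider alias plus the token's sub claim, so a later login with a changed email updates the same record instead of creating a second account. The user store and claim values are constructed for the example.

```python
# Attribute Importer mappers as configured above (claim -> Keycloak user attribute),
# including the optional name mappers.
MAPPERS = [
    {"claim": "username", "user_attribute": "username"},
    {"claim": "email", "user_attribute": "email"},
    {"claim": "given_name", "user_attribute": "firstName"},
    {"claim": "family_name", "user_attribute": "lastName"},
]


def apply_mappers(claims: dict, mappers=MAPPERS) -> dict:
    """Import only claims that are present and non-empty; absent optional claims are skipped."""
    attrs = {}
    for m in mappers:
        value = claims.get(m["claim"])
        if value not in (None, ""):
            attrs[m["user_attribute"]] = value
    return attrs


def upsert_brokered_user(users: dict, alias: str, claims: dict) -> tuple:
    """Create-or-update keyed on (alias, sub); returns (user record, created?).

    Linking on sub rather than on email avoids a duplicate account when the
    email at the IdP changes, and avoids attaching the login to someone else's
    account if two providers ever present the same email.
    """
    key = (alias, claims["sub"])
    attrs = apply_mappers(claims)
    if key in users:
        users[key].update(attrs)  # later logins refresh the imported attributes
        return users[key], False
    users[key] = dict(attrs)
    return users[key], True


def demo() -> dict:
    """Two logins by the same FusionAuth user; constructed claims, not real data."""
    users = {}
    first = {"sub": "user-123", "username": "alice", "email": "alice@example.com",
             "given_name": "Alice"}  # no family_name claim
    upsert_brokered_user(users, "fusionauth", first)
    second = dict(first, email="alice.new@example.com")  # email changed at the IdP
    upsert_brokered_user(users, "fusionauth", second)
    return users


if __name__ == "__main__":
    print(demo())
```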

Test the integration

Use the Keycloak Account Console:

http://localhost:8080/realms/<realm_name>/account

Example:

http://localhost:8080/realms/acme/account

Test Flow

  1. Access the Account Console URL.
  2. You will be redirected to the Keycloak login page.
  3. You should see a “FusionAuth” login option.
  4. Click FusionAuth.
  5. You are redirected to the FusionAuth login page.
  6. Enter FusionAuth credentials.
  7. After successful authentication, FusionAuth redirects back to Keycloak.
  8. Keycloak exchanges the authorization code and creates a local user (on first login).
  9. Authentication completes and you are redirected to the Account Console.

Summary

In this article, we implemented Identity Brokering using a local instance of Keycloak and FusionAuth.

When FusionAuth is publicly accessible, you can use a managed Keycloak platform such as Skycloak instead of a local Keycloak installation.

This setup enables:

  • Centralized authentication management in FusionAuth
  • Applications integrating only with Keycloak
  • Clean separation of authentication and application logic
  • Standards-based OpenID Connect federation

About Skycloak

If you’re new to Skycloak, visit the Skycloak Getting Started Guide to learn more about securing your Keycloak deployments.

Skycloak is a fully managed Keycloak platform hosted in the cloud. It enables organizations to leverage the power of open-source Keycloak IAM without the operational overhead of installing, maintaining, and scaling production-grade Keycloak environments—delivered securely and cost-effectively.

© 2026 All Rights Reserved. Made by Yasser