JWT Authorization Grant in Keycloak with External IdP

George Thomas · 3 min read

Introduction

Keycloak supports the JWT Authorization Grant flow (the urn:ietf:params:oauth:grant-type:jwt-bearer grant defined in RFC 7523), which allows a client to present a JWT issued by a trusted external issuer and receive a Keycloak access token in return, without a direct user login at Keycloak.

This is particularly useful when:

  • You already trust an external Identity Provider (IdP)
  • You want backend-to-backend authentication
  • You want to avoid browser-based login flows

In this article, we demonstrate how to use this grant with an external IdP, using Auth0 as the example.

Overview

The JWT Authorization Grant request looks like this (replace the hostname, realm, client credentials and assertion with your own values):

curl -X POST "https://keycloak-hostname/realms/your-realm/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" \
  -d "client_id=custom-client" \
  -d "client_secret=the-client-secret" \
  -d "assertion=bearer-token-value"

Here:

  • assertion → JWT issued by external IdP
  • Keycloak validates and exchanges it for a new access token

Architecture

Auth0 (Token Issuer)
        ↓
JWT (id_token / access_token)
        ↓
Keycloak (Validation via JWKS)
        ↓
Keycloak Access Token

For more details, please refer to this link.

How Keycloak Trusts External Tokens

To validate the JWT, Keycloak requires the issuer to be configured as an Identity Provider.

Why this is required

Even without login redirects, Keycloak uses the IdP configuration for:

  • Signature validation (keys fetched from the IdP's JWKS endpoint)
  • Issuer trust (the iss claim of the assertion must match the configured issuer)
  • User mapping (linking the assertion's subject to a Keycloak user)

Step 1: Configure Identity Provider

In Keycloak:

Realm → Identity Providers → OpenID Connect v1.0

Configure Auth0 with:

  • Issuer URL
  • JWKS endpoint

If you are new to Identity Brokering, please refer to this article, although some of its steps are not required here.

Step 2: Important Settings

On the identity provider, enable:

JWT Authorization Grant = ON

and, only if the incoming JWT carries no jti claim, also enable:

Allow assertion reuse = ON

⚠️ Note

Keycloak uses the jti claim to detect an assertion being presented more than once. If the issuer does not include jti, the grant only works with assertion reuse allowed.

However:

  • This reduces replay protection: a captured assertion can be exchanged again until it expires
  • Not recommended for production systems; prefer having the issuer emit a unique jti and keeping reuse OFF

(Screenshot: Identity Provider configuration)

Step 3: Obtain JWT from Auth0

Create an application in Auth0 and retrieve a token.

In my case:

  • I used a Spring Boot application to authenticate with Auth0
  • Retrieved both:
    • access_token
    • id_token

⚠️ Important Observation

The access_token from Auth0 contained multiple audiences:

"aud": [
  "custom-ext-client",
  "https://your-domain.auth0.com/userinfo"
]

This is not accepted by Keycloak, as it expects a single audience.
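As an added example (not code from the article, Keycloak or Auth0), the following Python script performs the checks this article describes before an assertion is sent: it decodes the JWT payload without verifying the signature (Keycloak does that against the IdP's JWKS), reports a multi-valued aud like the one above, a missing jti as discussed under Step 2, an issuer mismatch and expiry, and builds the jwt-bearer token request from the Overview. The issuer, audience, hostnames, the HS256 demo key and the two sample tokens are constructed placeholders; exchange() performs the real network call and is not exercised here.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request

# Assumed placeholders (not values from the article): what the Keycloak IdP is configured with.
ISSUER = "https://your-domain.auth0.com/"
AUDIENCE = "custom-ext-client"
NOW = 1_700_000_000  # fixed clock so the constructed samples below evaluate deterministically

EXPLANATIONS = {
    "iss-mismatch": "iss does not match the issuer configured on the Keycloak identity provider",
    "aud-multi": "aud is multi-valued; Keycloak expects a single audience in the assertion",
    "aud-mismatch": "aud does not match the audience mapped in Keycloak",
    "jti-missing": "no jti: Keycloak cannot detect replay, so 'Allow assertion reuse' would have to be ON",
    "exp-missing": "no exp claim",
    "exp-past": "assertion already expired",
}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Split a compact JWS and return its payload claims WITHOUT verifying the signature.
    Signature verification against the IdP's JWKS is Keycloak's job; this is a claims preflight only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def preflight(jwt, expected_issuer, expected_audience, now=None):
    """Return problem codes that would make Keycloak reject this assertion or force a weaker
    IdP configuration. An empty list means the claims look acceptable."""
    now = time.time() if now is None else now
    claims = decode_claims(jwt)
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss-mismatch")
    aud = claims.get("aud")
    if isinstance(aud, list) and len(aud) != 1:
        problems.append("aud-multi")          # the Auth0 access_token case from the article
    else:
        single = aud[0] if isinstance(aud, list) else aud
        if single != expected_audience:
            problems.append("aud-mismatch")
    if "jti" not in claims:
        problems.append("jti-missing")        # the case that needs 'Allow assertion reuse'
    exp = claims.get("exp")
    if exp is None:
        problems.append("exp-missing")
    elif exp <= now:
        problems.append("exp-past")
    return problems


def token_request(keycloak_base, realm, client_id, client_secret, assertion):
    """Build the jwt-bearer token request from the Overview: endpoint URL plus form fields."""
    url = f"{keycloak_base.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": assertion,
    }
    return url, form


def exchange(url, form, timeout=10):
    """POST the form to Keycloak's token endpoint and return the parsed JSON body (network call)."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def _hs256_jwt(payload, key=b"constructed-demo-key"):
    """Constructed sample only: HS256-sign a payload so the token has a real 3-segment JWS shape.
    Keycloak would reject it (wrong key and alg for the IdP); it exists so the checks run offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


# Constructed to mirror the Auth0 access_token described above: two audiences, no jti.
SAMPLE_ACCESS_TOKEN = _hs256_jwt({
    "iss": ISSUER, "sub": "auth0|user", "exp": NOW + 3600,
    "aud": ["custom-ext-client", "https://your-domain.auth0.com/userinfo"],
})
# Constructed to mirror the id_token workaround: single audience, still no jti.
SAMPLE_ID_TOKEN = _hs256_jwt({
    "iss": ISSUER, "sub": "auth0|user", "exp": NOW + 3600, "aud": "custom-ext-client",
})

if __name__ == "__main__":
    for name, tok in (("access_token", SAMPLE_ACCESS_TOKEN), ("id_token", SAMPLE_ID_TOKEN)):
        codes = preflight(tok, ISSUER, AUDIENCE, now=NOW)
        print(name, "->", codes or "ok")
        for code in codes:
            print("   ", EXPLANATIONS[code])
    url, form = token_request("https://keycloak-hostname", "your-realm",
                              "custom-client", "the-client-secret", SAMPLE_ID_TOKEN)
    print(url)  # exchange(url, form) would perform the real request against Keycloak
```

Run the preflight against the real token from your IdP before touching the Keycloak settings: an aud-multi result means the access_token needs reconfiguring at the issuer (or a different token), and a jti-missing result tells you in advance that the grant will only work with assertion reuse allowed.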


Workaround Used

I used the id_token instead because:

  • It contained a single audience
  • It passed Keycloak validation

In Keycloak (while doing Step 4), I configured a custom audience mapping:

Key   → auth0
Value → <Auth0 client ID> (the audience value in my case)

⚠️ Recommendation

  • An id_token is intended for authenticating the client that requested it, not for authorizing access to another system
  • For production systems, prefer:
    • a properly configured access_token (a single audience in the assertion)
    • or Token Exchange

Step 4: Configure Keycloak Client

Create a client in Keycloak:

  • Client Type: Confidential
  • Enable: JWT Authorization Grant

Then configure:

Allowed Identity Providers = auth0

(Screenshot: OIDC client settings)

Test the Flow

  1. Obtain JWT from Auth0
  2. Execute the curl request (specified in the Overview section)

If everything is configured correctly, Keycloak will return a JSON response containing:

  • Access token

When is This Useful?

This approach is useful in:

  • Backend-to-backend authentication
  • Token federation across IAM systems
  • Microservices architectures with multiple IdPs
  • Gradual IAM migration scenarios

Summary

In this article, we explored how to use the JWT Authorization Grant in Keycloak with an external Identity Provider.

Key takeaways:

  • Keycloak strictly validates JWT structure
  • Audience must be single-valued
  • IdP configuration is mandatory
  • id_token can be used for experimentation, but not ideal for production

In another article, I will try using custom JWTs issued by a Node.js application.


About Skycloak

Skycloak is a fully managed Keycloak platform hosted in the cloud. It enables organizations to leverage the power of open-source Keycloak IAM without the operational overhead of installing, maintaining, and scaling production-grade Keycloak environments — delivered securely and cost-effectively.

If you’re new to Skycloak, visit the Skycloak Getting Started Guide to learn more.

George Thomas
Written by George Thomas IAM Engineer

George is an IAM engineer with 23+ years in software engineering, including 14+ years specializing in identity and access management. He designs and modernizes enterprise IAM platforms with deep expertise in Keycloak, OAuth 2.0, OpenID Connect, SAML, and identity federation across cloud and hybrid environments. Previously at Trianz and a long-term contributor to Entrust IAM product engineering, George authors Skycloak's technical Keycloak tutorials.

Ready to simplify your authentication?

Deploy production-ready Keycloak in minutes. Unlimited users, flat pricing, no SSO tax.

© 2026 Skycloak. All Rights Reserved. Design by Yasser Soliman