Hello,

we use Keycloak as IDP for our APIs and I want to get rid of the static username & password login flows used for testing in CI pipelines. My idea is to use the tokens provided by CircleCI or GitHub in order to exchange those for a JWT from our Keycloak with suitable roles set to run a test.

It seems to me like Keycloak Token Exchange - external to internal should be able to solve this, but I can't add the CircleCI IDP to Keycloak.

My problem is in the "Add OpenID Connect v1.0 provider" screen:

CircleCI provides only an issuer and jwks_uri but not an authorization or token URL and it also doesn't require client ID or secret.

The .well-known/openid-configuration of the CircleCI IDP looks like this:

{
    "claims_supported": [
        "aud",
        "sub",
        "iss",
        "iat",
        "exp",
        "oidc.circleci.com/project-id",
        "oidc.circleci.com/context-ids",
        "oidc.circleci.com/vcs-ref",
        "oidc.circleci.com/vcs-origin"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "issuer": "https://oidc.circleci.com/org/OUR-ACCOUNT-UUID",
    "jwks_uri": "https://oidc.circleci.com/org/OUR-ACCOUNT-UUID/.well-known/jwks-pub.json",
    "request_uri_parameter_supported": false,
    "response_types_supported": [
        "id_token"
    ],
    "scopes_supported": [
        "openid"
    ],
    "service_documentation": "https://circleci.com/docs/2.0/openid-connect-tokens/",
    "subject_types_supported": [
        "public",
        "pairwise"
    ]
}

So my questions are:

1. What is the way to implement token exchange via OIDC ID token and checking / mapping the claims set in the ID token against rules or users set in Keycloak?
2. How to add the CircleCI IDP with the given limited (JWKS only) features to Keycloak?