
Modifying First Broker Login Flow

The First Broker Login flow is used during the first login with some identity provider. The term First
Login means that there is not yet an existing Keycloak account linked with the particular
authenticated identity provider account. For more details about this flow see the Identity
Brokering chapter in the Server Administration Guide.

Authentication of clients
Keycloak supports pluggable authentication for OpenID Connect client applications.
Authentication of the client (application) is used under the hood by the Keycloak adapter when
sending any backchannel request to the Keycloak server (such as the request to exchange the code
for an access token after successful authentication, or the request to refresh a token). But client
authentication can also be used directly by you during Direct Access Grants (represented by the
OAuth2 Resource Owner Password Credentials Flow) or during Service Account authentication
(represented by the OAuth2 Client Credentials Flow).

For more details about Keycloak adapter and OAuth2 flows see Securing Applications and
Services Guide.

Default implementations
Keycloak currently has 2 default implementations of client authentication:

Traditional authentication with client_id and client_secret

This is the default mechanism mentioned in the OpenID Connect and OAuth2 specifications,
and Keycloak has supported it since its early days. A public client needs to include a
client_id parameter with its ID in the POST request (so it is de facto not authenticated),
and a confidential client needs to include an Authorization: Basic header with the clientId
and clientSecret used as username and password.
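The following is an added illustration (not Keycloak's own code) of the two requests described above and of the Direct Access Grant and Service Account grants mentioned earlier: it builds the form body and headers a public client (client_id in the body) and a confidential client (Authorization: Basic header) would send to the token endpoint, and a server-side check of the Basic header with a constant-time secret comparison. The endpoint URL, client ID and secret are constructed sample values; the function names are assumptions for this example.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote, urlencode

# Constructed sample values; hypothetical realm, client ID and secret.
TOKEN_ENDPOINT = "https://keycloak.example.com/realms/demo/protocol/openid-connect/token"
CLIENT_ID = "my-app"
CLIENT_SECRET = "s3cr3t-value"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization: Basic value for a confidential client.

    RFC 6749 section 2.3.1: client_id and client_secret are form-urlencoded
    before being joined with ':' and base64-encoded, so a ':' or '/' inside a
    secret cannot break the encoding.
    """
    credentials = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(credentials.encode("ascii")).decode("ascii")


def build_token_request(grant_type: str, client_id: str,
                        client_secret: Optional[str] = None,
                        **params: str) -> Tuple[Dict[str, str], str]:
    """Return (headers, form_body) for a POST to the token endpoint.

    Public client (no secret): client_id travels in the form body only.
    Confidential client: credentials travel in Authorization: Basic.
    """
    required_by_grant = {
        "authorization_code": ("code", "redirect_uri"),  # code-to-token exchange
        "password": ("username", "password"),            # Direct Access Grant
        "client_credentials": (),                         # Service Account
    }
    if grant_type not in required_by_grant:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    if grant_type == "client_credentials" and client_secret is None:
        raise ValueError("client_credentials needs a confidential client")
    required = required_by_grant[grant_type]
    missing = [p for p in required if p not in params]
    if missing:
        raise ValueError(f"{grant_type} grant is missing {missing}")

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    fields = {"grant_type": grant_type}
    fields.update({k: params[k] for k in required})
    if client_secret is None:
        fields["client_id"] = client_id           # public client: identified only
    else:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    return headers, urlencode(fields)


def verify_basic_auth(header_value: str,
                      registered_clients: Dict[str, str]) -> Optional[str]:
    """Server-side check of an Authorization: Basic header.

    Returns the client_id on success, None otherwise. The secret comparison is
    constant-time and always runs, so an unknown client_id costs about the same
    as a wrong secret for a known one.
    """
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    raw_id, sep, raw_secret = decoded.partition(":")
    if not sep:
        return None
    client_id, secret = unquote(raw_id), unquote(raw_secret)
    expected = registered_clients.get(client_id, "")
    ok = hmac.compare_digest(secret.encode("utf-8"), expected.encode("utf-8"))
    return client_id if ok and expected else None


if __name__ == "__main__":
    # Public client exchanging an authorization code (sample values).
    print(build_token_request("authorization_code", CLIENT_ID,
                              code="sample-code", redirect_uri="https://app.example.com/cb"))
    # Confidential client using the Client Credentials grant.
    hdrs, body = build_token_request("client_credentials", CLIENT_ID, CLIENT_SECRET)
    print(hdrs, body)
    print(verify_basic_auth(hdrs["Authorization"], {CLIENT_ID: CLIENT_SECRET}))
```

The request builder never sends anything; pair it with any HTTP client to POST the body to TOKEN_ENDPOINT. Note that the public-client form carries no proof of identity, which is exactly why the text calls it de facto unauthenticated, while the server-side check rejects malformed base64, a missing ':' separator and any secret mismatch with the same None result.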
