@graziang Did you manage to have successfully working external-to-internal token exchange with Facebook token and with ExternalToInternalTokenExchangeProvider ? I have some doubts it would work with your PR as the FacebookIdentityProvider does not implement exchangeExternalTokenV2Impl method in your PR. I see the change in doGetFederatedIdentity(), which is the method triggered during classic "Login with Facebook", but not during token exchange AFAIK. It may seem to me that this method does not need to be changed anyhow?

I think that right now, the steps for testing this might be like:

• Start KC server with ./kc.sh start-dev --features=admin-fine-grained-authz:v1,token-exchange-external-internal:v2
• Setup Facebook IDP in some realm and issue Facebook token somehow (Might be probably through Keycloak login and user clicking to "Login to Facebook")
• Setup some client and FGAP:v1 for external-to-internal as mentioned in the external-to-internal docs (I think we will need to get rid of FGAP being required like we have for standard token exchange, but right now, it is still required in ExternalToInternalTokenExchangeProvider ).
• Exchange external to internal as described in the docs for external-internal and make sure that ExternalToInternalTokenExchangeProvider was triggered and Keycloak token was issued successfully based on Facebook token and verification took place.

@mposolda Thanks for the review, I messed up the requirements. I've updated the PR and successfully tested everything manually.