Description
In IDOT TREC, we needed to call the Keycloak token endpoint to exchange the authorization code for access and refresh tokens:
https://github.com/ncsa/idot-pma/blob/dc94269453cbfba5ef7dd2802f3f1d8be1aa849c/backend/clowder/users.py#L153-L160
The issue was that even though the login was successful with Keycloak, the user was never created in Mongo, so Clowder wasn’t aware of the existing Keycloak user. We need to trigger this logic outside of Clowder, from the TREC side:
clowder2/backend/app/routers/keycloak.py, lines 147 to 149 in 898bcd2:

    matched_user = await UserDB.find_one(UserDB.email == email)
    if matched_user is None:
        await user.insert()
I think we can reuse the logic of the /api/v2/auth endpoint in a new /api/v2/auth/token endpoint for external applications that use Clowder as a dependency. This new endpoint would simply return whatever Keycloak returns for a given authorization code. That way, instead of calling keycloak_openid.token(...) directly from the TREC backend to get access and refresh tokens, we could call Clowder’s /api/v2/auth/token endpoint, which wraps the Keycloak endpoint but also ensures user records are created in Mongo.
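A sketch of what the proposed /api/v2/auth/token logic would do, as an added example that is not clowder2 or TREC code: the Keycloak client and the user store are constructed stand-ins (python-keycloak's KeycloakOpenID exposes token() and userinfo() with these shapes; UserStore mimics the UserDB find_one/insert pair), and the route is left out so the exchange-and-ensure-user step can run on its own.

```python
"""Proposed code-exchange wrapper: return Keycloak's token response unchanged,
but make sure a user record exists before handing the tokens back."""
from dataclasses import dataclass, field


@dataclass
class FakeKeycloak:
    """Constructed stand-in for keycloak_openid (assumption, not the real client)."""
    codes: dict   # authorization code -> token response Keycloak would return
    users: dict   # access token -> userinfo claims for that token

    def token(self, code, redirect_uri, grant_type="authorization_code"):
        try:
            return dict(self.codes.pop(code))   # a code is single-use
        except KeyError:
            raise ValueError("invalid or already-used authorization code")

    def userinfo(self, access_token):
        return self.users[access_token]


@dataclass
class UserStore:
    """Constructed in-memory stand-in for the UserDB Mongo collection."""
    users: dict = field(default_factory=dict)

    def find_one(self, email):
        return self.users.get(email)

    def insert(self, user):
        self.users[user["email"]] = user


def exchange_code(keycloak, store, code, redirect_uri):
    """Exchange the code, ensure the user exists, return Keycloak's response as-is."""
    tokens = keycloak.token(code, redirect_uri)
    # The identity is taken from Keycloak's own answer for the freshly issued
    # token, never from anything the caller sent alongside the code.
    claims = keycloak.userinfo(tokens["access_token"])
    email = claims["email"]
    if store.find_one(email) is None:
        store.insert({
            "email": email,
            "first_name": claims.get("given_name", ""),
            "last_name": claims.get("family_name", ""),
        })
    return tokens
```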