Has any tried out these steps documented in Securing Applications and Services Guide ? I have a client that needs to impersonate a user and these steps did not help, so in addition you will notice that the same policy has been added to scope “impersonate” in addition to the documentation which asked to add the policy under scope “user-impersonated”. Neither of helped, can some one point me to the steps needed to fix this to allow naked impersonation?
Realm/client/policy/user details in the attached picture.
Query:
curl -k -X POST
–header ‘Content-Type: application/x-www-form-urlencoded’
–data-urlencode “client_id=starting-client”
–data-urlencode “client_secret=031dce0a-d41b-43ce-aa95-d54b9081937e”
–data-urlencode “grant_type=urn:ietf:params:oauth:grant-type:token-exchange”
–data-urlencode “requested_subject=target-user”
https://localhost:8543/auth/realms/target_realm/protocol/openid-connect/token
Response:
{“error”:“access_denied”,“error_description”:“Client not allowed to exchange”}
Server logs:
22:40:08,396 WARN [org.keycloak.events] (default task-149) type=TOKEN_EXCHANGE_ERROR, realmId=target_realm, clientId=starting-client, userId=null, ipAddress=172.17.0.1, error=not_allowed, reason=‘client not allowed to impersonate’, auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, requested_subject=target-user, client_auth_method=client-secret
1 Like
Steps documented in Securing Applications and Services Guide is incorrect, instead of user-impersonated scope just use scope “impersonate” and it worked fine.
3 Likes
Drane
August 6, 2021, 12:37pm
3
@ceejayrao Is that all you did?
If I try your config in screenshots (which matches the one in the keyloak docs), even with changing the “user-impersonated” scope to “impersonate” like this:
I still receive:
λ curl -X POST -d "client_id=eco-uma-be-api" -d "client_secret=ea99b160-ed89-4b8a-8d3e-3dd7814ae35d" --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" -d "requested_subject=1e4ddf3d-f5d2-4085-81eb-86bdf363d01d" http://localhost:8080/auth/realms/master/protocol/openid-connect/token
{"error":"access_denied","error_description":"Client not allowed to exchange"}
And on the back-end:
14:33:42,367 WARN [org.keycloak.events] (default task-4) type=TOKEN_EXCHANGE_ERROR, realmId=master, clientId=eco-uma-be-api, userId=null, ipAddress=127.0.0.1, error=not_allowed, reason='client not allowed to impersonate', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, requested_subject=1e4ddf3d-f5d2-4085-81eb-86bdf363d01d, client_auth_method=client-secret
Did you do something else to make this work? Does the user you want to impersonate need a specific role mapping perhaps?
@Drane @ceejayrao
I am facing same issue -
did you found any resolution on this? if so can you please let me know what you do to fix this?
{
"error": "access_denied",
"error_description": "Client not allowed to exchange"
}