Direct Naked Impersonation

Has any tried out these steps documented in Securing Applications and Services Guide? I have a client that needs to impersonate a user and these steps did not help, so in addition you will notice that the same policy has been added to scope “impersonate” in addition to the documentation which asked to add the policy under scope “user-impersonated”. Neither of helped, can some one point me to the steps needed to fix this to allow naked impersonation?

Realm/client/policy/user details in the attached picture.

curl -k -X POST
–header ‘Content-Type: application/x-www-form-urlencoded’
–data-urlencode “client_id=starting-client”
–data-urlencode “client_secret=031dce0a-d41b-43ce-aa95-d54b9081937e”
–data-urlencode “grant_type=urn:ietf:params:oauth:grant-type:token-exchange”
–data-urlencode “requested_subject=target-user”
{“error”:“access_denied”,“error_description”:“Client not allowed to exchange”}

Server logs:
22:40:08,396 WARN [] (default task-149) type=TOKEN_EXCHANGE_ERROR, realmId=target_realm, clientId=starting-client, userId=null, ipAddress=, error=not_allowed, reason=‘client not allowed to impersonate’, auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, requested_subject=target-user, client_auth_method=client-secret


Steps documented in Securing Applications and Services Guide is incorrect, instead of user-impersonated scope just use scope “impersonate” and it worked fine.


@ceejayrao Is that all you did?

If I try your config in screenshots (which matches the one in the keyloak docs), even with changing the “user-impersonated” scope to “impersonate” like this:

I still receive:

λ curl -X POST -d "client_id=eco-uma-be-api" -d "client_secret=ea99b160-ed89-4b8a-8d3e-3dd7814ae35d" --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" -d "requested_subject=1e4ddf3d-f5d2-4085-81eb-86bdf363d01d" http://localhost:8080/auth/realms/master/protocol/openid-connect/token
{"error":"access_denied","error_description":"Client not allowed to exchange"}

And on the back-end:

14:33:42,367 WARN  [] (default task-4) type=TOKEN_EXCHANGE_ERROR, realmId=master, clientId=eco-uma-be-api, userId=null, ipAddress=, error=not_allowed, reason='client not allowed to impersonate', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, requested_subject=1e4ddf3d-f5d2-4085-81eb-86bdf363d01d, client_auth_method=client-secret

Did you do something else to make this work? Does the user you want to impersonate need a specific role mapping perhaps?

@Drane @ceejayrao
I am facing same issue -
did you found any resolution on this? if so can you please let me know what you do to fix this?


"error": "access_denied",

"error_description": "Client not allowed to exchange"