During token exchange, Keycloak's policy doesn't use the roles in the token

Was exploring token exchange, so I set a role policy on token exchange, to only permit token exchange for a foo client if in possession of role bar:token-exchange.

Since bar is going to always do token exchange, I used a hardcoded role, set up as a mapper, in bar, so that I don’t have to set it all the time for every user, but the policy never triggers, because even though bar’s token has bar:token-exchange, that isn’t part of the evaluation when Keycloak evaluates the policy for token exchange.

(I’m using this role as a proxy for “only bar tokens can be exchanged”. I know I could use a client policy, but a client policy means it could use any other client’s token for the exchange, but I only want to allow exchange using bar’s tokens.)

Should this be considered a bug?

Wait… or is the policy for the token-exchange meant to refer to the roles available in the outgoing, about-to-be-minted token?

Like if I’m exchanging a bar token for a foo token, the role must be available in the foo token?
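A small diagnostic, added here as an example and not part of the original post, for checking what the subject token actually carries before reasoning about why the policy does or does not match: it decodes the JWT payload and looks for the client role under `resource_access.<client>.roles`, which is where Keycloak places client roles, and separately checks the `azp` (authorized party) claim that names the client the token was issued to. The token, realm URL and signature segment are constructed placeholders. Decoding does not verify the signature, so this is for inspection only and must not be used to make an authorization decision.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    # Return the payload claims WITHOUT verifying the signature.
    # Inspection only: never base an access decision on unverified claims.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def has_client_role(claims: dict, client_id: str, role: str) -> bool:
    # Keycloak exposes client roles as resource_access.<client_id>.roles;
    # "bar:token-exchange" in the policy UI corresponds to client "bar", role "token-exchange".
    roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return role in roles


def issued_to_client(claims: dict, client_id: str) -> bool:
    # azp names the client the token was issued to; useful when the intent is
    # "only tokens issued to bar may be exchanged".
    return claims.get("azp") == client_id


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: header, claims and a placeholder signature for the demo only.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "demo-key"}
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example/realms/demo",  # placeholder realm URL
    "azp": "bar",
    "aud": "bar",
    "resource_access": {"bar": {"roles": ["token-exchange"]}},
}
BAR_TOKEN = f"{_b64url_encode(SAMPLE_HEADER)}.{_b64url_encode(SAMPLE_CLAIMS)}.placeholder-signature"


if __name__ == "__main__":
    claims = jwt_claims(BAR_TOKEN)
    print("issued to bar:", issued_to_client(claims, "bar"))
    print("has bar:token-exchange:", has_client_role(claims, "bar", "token-exchange"))
    print("has foo:token-exchange:", has_client_role(claims, "foo", "token-exchange"))
```

Running it against a real bar access token (paste it in place of `BAR_TOKEN`) shows whether the hardcoded-role mapper actually lands in `resource_access.bar.roles`, which separates "the claim is missing from the token" from "the claim is present but the policy evaluates something else".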