Impersonate right procedure

Hi,
I’m in this situation:

Keycloak 26.0.1 with token-exchange feature enabled in a docker container.
Front-end: ReactJS with the react-oidc-context library and a client in Keycloak (standard flow)
Back-end: Spring Boot 3.3.x and a client in Keycloak (direct access, service account roles)
Everything works just fine. Now I’d like to add the impersonation feature, so that an admin can log in to the app and impersonate a user for support purposes.
I enabled the token exchange feature and added the impersonate role to a user who is an admin.
I’d like to have the token from the backend, so my very simple flow would be:
1. From the frontend, the admin user logs in.
2. Call a backend API which gives back the access token, refresh token, etc. of the newly selected user.
3. Replace the current one with the new one, reload, and you are in as the new user.

The API at the moment calls Keycloak, but with the back-end client ID, and I’m not sure that is correct.
I made some tests using Postman and it seemed to work, but when implemented in the front end it does not work.
Basically, with Postman I first call this:

/realms/{realm}/protocol/openid-connect/token

with:
grant_type: password
client_id: the backend
username, password of the admin user
client_secret

I got the access_token, refresh_token, and other info in the usual Keycloak response.

Then I call the same endpoint but with this info:

grant_type: urn:ietf:params:oauth:grant-type:token-exchange
client_id: the backend
subject_token: the one received before
request_subject: the id of the user I want to impersonate
client_secret, same as before

This works just fine.
If I make the same call via my React app, it does not work; it says: Client is not within the token audience.
Now I think it happens (but I’m a newbie) because the token I pass to the second call was created with the frontend client.

What is the right procedure, or what am I missing or doing wrong?

Thanks a million
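
A diagnostic for the error quoted in the post, as an added example that is not part of the original post: it decodes an access token's payload and reports whether a given client is the token's `azp` or is listed in `aud` before that token is sent as `subject_token`. The client IDs `frontend-app` and `backend-api`, the sample tokens, and the rule that a matching `azp` is also accepted are assumptions; the signature is not verified, so this is for inspection only.

```javascript
// Added example (Node.js). Inspection only: the JWT signature is NOT verified.
// "frontend-app" and "backend-api" are hypothetical client IDs.

// Decode the payload (second segment) of a compact JWT.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// "aud" may be absent, a single string, or an array of strings.
function audiences(claims) {
  if (claims.aud === undefined || claims.aud === null) return [];
  return Array.isArray(claims.aud) ? claims.aud : [claims.aud];
}

// Report whether clientId appears as the token's azp or in its aud.
// Assumption: either condition lets the client present the token as subject_token.
function checkSubjectToken(jwt, clientId) {
  const claims = decodeJwtPayload(jwt);
  const aud = audiences(claims);
  const issuedToCaller = claims.azp === clientId;
  const inAudience = aud.includes(clientId);
  return { azp: claims.azp, aud, issuedToCaller, inAudience, ok: issuedToCaller || inAudience };
}

// Build an unsigned, constructed sample token so the example runs offline.
function makeSampleJwt(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.constructed`;
}

// Constructed samples: token obtained through the front-end client (the React case),
// token obtained through the back-end client (the Postman case),
// and a front-end token whose aud also lists the back-end.
const samples = {
  viaFrontend: makeSampleJwt({ azp: "frontend-app", aud: "account" }),
  viaBackend: makeSampleJwt({ azp: "backend-api", aud: ["account"] }),
  frontendWithAud: makeSampleJwt({ azp: "frontend-app", aud: ["account", "backend-api"] }),
};

for (const [name, jwt] of Object.entries(samples)) {
  const r = checkSubjectToken(jwt, "backend-api");
  console.log(`${name}: azp=${r.azp} aud=${JSON.stringify(r.aud)} ok=${r.ok}`);
}
```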