I'm working on an internal application which uses Keycloak for user auth.
I have run into problems while getting the exchange token from Keycloak.
In the Keycloak dashboard I've set up Azure as identity provider, with a token-exchange policy for the my-app client within my-realm.
At this point, after signing in to the app, I can get a JWT access_token from Azure with the User.Read permission.
I am then asking Keycloak to exchange it for its own tokens within the realm, so that the app can go back to a "normal" auth flow:
curl --location --request POST 'http://localhost:8080/auth/realms/openapi/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=my-app' \
  --data-urlencode 'client_secret={secret from client}' \
  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
  --data-urlencode 'subject_token={Access token}' \
  --data-urlencode 'subject_issuer=microsoft' \
  --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token' \
  --data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token'
but I get the error below:
15:29:05,144 WARN [org.keycloak.events] (default task-1) type=TOKEN_EXCHANGE_ERROR, realmId=ae36dfed-f6be-46e0-a29d-d38b8798da48, clientId=cytricapi, userId=null, ipAddress=127.0.0.1, error=invalid_token, reason='user info service disabled', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, subject_issuer=azureAd, validation_method='user info', client_auth_method=client-secret
Please help with the same.
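As an added example (not code from the original post or from Keycloak), the `org.keycloak.events` log line quoted above can be parsed into structured fields so that failed token exchanges are easy to spot and triage; the second LOGIN line in the sample is constructed for contrast, and the field layout (`key=value` pairs, quoted values for strings with spaces) is assumed from the one line in the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: the first line is the TOKEN_EXCHANGE_ERROR line from
# the post; the second is a made-up LOGIN event so the filter has something to skip.
SAMPLE_LOG = """\
15:29:05,144 WARN [org.keycloak.events] (default task-1) type=TOKEN_EXCHANGE_ERROR, realmId=ae36dfed-f6be-46e0-a29d-d38b8798da48, clientId=cytricapi, userId=null, ipAddress=127.0.0.1, error=invalid_token, reason='user info service disabled', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, subject_issuer=azureAd, validation_method='user info', client_auth_method=client-secret
15:29:07,002 INFO [org.keycloak.events] (default task-2) type=LOGIN, realmId=ae36dfed-f6be-46e0-a29d-d38b8798da48, clientId=cytricapi, userId=42, ipAddress=127.0.0.1, auth_method=openid-connect
"""

# Line prefix: timestamp, level, logger category, thread name, then the fields.
EVENT_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<level>\w+)\s+\[org\.keycloak\.events\]\s+"
    r"\((?P<thread>[^)]*)\)\s+(?P<fields>.*)$"
)
# One key=value field; quoted values may contain commas, plain ones may not.
FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|\u2018([^\u2019]*)\u2019|([^,]*))")


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one Keycloak event log line into a dict, or None if it is not one."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event = {"time": m.group("time"), "level": m.group("level"), "thread": m.group("thread")}
    for key, q1, q2, plain in FIELD_RE.findall(m.group("fields")):
        event[key] = q1 or q2 or plain
    return event


TRIAGE_FIELDS = ("time", "clientId", "subject_issuer", "error", "reason",
                 "validation_method", "ipAddress")


def token_exchange_failures(log_text: str) -> List[Dict[str, str]]:
    """Return only TOKEN_EXCHANGE_ERROR events, reduced to the fields an operator
    needs: which client and identity provider failed, and why."""
    failures = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("type") == "TOKEN_EXCHANGE_ERROR":
            failures.append({k: ev.get(k, "") for k in TRIAGE_FIELDS})
    return failures


if __name__ == "__main__":
    for failure in token_exchange_failures(SAMPLE_LOG):
        print(failure)
```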