I’m working on a token-exchange request in Keycloak, wherein I am trying to get the access token of client2 while being authenticated with client1.
I have enabled token_exchange and admin_fine_grained_authz on the Keycloak instance.
I followed the documentation from the Securing Applications and Services Guide.
When I hit the API for token exchange as follows:
curl --location 'http://<URL>/realms/Genting/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=client2' \
--data-urlencode 'client_secret=<client2 secret>' \
--data-urlencode 'subject_token=<client1 token>' \
--data-urlencode 'audience=client2' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token'
In response, I’m getting:
{
"error": "access_denied",
"error_description": "Client is not within the token audience"
}
Is there some setting I missed here that prevented me from receiving the token correctly, or can someone redirect me to a page where I can get more details about the error?
Thanks in advance.
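The error text names the subject token's audience, so the first thing to check is what the client1 token actually carries in its `aud` claim before sending it to the exchange endpoint. The script below is an added example (not code from the post or from Keycloak): it builds a constructed, unsigned JWT with Keycloak-shaped claims purely so the check can run offline, reads the `aud` and `azp` claims of a token without verifying the signature (a debugging aid only; it proves nothing about authenticity), reports whether the requesting client is listed in `aud`, and assembles the same form body the curl command in the post sends. The `TOKEN_ENDPOINT` value is taken from the post with `<URL>` left as a placeholder; `make_sample_token` and the claim values it emits are assumptions for testing.

```python
import base64
import json
from urllib.parse import urlencode

# From the post; <URL> is a placeholder for the real Keycloak host.
TOKEN_ENDPOINT = "http://<URL>/realms/Genting/protocol/openid-connect/token"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWTs strip.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(azp: str, aud) -> str:
    """CONSTRUCTED, unsigned JWT with Keycloak-like claims, for offline testing only.
    Real Keycloak tokens are signed (e.g. RS256); never accept alg=none from a peer."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": "http://<URL>/realms/Genting", "azp": azp, "aud": aud, "typ": "Bearer"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), ""])


def decode_claims(jwt: str) -> dict:
    """Read the payload claims of a compact JWT WITHOUT verifying the signature.
    Use it to inspect a token you already hold while debugging, nothing more."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def audience_list(claims: dict) -> list:
    """Normalise 'aud', which RFC 7519 allows to be a single string or a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def check_exchange_audience(subject_token: str, requesting_client: str) -> dict:
    """Report whether the client sending the exchange request appears in the subject token's aud."""
    claims = decode_claims(subject_token)
    auds = audience_list(claims)
    return {
        "azp": claims.get("azp"),                      # client the token was issued to
        "aud": auds,                                   # audiences the token is valid for
        "requesting_client_in_aud": requesting_client in auds,
    }


def build_exchange_form(client_id: str, client_secret: str, subject_token: str, audience: str) -> str:
    """x-www-form-urlencoded body equivalent to the curl command in the post."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "audience": audience,
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
    })


if __name__ == "__main__":
    # Constructed client1 token whose aud does not mention client2.
    token = make_sample_token(azp="client1", aud=["account"])
    print(check_exchange_audience(token, "client2"))
    print("POST", TOKEN_ENDPOINT)
    print(build_exchange_form("client2", "<client2 secret>", token, "client2"))
```

Run `check_exchange_audience` against the real client1 token: if `requesting_client_in_aud` is false, the token was never minted for client2, and Keycloak's Audience protocol mapper on client1 (or a client scope that adds it) is the mechanism that puts client2 into `aud`. Inspect the token this way first; changing fine-grained permissions does not alter the claims already inside an issued token.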