Hello,
We are currently updating Keycloak 11.0.0 to Keycloak 14.0.0, so this change could have happened in any version in between. We are using the Token Exchange technology preview feature quite heavily, and some of our applications stopped working after the last update. These applications get access tokens using the Client Credentials Grant and then exchange them for another ‘audience’, so that they are accepted by an API that requires this other audience. We have set the permissions so that the target client authorizes our first client to exchange tokens.
I also tried the same Token Exchange request by using a user token from another public client, and this is working. I’m not sure if a client should be allowed to exchange tokens from another client.
I’m trying to make a request like this one shown in the documentation:
https://www.keycloak.org/docs/latest/securing_apps/#making-the-request
In summary:
- I have a confidential client: test-confidential.
- I have a public client: test-public.
- I have another client: test-exchangeable. This client authorizes test-confidential to exchange tokens.
This workflow doesn’t work:
- Get a token for test-confidential using Client Credentials Grant.
- Exchange this token audience with test-exchangeable using the test-confidential Client ID and Secret.
- Result: {"error":"invalid_token","error_description":"Invalid token"}
This workflow works:
- Get a user token for test-public using Password Grant.
- Exchange this token audience with test-exchangeable using the test-confidential Client ID and Secret.
- Result: same token as the original one, with the test-exchangeable audience.
For me this is not very intuitive; I was expecting test-confidential to be able to exchange any token with its own audience (even tokens for its service account), but not tokens minted for other clients. Is this a bug, or is there anything else I can try?
Thanks for your help.
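To make the two workflows in the post reproducible and to compare what each subject token carries, here is an added Python example (not code from the post or from Keycloak) that builds the Client Credentials and Token Exchange requests from the linked documentation, sends them, and reports the subject token's azp/aud claims next to the outcome. The base URL, realm, client secret and the unsigned demo tokens are assumptions or constructed values; the base URL is assumed to include any context path such as /auth.

```python
import base64
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def token_endpoint(base_url, realm):
    # base_url is assumed to include any context path, e.g. https://host/auth
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def client_credentials_form(client_id, client_secret):
    return {"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret}


def token_exchange_form(client_id, client_secret, subject_token, audience):
    # Parameters as in the Keycloak token-exchange documentation the post links to
    return {"grant_type": TOKEN_EXCHANGE, "client_id": client_id, "client_secret": client_secret,
            "subject_token": subject_token, "subject_token_type": ACCESS_TOKEN_TYPE, "audience": audience}


def post_form(url, form):
    """POST application/x-www-form-urlencoded; return (status, JSON body) even for 4xx errors."""
    req = Request(url, data=urlencode(form).encode(), headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def jwt_claims(token):
    """Decode the payload only (no signature check): enough to compare azp/aud of the two flows."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def unsigned_jwt(claims):
    """Constructed, unsigned demo token (alg none) for offline tests only; Keycloak never issues these."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def exchange_for_audience(url, client_id, client_secret, subject_token, audience, post=post_form):
    """Run the exchange and report the subject token's azp/aud together with the server's answer."""
    subject = jwt_claims(subject_token)
    status, body = post(url, token_exchange_form(client_id, client_secret, subject_token, audience))
    report = {"subject_azp": subject.get("azp"), "subject_aud": subject.get("aud"), "status": status}
    if status == 200 and "access_token" in body:
        report.update(ok=True, new_aud=jwt_claims(body["access_token"]).get("aud"))
    else:
        report.update(ok=False, error=body.get("error"), error_description=body.get("error_description"))
    return report
```

Against a real server, pass the token from post_form(url, client_credentials_form(...)) as subject_token; the azp field in the report tells you which client the subject token was minted for, which is the distinction the post is asking about.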