Token exchange from client_credential grant

Hi,

I want to get a user token from a client credentials token, but I always get “Client not allowed to exchange”.

I have created two clients:

  • startClient, which is the client used to do the token exchange
  • demo, which is the target client I want to exchange to

On the demo client I added permissions (a policy “test” allowing startClient to use token_exchange) to do the token exchange.

I do my first request to get a startClient access_token with these parameters:

  • grant_type=client_credentials
  • client_id=startClient
  • client_secret=

I get my access token:

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJzX2lDaVN6Y0xLMTJzMHliZVFWTFFZcS1vWUxGR21RZnhLaUxfLU9BVjlRIn0.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.fY2thzpF7ySwyvN6qb6tOx_XkpVI5eL5aObBtqGm2TgMVRTtMntG5pWMiNX3dQl5kNC5BkykCVYPQP-eDkgY0E6slLKbSG9S_wo2W3TclAFZBAXdK827Pa6LSmge4gXeR9KhqC27iq1PIBxwM2so5QxJ3ZkrmCVtfmIOMq_luwbXgiVJfPJSNrp7yATamUcA165-ZWNZBuGpIaXxILJ6LsoQlgs7dHfYedL3d4OpVpMclgFxfQzE1IM0B2gQGJAUBBcBjufHxn9Ko4VV5Rq02PGL80uYfFTsI44fnQyPEplYRq_0A2I7S1Wt5-7HaANcyaRK_b9xnc4tPAW5Jc6kLg",
    "expires_in": 300,
    "refresh_expires_in": 0,
    "token_type": "Bearer",
    "not-before-policy": 0,
    "scope": "email profile"
}

I do the next request to do the token exchange with these parameters:

  • grant_type=urn:ietf:params:oauth:grant-type:token-exchange
  • client_id=startClient
  • subject_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJzX2lDaVN6Y0xLMTJzMHliZVFWTFFZcS1vWUxGR21RZnhLaUxfLU9BVjlRIn0.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.fY2thzpF7ySwyvN6qb6tOx_XkpVI5eL5aObBtqGm2TgMVRTtMntG5pWMiNX3dQl5kNC5BkykCVYPQP-eDkgY0E6slLKbSG9S_wo2W3TclAFZBAXdK827Pa6LSmge4gXeR9KhqC27iq1PIBxwM2so5QxJ3ZkrmCVtfmIOMq_luwbXgiVJfPJSNrp7yATamUcA165-ZWNZBuGpIaXxILJ6LsoQlgs7dHfYedL3d4OpVpMclgFxfQzE1IM0B2gQGJAUBBcBjufHxn9Ko4VV5Rq02PGL80uYfFTsI44fnQyPEplYRq_0A2I7S1Wt5-7HaANcyaRK_b9xnc4tPAW5Jc6kLg
  • requested_token_type=urn:ietf:params:oauth:token-type:refresh_token
  • audience=demo
  • requested_subject=
  • client_secret=

and I always get this response:

{
    "error": "access_denied",
    "error_description": "Client not allowed to exchange"
}

I also have this error in the server logs:

[org.keycloak.events] (executor-thread-167) type=TOKEN_EXCHANGE_ERROR, realmId=demo, clientId=startClient, userId=null, ipAddress=172.17.0.1, error=not_allowed, reason=‘subject not allowed to impersonate’, auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, impersonator=service-account-startclient, requested_subject=sginer, client_auth_method=client-secret

This post talks about the same problem, but I don't understand how to configure user impersonation.

Regards

Stéphane GINER

I found other links with a lot of information, but they don't work.

Can someone help me?

Regards

Stéphane
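The following is an added example, not code from the thread or from Keycloak itself. It does two things a practitioner debugging this exchange would want: it builds the two token requests described above (client_credentials, then the RFC 8693 token exchange) so the parameters can be checked and sent without retyping them, and it parses a `[org.keycloak.events]` log line like the one pasted above into its fields, then maps the `TOKEN_EXCHANGE_ERROR` it reports to the configuration it points at. The token endpoint URL, the client secret value and the `post_token_request` helper are assumptions for illustration; the sample log line is the one from the post, with the client secret left as a placeholder. One point the log line makes clear: `requested_subject=sginer` turns the call into an impersonation, which Keycloak authorizes separately from the token-exchange permission on the target client (via the impersonation permission on the realm's users), so the `reason` field is the one to read, not only the HTTP error body.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Sample event line taken from the post above (not constructed); the curly
# quotes around the reason are how the forum rendered the log.
SAMPLE_EVENT = (
    "[org.keycloak.events] (executor-thread-167) type=TOKEN_EXCHANGE_ERROR, "
    "realmId=demo, clientId=startClient, userId=null, ipAddress=172.17.0.1, "
    "error=not_allowed, reason=\u2018subject not allowed to impersonate\u2019, "
    "auth_method=token_exchange, "
    "grant_type=urn:ietf:params:oauth:grant-type:token-exchange, "
    "impersonator=service-account-startclient, requested_subject=sginer, "
    "client_auth_method=client-secret"
)

# key=value fields: quoted with straight or curly quotes (value may contain
# spaces), or a bare token that runs until the next comma or whitespace.
FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|\u2018([^\u2019]*)\u2019|([^,\s]+))")


def parse_keycloak_event(line: str) -> dict:
    """Parse one [org.keycloak.events] log line into a dict of its fields."""
    fields = {}
    for key, single, curly, bare in FIELD_RE.findall(line):
        fields[key] = single or curly or bare
    return fields


def explain_exchange_failure(fields: dict) -> str:
    """Map a parsed TOKEN_EXCHANGE_ERROR event to the permission it implies is missing."""
    if fields.get("type") != "TOKEN_EXCHANGE_ERROR":
        return "not a token exchange error"
    reason = fields.get("reason", "")
    if fields.get("requested_subject") and "impersonate" in reason:
        # requested_subject makes this an impersonation: the calling client's
        # service account needs the impersonation permission on the realm users,
        # in addition to the token-exchange permission on the target client.
        return ("impersonation: %s (service account %s) lacks the impersonation permission "
                "for user %s; grant it, or drop requested_subject if impersonation is not intended"
                % (fields.get("clientId"), fields.get("impersonator"),
                   fields.get("requested_subject")))
    if fields.get("error") == "not_allowed":
        return ("%s lacks the token-exchange permission on the target client"
                % fields.get("clientId"))
    return "token exchange error: %s" % (reason or fields.get("error"))


def client_credentials_form(client_id: str, client_secret: str) -> dict:
    """Form body for the first request in the post (service-account token)."""
    return {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}


def token_exchange_form(client_id, client_secret, subject_token, audience,
                        requested_subject=None,
                        requested_token_type="urn:ietf:params:oauth:token-type:refresh_token"):
    """Form body for the second request in the post (RFC 8693 token exchange)."""
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "requested_token_type": requested_token_type,
        "audience": audience,
    }
    if requested_subject:  # only send it when impersonating a user is the goal
        form["requested_subject"] = requested_subject
    return form


def post_token_request(token_endpoint: str, form: dict, timeout: int = 10):
    """POST a form to the token endpoint; returns (HTTP status, decoded JSON body).
    Assumed helper: Keycloak returns the error body with a 4xx status, so it is
    caught and returned rather than raised."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        token_endpoint, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read().decode())


if __name__ == "__main__":
    # Assumed endpoint and placeholder secret; replace with your own realm's values.
    endpoint = "http://localhost:8080/realms/demo/protocol/openid-connect/token"
    status, body = post_token_request(
        endpoint, client_credentials_form("startClient", "<client-secret>"))
    if status == 200:
        status, body = post_token_request(endpoint, token_exchange_form(
            "startClient", "<client-secret>", body["access_token"], "demo",
            requested_subject="sginer"))
    print(status, json.dumps(body, indent=2))
    print(explain_exchange_failure(parse_keycloak_event(SAMPLE_EVENT)))
```

The `__main__` part needs a running Keycloak at the assumed endpoint; the parser and the form builders run offline. When reading the event, compare `clientId` (the exchanging client), `impersonator` (its service account) and `requested_subject` (the user being impersonated): the HTTP body only says "Client not allowed to exchange", while the log's `reason` distinguishes a missing token-exchange permission from a missing impersonation permission.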

Hello,

I am posting this answer for people who have the same problem.

Finally, token exchange works correctly if you use the correct container.

For my test on my Mac with an M1 processor I used the docker image quay.io/keycloak/keycloak:17.0.1, which definitely does not work!

I changed my point of view and installed Keycloak with the docker image mihaibob/keycloak:17.0.1-legacy on an Intel-based Mac, and everything works well.

I have not tested quay.io/keycloak/keycloak:17.0.1 on an Intel-based Mac for the moment, but I think it also works well.

Regards

Stéphane GINER

Did you enable the token exchange feature? Running Keycloak in a container - Keycloak

Yes, I enabled token exchange.