Token exchange - retrieve id_token fails

mteodor · November 19, 2021, 12:42pm

Hi I want to use exchange token feature to impersonate user
First I retrieve access token for admin and then I want to retrieve id_token for specific user but request fails

curl -L -X POST 'https://auth.domain.com/auth/realms/master/protocol/openid-connect/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=client_app' \
--data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:id_token" \
--data-urlencode 'client_secret=xxxxxxxxxxxxxx' -d "requested_subject=some_user" -d "subject_token=....."  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange"                                                                        
{"error":"invalid_request","error_description":"requested_token_type unsupported"}

If make request with urn:ietf:params:oauth:token-type:access_token access token for requested user is succsesfully retrieved.
So, where do I make mistake?

mteodor · November 19, 2021, 1:02pm

This doesnt seem aligned to docs

github.com

keycloak/keycloak/blob/bfce612641a70e106b20b136431f0e4046b5c37f/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java#L186


      
          
          @Override
          public Response exchangeFromToken(UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject, MultivaluedMap<String, String> params) {
              // check to see if we have a token exchange in session
              // in other words check to see if this session was created by an external exchange
              Response tokenResponse = hasExternalExchangeToken(event, tokenUserSession, params);
              if (tokenResponse != null) return tokenResponse;
          
              // going further we only support access token type?  Why?
              String requestedType = params.getFirst(OAuth2Constants.REQUESTED_TOKEN_TYPE);
              if (requestedType != null && !requestedType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE)) {
                  event.detail(Details.REASON, "requested_token_type unsupported");
                  event.error(Errors.INVALID_REQUEST);
                  return exchangeUnsupportedRequiredType();
              }
              if (!getConfig().isStoreToken()) {
                  // if token isn't stored, we need to see if this session has been linked
                  String brokerId = tokenUserSession.getNote(Details.IDENTITY_PROVIDER);
                  brokerId = brokerId == null ? tokenUserSession.getNote(IdentityProvider.EXTERNAL_IDENTITY_PROVIDER) : brokerId;
                  if (brokerId == null || !brokerId.equals(getConfig().getAlias())) {
                      event.detail(Details.REASON, "requested_issuer has not linked");

requested_token_type
OPTIONAL. This parameter represents the type of token the client wants to exchange for. Currently only oauth and OpenID Connect token types are supported. The default value for this depends on whether it is urn:ietf:params:oauth:token-type:refresh_token in which case you will be returned both an access token and refresh token within the response. Other appropriate values are urn:ietf:params:oauth:token-type:access_token and urn:ietf:params:oauth:token-type:id_token

emmanuelmathot · March 1, 2022, 10:05am

Indeed, the doc is not up to date. When you set scope parameter to openid in the request, you get the id_token. Documentation states this is not implemented.

Topic		Replies	Views
Token exchange using id_token Getting advice authentication , oidc	1	1418	March 25, 2022
Token Exchange don't work when cross realm authentication , oidc	0	268	March 28, 2023
Unable to exchange token from google identity provider access token to Keycloak token	0	176	July 10, 2024
Keycloak Cross Realm Token Exchange Securing applications authentication	2	1688	May 29, 2023
Token exchange error with an exchanged token as subject token Getting advice authentication , oidc	1	763	December 5, 2023

Token exchange - retrieve id_token fails

Related topics