Trying to impersonate a user using the preview token exchange functionality


I’m trying to impersonate a user using the token exchange functionality but I always get the error that the client is not allowed to exchange.

This is the request I’m doing using the WebFlux WebClient:

    // Form parameters for the token exchange request
    MultiValueMap<String, String> formData = new LinkedMultiValueMap<>();
    formData.add("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange");
    formData.add("requested_token_type", "urn:ietf:params:oauth:token-type:access_token");
    formData.add("client_id", keycloakClientId);
    formData.add("requested_subject", userId); // user to impersonate
    formData.add("subject_token", token);
    // POST the form to the realm's token endpoint
    // (BodyInserters is org.springframework.web.reactive.function.BodyInserters)
    return WebClient.create()
        .post()
        .uri(authServerUrl + "/realms/" + authServerRealm + "/protocol/openid-connect/token")
        .body(BodyInserters.fromFormData(formData))
        .exchangeToMono(clientResponse -> clientResponse.bodyToMono(AccessTokenResponse.class));

The response I get is this one:

    {"error":"access_denied","error_description":"Client not allowed to exchange"}

What am I doing wrong? Why does the client need to be allowed to exchange, since this is impersonation and not client token exchange? Does the client need to be confidential for this to be done?
