Hey all, I’m trying to figure out how to properly refresh an exchanged token.
I’m exchanging a token between two different clients within the same realm. I’ve got this working just fine, but the problem arises when the exchanged token expires and I need to get a new one.
When I take the refresh token and issue the refresh, the request comes back as invalid saying:
It looks like the refresh token that is returned is actually for the original client, not for the target client. The audience does not list the target client anywhere. I tested this and I’m able to use it against the source client, but I receive an access token for that client, instead of the exchanged client.
I’m doing token exchange with user auth instead of a service account like the online docs showcase, so my requests look like this:
POST <baseurl>/realms/:realm/protocol/openid-connect/token
grant_type=urn:ietf:params:oauth:grant-type:token-exchange
client_id=starting-client
audience=target-client
subject_token=<token>
Then I take the refresh token from the response and issue:
POST <baseurl>/realms/:realm/protocol/openid-connect/token
grant_type=refresh_token
refresh_token=<token>
client_id=target-client
An alternative, I guess, is to just re-issue an exchange, but I was hoping to utilize the standard refresh logic that is built into many libraries.
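The check I would run before retrying the refresh, as an added example that is not code from the original post: decode the refresh token's claims (without trusting them, since nothing is verified here) and look at which client it was issued to before choosing the `client_id` for the `refresh_token` grant. It assumes, as Keycloak does, that the refresh token is itself a JWT carrying an `azp` claim naming the client that obtained it plus an `aud` claim; the base URL, realm name, `SAMPLE_REFRESH_TOKEN` and `make_unsigned_jwt` helper are constructed for the example.

```python
"""Inspect a Keycloak-style refresh token before deciding which client may refresh it.

Added example, not code from the original post. Assumes (as Keycloak does) that the
refresh token is a JWT whose `azp` claim names the client that obtained it and whose
`aud` lists the audience(s). The sample token below is constructed and unsigned;
decoding here is for inspection only and never replaces signature verification.
"""
import base64
import json
import time
from typing import Optional

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def token_endpoint(base_url: str, realm: str) -> str:
    """Realm token endpoint, the same URL both requests in the post go to."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_exchange_request(client_id: str, audience: str, subject_token: str) -> dict:
    """Form body for the exchange: a user token held by `client_id` becomes one for `audience`."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "audience": audience,
        "subject_token": subject_token,
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def refresh_owner(refresh_token: str) -> str:
    """Client the refresh token was issued to: `azp`, falling back to a single `aud` value."""
    claims = decode_jwt_payload(refresh_token)
    if "azp" in claims:
        return claims["azp"]
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud
    if isinstance(aud, list) and len(aud) == 1:
        return aud[0]
    raise ValueError("cannot tell which client owns this refresh token")


def build_refresh_request(refresh_token: str, client_id: str, now: Optional[float] = None) -> dict:
    """Form body for grant_type=refresh_token, refusing mismatches the server would reject anyway."""
    claims = decode_jwt_payload(refresh_token)
    exp = claims.get("exp")
    current = now if now is not None else time.time()
    if exp is not None and current >= exp:
        raise ValueError("refresh token already expired; re-run the exchange instead")
    owner = refresh_owner(refresh_token)
    if owner != client_id:
        raise ValueError(
            f"refresh token belongs to client {owner!r}, not {client_id!r}; "
            "refreshing as the owner yields that client's access token, not the exchanged one"
        )
    return {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": client_id}


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) so the example runs offline."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'Refresh'})}.{seg(claims)}."


# Constructed stand-in for the refresh token the exchange returned in the post: issued to the
# starting client, with the target client nowhere in `aud` (values here are made up).
SAMPLE_REFRESH_TOKEN = make_unsigned_jwt({
    "iss": "https://idp.example/realms/demo",
    "azp": "starting-client",
    "aud": "https://idp.example/realms/demo",
    "sub": "user-123",
    "exp": 4102444800,  # year 2100, so the sample stays valid
})

if __name__ == "__main__":
    print(token_endpoint("https://idp.example", "demo"))
    print("refresh token owner:", refresh_owner(SAMPLE_REFRESH_TOKEN))
    try:
        build_refresh_request(SAMPLE_REFRESH_TOKEN, "target-client")
    except ValueError as err:
        print("refusing:", err)
```

Running it against a real response means replacing `SAMPLE_REFRESH_TOKEN` with the `refresh_token` field from the exchange; if `refresh_owner` reports the starting client, a `refresh_token` grant sent with `client_id=target-client` will be rejected, and sending it as the owner only renews that client's own token, which is the behaviour the post describes.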