Unable to refresh exchanged token

Hey all, I’m trying to figure out how to properly refresh an exchanged token.

I’m exchanging a token between two different clients within the same realm. I’ve got this working just fine, but the problem exists when the exchanged token expires and I need to get a new one.

When I take the refresh token and issue the refresh, the request comes back as invalid saying:

    "error": "invalid_grant",
    "error_description": "Invalid refresh token. Token client and authorized client don't match"

It looks like the refresh token that is returned is actually for the original client, not for the target client. The audience does not list the target client anywhere. I tested this and I’m able to use it against the source client, but I receive an access token for that client, instead of the exchanged client.

I’m doing token exchange with user auth instead of a service account like the online docs showcase, so my requests look like this:

POST <baseurl>/realms/:realm/protocol/openid-connect/token

I take the refresh token from the response

POST <baseurl>/realms/:realm/protocol/openid-connect/token

An alternative I guess is to just re-issue an exchange, but I was hoping to utilize the standard refresh logic that is built into many libraries.

What am I doing wrong here?
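An added example, not from the post or from Keycloak itself, that inspects which client a refresh token is bound to before deciding between a plain refresh and a fresh exchange. It assumes Keycloak's `azp` claim names the client the refresh token was issued to; the client names, the access-token value and the unsigned sample tokens are constructed placeholders.

```python
import base64
import json

# Token endpoint path as given in the post; <baseurl> and :realm are placeholders
TOKEN_ENDPOINT = "<baseurl>/realms/:realm/protocol/openid-connect/token"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token):
    """Read a JWT payload WITHOUT verifying the signature.
    Client-side inspection only; never base a trust decision on this."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_unsigned_jwt(claims):
    """Constructed sample token (alg none, empty signature) so the check runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def refresh_plan(refresh_token, target_client, source_client, current_access_token):
    """Choose how to renew an exchanged token. Keycloak binds a refresh token to the
    client it was issued to ('azp'); presenting it as a different client fails with
    'Token client and authorized client don't match'. Returns (action, form body)."""
    issued_to = jwt_claims(refresh_token).get("azp")
    if issued_to == target_client:
        return "refresh", {"grant_type": "refresh_token",
                           "client_id": target_client,
                           "refresh_token": refresh_token}
    # Bound to the source client: a plain refresh would only yield a source-client
    # access token, so repeat the exchange against the target audience instead.
    return "re-exchange", {"grant_type": TOKEN_EXCHANGE_GRANT,
                           "client_id": source_client,
                           "subject_token": current_access_token,
                           "subject_token_type": ACCESS_TOKEN_TYPE,
                           "audience": target_client}


if __name__ == "__main__":
    sample = make_unsigned_jwt({"azp": "source-client", "aud": "source-client"})
    print(refresh_plan(sample, "target-client", "source-client", "<access-token>"))
```

Each returned body is the form-encoded payload you would POST to `TOKEN_ENDPOINT`; the function only decides which one applies.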


I’ve also submitted this issue here


I have the same issue. Have you resolved this?