Unable to refresh exchanged token

nickzelei · November 9, 2021, 12:32am

Hey all, I’m trying to figure out how to properly refresh an exchanged token.

I’m exchanging a token between two different clients within the same realm. I’ve got this working just fine, but the problem exists when the exchanged token expires and I need to get a new one.

When I take the refresh token and issue the refresh, the request comes back as invalid saying:

{
    "error": "invalid_grant",
    "error_description": "Invalid refresh token. Token client and authorized client don't match"
}

It looks like the refresh token that is returned is actually for the original client, not for the target client. The audience does not list the target client anywhere. I tested this and I’m able to use it against the source client, but I receive an access token for that client, instead of the exchanged client.

I’m doing token exchange with user auth instead of a service account like the online docs showcase, so my requests look like this:

POST <baseurl>/realms/:realm/protocol/openid-connect/token
grant_type=urn:ietf:params:oauth:grant-type:token-exchange
client_id=starting-client
audience=target-client
subject_token=<token>

I take the refresh token from the response

POST <baseurl>/realms/:realm/protocol/openid-connect/token
grant_type=refresh_token
refresh_token=<token>
client_id=target-client

An alternative I guess is to just re-issue an exchange but I was hoping to already utilize the standard refresh logic that is built in to many libraries.

What am I doing wrong here?

nickzelei · November 9, 2021, 7:01pm

I’ve also submitted this issue here

github.com/keycloak/keycloak

Token Exchange setting incorrect clientId

opened 06:58PM - 09 Nov 21 UTC

closed 01:05PM - 29 Aug 22 UTC

nickzelei

kind/bug area/token-exchange status/triage

### Describe the bug I'm attempting to do an internal-to-internal token excha…nge. The exchange returns successfully, but it appears that the `issuedFor` or `azp` claim is set to the incorrect client. This poses a problem in that the exchanged token is not able to be refreshed with its access token because the refresh token is bound to the wrong client. I'm exchanging the token so that I can get the scopes, etc from the target client. That works great here, but I then need to be able to use the refresh token to exchange it for a new access token that has those same scopes. In the current state, I instead have to re-initiate the token exchange all over again. I'm I understanding token exchange correctly here? I took it that you take a token from client A and are able to completely exchange it for a token from client B. The way this is currently set up, the token is exchanged for another client A token, but that has been enriched with scopes from client B. Also, why is no identity token returned from the exchange? ### Version 15.0.2 ### Expected behavior The Access Token and Refresh token should have the `azp` set to the target client. ### Actual behavior The Access Token and Refresh token are set to the starting client. ### How to Reproduce? To reproduce, simply follow the internal-to-internal token exchange [docs](https://www.keycloak.org/docs/latest/securing_apps/#internal-token-to-internal-token-exchange) and inspect the tokens that are returned. The `azp` will be set to the starting client. Once the tokens have been exchanged, attempt to issue a refresh against the target-client. ``` POST /realms/:realm/protocol/openid-connect/token grant_type: refresh_token refresh_token: <token> client_id: target-client ``` Response: ``` { "error": "invalid_grant", "error_description": "Invalid refresh token. Token client and authorized client don't match" } ``` This makes sense given the `azp` is for the starting-client, not the target. ### Anything else? * [responseBuilder.getAccessToken().issuedfor(client.getClientId());](https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java#L342) * [responseBuilder.getRefreshToken().issuedFor(client.getClientId();](https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java#L342)

ndhai · April 12, 2022, 9:48am

I have a same issue. Are you resolved this?

Topic		Replies	Views
I cannot refresh a token with a public client	2	643	August 18, 2021
Token exchange error with an exchanged token as subject token Getting advice authentication , oidc	1	514	December 5, 2023
Refresh exchanged token Securing applications	0	362	December 13, 2021
Refresh token expiration time does not renew on usage Configuring the server token-exchange	1	2227	February 20, 2024
Token Exchange don't work when cross realm authentication , oidc	0	114	March 28, 2023

Unable to refresh exchanged token

Related Topics