keycloak token exchange - sample request - internal to internal client
Ensure you have the Keycloak token-exchange feature turned on:
docker run --name mykeycloak -v c:\work\keycloak\conf:/opt/keycloak/conf -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KC_METRICS_ENABLED=true -e KC_HEALTH_ENABLED=true -e KC_FEATURES="token-exchange, admin-fine-grained-authz" -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:24.0.3 start-dev --cache-config-file=cache.xml
Enabling token-exchange alone might not be adequate, which is why the command above also enables admin-fine-grained-authz.
To get started with token exchange, we need to set up two internal clients.
1. A client to generate the token. This client will be called "selfservice_bff_unprivileged". It is the source of the token and is just a confidential client.
2. A client that will allow the token exchange to happen. You configure this client to say "I am going to allow token exchange here with client selfservice_bff_unprivileged". Create a confidential client called "selfservice_bff_privileged".
To set up token exchange, follow the steps below:
Client B (selfservice_bff_privileged) -> Go to Permissions -> Enable Permissions -> Token Exchange
This means we can use selfservice_bff_unprivileged to exchange for a token with .
In the POST request, you also need to include the token in your Authorization header. The form parameters are:
- client_id: "selfservice_bff_unprivileged"
- grant_type: "urn:ietf:params:oauth:grant-type:token-exchange"
- client_secret: "<secret>"
- requested_token_type: "urn:ietf:params:oauth:token-type:refresh_token"
- audience: "selfservice_bff_privileged"
- subject_token: "your-token-from-client-credential-request-earlier"
Don't forget to include the same token that you put in subject_token in your "Authorization: Bearer" header when you make this POST request.
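As an added example that is not from the original post, here is a Python script that first runs the client credentials grant against the unprivileged client and then performs the token exchange described above, printing the aud claim of both tokens. The base URL, realm name and the way the secret is passed in are assumptions; adjust them to your setup.

```python
import base64
import json
import sys
import urllib.parse
import urllib.request

# Assumed local values: change the realm and host to match your Keycloak.
KEYCLOAK = "http://localhost:8080"
REALM = "myrealm"
TOKEN_URL = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token"


def exchange_request(subject_token, client_secret,
                     audience="selfservice_bff_privileged",
                     client_id="selfservice_bff_unprivileged"):
    """Build the form body and headers for the token-exchange POST."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": "urn:ietf:params:oauth:token-type:refresh_token",
        "audience": audience,
        "subject_token": subject_token,
    }
    # The same token goes into the Authorization header as a Bearer token.
    headers = {"Authorization": f"Bearer {subject_token}"}
    return body, headers


def jwt_claims(token):
    """Decode the JWT payload for inspection only; this does not verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def post_form(body, headers):
    """POST a form-encoded body to the token endpoint and return the JSON response."""
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(TOKEN_URL, data=data, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    secret = sys.argv[1]  # client secret of selfservice_bff_unprivileged
    # Step 1: client credentials grant on the unprivileged client.
    initial = post_form({"client_id": "selfservice_bff_unprivileged",
                         "client_secret": secret,
                         "grant_type": "client_credentials"}, {})
    # Step 2: exchange that token for one scoped to the privileged client.
    body, headers = exchange_request(initial["access_token"], secret)
    exchanged = post_form(body, headers)
    print("initial aud:  ", jwt_claims(initial["access_token"]).get("aud"))
    print("exchanged aud:", jwt_claims(exchanged["access_token"]).get("aud"))
```

Run it as `python exchange.py <secret>` with the privileged client's token-exchange permission granted to the unprivileged client, otherwise Keycloak answers with a 403.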
Upon success, you will get a response like the sample shown. On the left is the decoded token from the token-exchange request.
On the right is the initial token we obtained from the client credentials request.