[keycloak-dev] token exchange
bburke at redhat.com
Fri Jul 28 16:24:45 EDT 2017
I've implemented a simple token exchange API  that allows you to
exchange an access token created for one client to another client. The
REST API follows the oauth token exchange api  very loosely.
subject_token: a keycloak access token
audience: takes a client id
It then converts the access token created for one client and converts it
to another. It lives under the token endpoint.
The security model is as follows:
* Authenticate calling client the same way as password grant.
* The calling client must have service account enabled
* Service account must have a realm role "token-exchanger" grant edto it
or, it must have a client role "token-exchanger" granted to it. This
exchanger client role is a role defined by the target client you are
exchanging the token to.
Is this a good security model? I'm thinking of not creating these roles
right now and to enable support for exchange would require defining the
roles specified above.
Future work would be to have an additional subject_issuer and
requested_issuer parameters. "subject_issuer" would match to a broker
alias, so you could exchange a facebook token for a keycloak realm
token. Same thing goes for "requested_issuer". This would allow you to
exchange a Keycloak token for a facebook token or some other registered
More information about the keycloak-dev