[keycloak-dev] token exchange

Bill Burke bburke at redhat.com
Fri Jul 28 16:24:45 EDT 2017

I've implemented a simple token exchange API [1] that allows you to 
exchange an access token created for one client to another client.  The 
REST API follows the oauth token exchange api [2] very loosely.

subject_token: a keycloak access token

audience: takes a client id

It then takes the access token created for one client and converts it 
into a token for another.  It lives under the token endpoint.

The security model is as follows:

* Authenticate calling client the same way as password grant.

* The calling client must have service account enabled

* Service account must have a realm role "token-exchanger" granted to it 
or, it must have a client role "token-exchanger" granted to it.  This 
exchanger client role is a role defined by the target client you are 
exchanging the token to.

Is this a good security model?  I'm thinking of not creating these roles 
right now; enabling support for exchange would then require defining the 
roles specified above.

Future work would be to have an additional subject_issuer and 
requested_issuer parameters.  "subject_issuer" would match to a broker 
alias, so you could exchange a facebook token for a keycloak realm 
token.  Same thing goes for "requested_issuer". This would allow you to 
exchange a Keycloak token for a facebook token or some other registered 

[1] https://github.com/keycloak/keycloak/pull/4362

[2] http://www.ietf.org/id/draft-ietf-oauth-token-exchange-09.txt
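The security model from the post, as an added example that is not part of the message, of the pull request, or of Keycloak itself: it models the three checks (client authentication as for the password grant, service account enabled, "token-exchanger" held as a realm role or as a client role defined by the audience client) over a constructed realm, and builds the form body such a request would carry. The data structures, the sample clients and secrets, and the `grant_type` value (taken from the referenced token-exchange draft, which the post says the API follows only loosely) are assumptions.

```python
"""Model of the token-exchange authorization check described in the post.

Constructed example, not Keycloak code: the realm below is made up, and the
grant_type value is the one from draft-ietf-oauth-token-exchange, assumed
here since the post does not name the value the REST API actually uses.
"""
from dataclasses import dataclass, field
from urllib.parse import urlencode

EXCHANGER_ROLE = "token-exchanger"
# Assumption: grant type string from the referenced OAuth draft.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


@dataclass
class Client:
    client_id: str
    secret: str
    service_account_enabled: bool = False
    # Realm roles granted to this client's service account.
    realm_roles: set = field(default_factory=set)
    # Client roles held by the service account, keyed by the client that
    # *defines* the role: {defining_client_id: {role_name, ...}}.
    client_roles: dict = field(default_factory=dict)


@dataclass
class Realm:
    clients: dict  # client_id -> Client


class ExchangeDenied(Exception):
    pass


def authorize_exchange(realm, client_id, client_secret, audience):
    """Apply the post's three checks; return the target client or raise."""
    # 1. Authenticate the calling client the same way as the password grant.
    caller = realm.clients.get(client_id)
    if caller is None or caller.secret != client_secret:
        raise ExchangeDenied("client authentication failed")
    # 2. The calling client must have a service account enabled.
    if not caller.service_account_enabled:
        raise ExchangeDenied("calling client has no service account")
    target = realm.clients.get(audience)
    if target is None:
        raise ExchangeDenied(f"unknown audience {audience!r}")
    # 3. Realm role "token-exchanger" allows any audience; the client role
    #    only counts when it is the one defined by the audience client, so a
    #    "token-exchanger" role defined by some other client does not help.
    has_realm_role = EXCHANGER_ROLE in caller.realm_roles
    has_target_role = EXCHANGER_ROLE in caller.client_roles.get(audience, set())
    if not (has_realm_role or has_target_role):
        raise ExchangeDenied(f"{client_id!r} may not exchange for {audience!r}")
    return target


def can_exchange(realm, client_id, client_secret, audience):
    """Boolean form of authorize_exchange, convenient for tests and logs."""
    try:
        authorize_exchange(realm, client_id, client_secret, audience)
        return True
    except ExchangeDenied:
        return False


def build_exchange_request(client_id, client_secret, subject_token, audience):
    """Form body a client would POST to the token endpoint (assumed layout)."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "audience": audience,
    })


def sample_realm():
    """Constructed realm with clients of differing exchange privileges."""
    return Realm(clients={
        # Realm-wide exchanger: may exchange for any audience.
        "gateway": Client("gateway", "s1", True, realm_roles={EXCHANGER_ROLE}),
        # Holds only the "token-exchanger" role defined by "backend".
        "frontend": Client("frontend", "s2", True,
                           client_roles={"backend": {EXCHANGER_ROLE}}),
        # Service account disabled: denied whatever roles it holds.
        "legacy": Client("legacy", "s3", False, realm_roles={EXCHANGER_ROLE}),
        "backend": Client("backend", "s4"),
        "reports": Client("reports", "s5"),
    })


if __name__ == "__main__":
    realm = sample_realm()
    for caller, secret, aud in [("gateway", "s1", "reports"),
                                ("frontend", "s2", "backend"),
                                ("frontend", "s2", "reports"),
                                ("legacy", "s3", "backend")]:
        print(caller, "->", aud, "allowed" if can_exchange(realm, caller, secret, aud) else "denied")
```

The two role forms behave differently in scope: the realm role makes a service account an exchanger for every client in the realm, while the client role limits it to the one client that defined the role, which is why the check looks the role up under the audience's client id rather than anywhere in the caller's client-role map.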
