I've implemented a simple token exchange API [1] that allows you to
exchange an access token created for one client for a token for another
client. The REST API follows the OAuth token exchange draft [2] very
loosely:
* subject_token: a Keycloak access token
* audience: takes a client id
It takes the access token created for one client and converts it to a
token for the other. It lives under the token endpoint.
The security model is as follows:
* Authenticate the calling client the same way as the password grant.
* The calling client must have service accounts enabled.
* The service account must have a realm role "token-exchanger" granted to
it, or it must have a client role "token-exchanger" granted to it. This
exchanger client role is a role defined by the target client you are
exchanging the token to.
Is this a good security model? I'm thinking of not creating these roles
right now, so enabling support for exchange would require defining the
roles specified above.
Future work would be to add subject_issuer and requested_issuer
parameters. "subject_issuer" would match a broker alias, so you could
exchange a Facebook token for a Keycloak realm token. The same goes for
"requested_issuer": this would allow you to exchange a Keycloak token for
a Facebook token or a token from some other registered broker.
[1] https://github.com/keycloak/keycloak/pull/4362
[2] http://www.ietf.org/id/draft-ietf-oauth-token-exchange-09.txt
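The security model above, as an added worked example that is not code from the post or from Keycloak's pull request. It models a token endpoint that authenticates the calling client with a client secret, then applies the three checks in order: service account enabled, realm role "token-exchanger", or client role "token-exchanger" defined on the target client. The grant_type URN, subject_token_type and the invalid_target error code are taken from the draft; the Client dataclass, the registry, the "kc.<sub>.<azp>" string standing in for a signed Keycloak access token, and all client names and secrets are assumptions made for the demo.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Values defined by draft-ietf-oauth-token-exchange; the rest of the names
# in this file are hypothetical.
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
EXCHANGER_ROLE = "token-exchanger"


@dataclass
class Client:
    """Hypothetical stand-in for a Keycloak client and its service account."""
    client_id: str
    secret: str
    service_account_enabled: bool = False
    sa_realm_roles: Set[str] = field(default_factory=set)
    # target client id -> client roles granted to this client's service account
    sa_client_roles: Dict[str, Set[str]] = field(default_factory=dict)


class ExchangeError(Exception):
    """Carries the OAuth error code the token endpoint would return."""


def authenticate_client(registry: Dict[str, Client], client_id: str, secret: str) -> Client:
    """Same client authentication as the password grant: id + secret."""
    client = registry.get(client_id)
    # Constant-time compare so a wrong secret does not leak by timing.
    if client is None or not hmac.compare_digest(client.secret, secret):
        raise ExchangeError("invalid_client")
    return client


def may_exchange(caller: Client, audience: str) -> bool:
    """The post's three checks: service account, realm role, or client role."""
    if not caller.service_account_enabled:
        return False
    if EXCHANGER_ROLE in caller.sa_realm_roles:
        return True
    return EXCHANGER_ROLE in caller.sa_client_roles.get(audience, set())


def verify_subject_token(token: str) -> Tuple[str, str]:
    """Toy token 'kc.<sub>.<azp>'; a real endpoint verifies a signed JWT here."""
    parts = token.split(".")
    if len(parts) != 3 or parts[0] != "kc" or not all(parts[1:]):
        raise ExchangeError("invalid_grant")
    return parts[1], parts[2]


def exchange(registry: Dict[str, Client], form: Dict[str, str],
             client_id: str, secret: str) -> Dict[str, str]:
    """Token-endpoint handler for the exchange grant; raises ExchangeError."""
    caller = authenticate_client(registry, client_id, secret)
    if form.get("grant_type") != GRANT_TYPE:
        raise ExchangeError("unsupported_grant_type")
    subject_token, audience = form.get("subject_token"), form.get("audience")
    if not subject_token or not audience:
        raise ExchangeError("invalid_request")
    if form.get("subject_token_type", ACCESS_TOKEN_TYPE) != ACCESS_TOKEN_TYPE:
        raise ExchangeError("invalid_request")
    if audience not in registry:
        raise ExchangeError("invalid_target")
    if not may_exchange(caller, audience):
        raise ExchangeError("access_denied")
    sub, _old_azp = verify_subject_token(subject_token)
    # "Convert" the token: same subject, re-issued for the requested client.
    return {"access_token": f"kc.{sub}.{audience}",
            "issued_token_type": ACCESS_TOKEN_TYPE, "token_type": "Bearer"}


def handle(registry: Dict[str, Client], form: Dict[str, str],
           client_id: str, secret: str) -> Dict[str, str]:
    """Endpoint wrapper: success body or an OAuth-style error body."""
    try:
        return exchange(registry, form, client_id, secret)
    except ExchangeError as e:
        return {"error": str(e)}


def demo_registry() -> Dict[str, Client]:
    """Constructed clients: all names, secrets and roles are made up."""
    return {c.client_id: c for c in [
        Client("web-app", "web-secret"),                      # ordinary target
        Client("reporting", "rep-secret"),                    # target defining the client role
        Client("backend", "backend-secret", True,
               sa_client_roles={"reporting": {EXCHANGER_ROLE}}),
        Client("ops", "ops-secret", True, sa_realm_roles={EXCHANGER_ROLE}),
        Client("no-sa", "no-sa-secret", False, sa_realm_roles={EXCHANGER_ROLE}),
    ]}


if __name__ == "__main__":
    reg = demo_registry()
    req = {"grant_type": GRANT_TYPE, "subject_token": "kc.alice.web-app",
           "audience": "reporting"}
    print(handle(reg, req, "backend", "backend-secret"))
    print(handle(reg, dict(req, audience="web-app"), "backend", "backend-secret"))
```

Note that the order of the checks matters: "no-sa" holds the realm role but is refused because service accounts are not enabled for it, and a client role on "reporting" buys nothing when the audience is "web-app", which is what makes the per-target client role the narrower grant of the two.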