[keycloak-dev] token exchange permission model

Right now I have a "exchange-from" and "exchange-to" permission when exchanging client->client tokens. I'm wondering if an "exchange-from" permission needs to exist? Would we ever have the case where a client is allowed to "exchange-to", but not "exchange-from"? I'm thinking this is just overboard and would rarely be used. Bill