Hi!
I have webapp1 which has to authenticate against a legacy backend, and won't
be integrated with Keycloak for the foreseeable future.
So, upon successful authentication, I use the impersonate API to get an
access token for the current user.
Later on, the user will open webapp2 from webapp1. The user should not have
to perform a login in Webapp2. Webapp2 uses the Keycloak Javascript
adapter. I use the access/refresh token I gained earlier to initialize the
adapter. It sends the refresh token to the token endpoint, but gets a
status code 400 error "Unmatching clients".
Request:
grant_type=refresh_token
refresh_token=<encoded token>
client_id=webapp2
These are the relevant fields from the token:
aud: "webapp2"
azp: "impersonator"
So I guess the problem is that azp does not match client_id. In order to
get a token for the correct client, I use the token exchange endpoint and
the access token I got via the impersonation API:
map.add("client_id", impersonator)
map.add("client_secret", <impersonator_secret>)
map.add("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
map.add("subject_token", <access token>)
map.add("audience", "webapp2")
That gives me a new token, but for the same client. At this point I'm
stumped and pretty sure I misunderstood something basic. Can anybody give
me a pointer in the right direction?
Cheers,
Till
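A small pre-flight check for the situation described in the post, added here as an example (not code from the post or from Keycloak): it decodes the token's claims without verifying the signature and reports when the `azp` claim differs from the client_id the adapter will send, which is the condition behind the "Unmatching clients" rejection of a refresh_token grant. The sample token is constructed with an empty signature purely for the demo; in practice the token comes from the impersonation or exchange response.

```python
import base64
import json


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying the signature.
    Suitable for local inspection only; never use it to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def refresh_client_mismatch(token: str, client_id: str):
    """Return (azp, aud) when `client_id` is not the token's azp, else None.
    A refresh_token grant sent by `client_id` is rejected by Keycloak when
    the refresh token was issued for (azp) a different client."""
    claims = decode_jwt_claims(token)
    azp = claims.get("azp")
    if azp == client_id:
        return None
    return azp, claims.get("aud")


def _make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample token (alg=none) for the demo."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample mirroring the claims quoted in the post.
SAMPLE_TOKEN = _make_unsigned_jwt(
    {"aud": "webapp2", "azp": "impersonator", "sub": "user-1"}
)

if __name__ == "__main__":
    result = refresh_client_mismatch(SAMPLE_TOKEN, "webapp2")
    if result:
        azp, aud = result
        print(f"refresh as client 'webapp2' would fail: azp={azp!r}, aud={aud!r}")
    else:
        print("token azp matches the adapter's client_id")
```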