Hi Keycloak masters
I've done the token exchange in the same realm,
here is a link with my scenario
https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhja...
I'm trying to do the same cross realm following this documentation
https://www.keycloak.org/docs/latest/securing_apps/index.html#external-to...
Here is a link to my draft
https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhja...
However, I don't know which client credentials to put in the query.
My app only knows its own credentials (*app1_clientID* and
*app1_clientSecret*)
and wants to get an access token on the Realm2 (R2) for the clientID
"*secured_R2*".
The broker on the IDP2 is using the clientID "*R1_for_R2*" on the IDP1
The alias of the broker is "*R2_for_R1_users*"
curl -X POST \
  -d "client_id=*app1_clientID*" \
  -d "client_secret=*app1_clientSecret*" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "subject_token=*my_token_obtained_using_app1_clientID*" \
  -d "subject_issuer=*R2_for_R1_users*" \
  --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
  -d "audience=*secured_R2*" \
  http://*IDP2*/auth/realms/*R2*/protocol/openid-connect/token
I got an "invalid credentials" error, which makes sense because the IDP2 can't
verify the credentials of App1, which are linked to realm1 (IDP1).
I know I missed something.
If someone could give me a hint.
Once I understand, I'm willing to propose an update to the documentation.
Thanks for any help
Amaury
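As an added example (not code from this post or from the Keycloak project), the script below assembles the external-to-internal exchange request the way the linked Keycloak documentation describes it: the client_id/client_secret belong to a confidential client registered in the target realm (R2) that has been granted the token-exchange permission on the identity provider, and subject_issuer is the broker alias. It also does an offline sanity check on the issuer and audience claims of the returned token. Names such as idp2.example and exchange_client_R2 are assumptions; the sample JWT is constructed inline and signed with a throwaway key only so the check can run without a server.

```python
import base64
import hashlib
import hmac
import json
import os
import urllib.parse
import urllib.request

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(idp2_base, realm, client_id, client_secret,
                           subject_token, subject_issuer, audience):
    """Return (url, form body) for an external-to-internal token exchange.

    client_id/client_secret must be a client of `realm` (the target realm):
    that realm can only check credentials it knows about, which is why a
    client from another realm gets "invalid credentials".
    """
    url = f"{idp2_base.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"
    fields = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,       # token issued by the external realm
        "subject_issuer": subject_issuer,     # identity provider alias in the target realm
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,                 # client in the target realm we want a token for
    }
    return url, urllib.parse.urlencode(fields)


def exchange_token(url, body, timeout=10):
    """POST the form body and return the parsed JSON token response."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def decode_jwt_payload(token):
    """Decode the payload of a compact JWT. Does NOT verify the signature."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS")
    padded = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_exchanged_token(token, expected_issuer, expected_audience):
    """Sanity check before use: iss must be the target realm and aud must
    contain the requested client. Signature verification against the realm
    JWKS is a separate, mandatory step not shown here."""
    claims = decode_jwt_payload(token)
    if claims.get("iss") != expected_issuer:
        return False
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return expected_audience in aud


def sample_exchanged_token():
    """Constructed HS256 JWT with a throwaway key, for offline demonstration."""
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64(json.dumps({"iss": "http://idp2.example/auth/realms/R2",
                              "aud": "secured_R2", "sub": "user-1"}).encode())
    sig = hmac.new(b"constructed-demo-key", f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{b64(sig)}"


if __name__ == "__main__":
    # Assumed names; real values come from the target realm's client settings.
    url, body = build_exchange_request(
        os.environ.get("IDP2_BASE", "http://idp2.example"), "R2",
        os.environ.get("R2_CLIENT_ID", "exchange_client_R2"),
        os.environ.get("R2_CLIENT_SECRET", "changeme"),
        os.environ.get("SUBJECT_TOKEN", "token-from-realm1"),
        "R2_for_R1_users", "secured_R2")
    resp = exchange_token(url, body)
    ok = check_exchanged_token(resp["access_token"],
                               "http://idp2.example/auth/realms/R2", "secured_R2")
    print("exchange ok" if ok else "unexpected iss/aud in exchanged token")
```

The form body is identical in shape to the curl command in the post; the only change of substance is whose credentials go in client_id/client_secret.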