Hello again, wanted to come up with the same question again, for me, this
behaviour looks like a bug, but I'm not sure
On Wed, Feb 14, 2018 at 10:14 PM Виталий Ищенко <betalb(a)gmail.com> wrote:
Hi
I've been experimenting with internal to internal token exchange [1] and
managed to exchange token without configured policy
My original token belongs to public client (token_owner_klient_id) and I'm
trying to exchange it with audience set
to a confidential client that allows only client credentials grant
(confidential_client).
If I execute request as provided in documentation access is denied, but if
I'll provide confidential_client+confidential_client_secret
exchange operation succeeds.
The only difference in tokens issued with and without policy is that with
policy azp claim is set correctly to token_owner_klient_id.
The question is -- is it correct behaviour from the perspective of token
exchange?
curl -v -X POST --user confidential_client:confidential_client_secret \
-d "client_id=token_owner_klient_id" \
--data-urlencode
"grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "subject_token=${TOKEN}" \
--data-urlencode
"requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
-d "audience=confidential_client" \
http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token
[1]
http://www.keycloak.org/docs/latest/securing_apps/index.html#internal-tok...