You need to set permissions for the client in Keycloak in order to do the exchange. You can
follow the instructions here:
https://www.keycloak.org/docs/latest/securing_apps/index.html
On 2/19/19, 9:29 AM, "keycloak-user-bounces(a)lists.jboss.org on behalf of Andrew J.
Alexander" <keycloak-user-bounces(a)lists.jboss.org on behalf of
andrew.j.alexander(a)gmail.com> wrote:
I am getting a returned value of "client not allowed to exchange"
Feb 19 17:20:39 keycloak-0ea709bc8787a3a29 standalone.sh[1149]:
#033[0m#033[33m17:20:39,754 WARN [org.keycloak.events] (default task-21)
type=TOKEN_EXCHANGE_ERROR, realmId=master, clientId=client-id-here,
userId=null, ipAddress=192.168.1.13, error=not_allowed, reason='client not
allowed to exchange subject_issuer', auth_method=token_exchange,
grant_type=urn:ietf:params:oauth:grant-type:token-exchange,
subject_issuer=facebookdev, client_auth_method=client-secret
What's the problem here? Is it due to an issue with my client-secret (I am
guessing this as I'm not currently passing in a value)? Is it due to some
setting on the client itself?
I've set Access Type to public, direct grants are enabled and the protocol
is openid-connect.
Does anyone have any experience with this? I am attempting to do a token
exchange.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
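The WARN line quoted in the thread is an `org.keycloak.events` audit event, and the `error`/`reason` fields in it already separate a permission problem (`not_allowed`, "client not allowed to exchange") from a credential problem, which is what the original poster first suspected. The following is an added example, not code from the thread or from the Keycloak project: it parses such event lines (including the `#033[..m` colour residue that journald leaves in the text) into fields and classifies token-exchange failures. The sample line is constructed after the one quoted above; the category names are this example's own, and the `invalid_client_credentials` value is assumed to be the error string Keycloak emits for a bad client secret.

```python
"""Parse Keycloak event-log lines such as the TOKEN_EXCHANGE_ERROR warning
quoted in the thread and flag the failure class, so the cause can be read
from the server log instead of guessed from client settings."""
import re
from typing import Dict, List, Optional

# Constructed sample line, modelled on the standalone.sh/journald output quoted
# in the thread. The "#033[..m" fragments are journald's escaping of ANSI colour codes.
SAMPLE_LINE = (
    "Feb 19 17:20:39 keycloak-0ea709bc8787a3a29 standalone.sh[1149]: "
    "#033[0m#033[33m17:20:39,754 WARN [org.keycloak.events] (default task-21) "
    "type=TOKEN_EXCHANGE_ERROR, realmId=master, clientId=client-id-here, "
    "userId=null, ipAddress=192.168.1.13, error=not_allowed, reason='client not "
    "allowed to exchange subject_issuer', auth_method=token_exchange, "
    "grant_type=urn:ietf:params:oauth:grant-type:token-exchange, "
    "subject_issuer=facebookdev, client_auth_method=client-secret"
)

# Colour sequences, either escaped as "#033[...m" by syslog/journald or as a raw ESC.
_ANSI = re.compile(r"(?:#033|\x1b)\[[0-9;]*m")
# key=value pairs: the value is a single-quoted string (may contain spaces and
# commas, e.g. the reason text) or a bare token up to the next comma/whitespace.
_PAIR = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|[^,\s]+)")


def parse_keycloak_event(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an org.keycloak.events line, or None if
    the line is not a Keycloak event."""
    clean = _ANSI.sub("", line)
    if "[org.keycloak.events]" not in clean:
        return None
    _, _, body = clean.partition("[org.keycloak.events]")
    # Drop the "(default task-21)" thread marker that precedes the fields.
    if ")" in body:
        body = body.split(")", 1)[1]
    fields: Dict[str, str] = {}
    for key, value in _PAIR.findall(body):
        if value.startswith("'"):
            value = value[1:-1]  # unquote the reason text
        fields[key] = value
    return fields


def classify_exchange_failure(fields: Dict[str, str]) -> str:
    """Map a TOKEN_EXCHANGE_ERROR event to the thing an admin should check first.
    Category names are this example's own; error/reason strings are Keycloak's."""
    if fields.get("type") != "TOKEN_EXCHANGE_ERROR":
        return "not-a-token-exchange-error"
    error = fields.get("error", "")
    reason = fields.get("reason", "")
    if error == "not_allowed" and "not allowed to exchange" in reason:
        # The client lacks the token-exchange permission in the realm; the
        # client secret is not what is being rejected here.
        return "client-missing-exchange-permission"
    if error == "invalid_client_credentials":  # assumed Keycloak value for a bad secret
        return "client-authentication-failed"
    return "other"


def scan_log(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count token-exchange failure categories per clientId over a batch of lines,
    which is the shape a SIEM rule or a quick grep replacement wants."""
    counts: Dict[str, Dict[str, int]] = {}
    for line in lines:
        fields = parse_keycloak_event(line)
        if not fields or fields.get("type") != "TOKEN_EXCHANGE_ERROR":
            continue
        client = fields.get("clientId", "?")
        category = classify_exchange_failure(fields)
        counts.setdefault(client, {})
        counts[client][category] = counts[client].get(category, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_keycloak_event(SAMPLE_LINE)
    print(parsed)
    print(classify_exchange_failure(parsed))
    print(scan_log([SAMPLE_LINE, SAMPLE_LINE, "Feb 19 17:20:40 host standalone.sh[1149]: INFO unrelated"]))
```

Run against the sample line this reports `client-missing-exchange-permission` for `client-id-here`, i.e. the client needs the exchange permission that the reply points to, rather than a different client secret.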