I have token-exchange working with 7.0.0 so I can confirm it does work.
The hoops I jumped through are
* enabling the experimental features (token exchange is not enabled by
default). I enabled feature.token_exchange and
feature.admin_fine_grained_authz
* enabling token exchange for client (clicking through the policies and
other admin pages)
* adding the identity provider and linking the user to the identity
provider (with a bunch of API calls from my app)
...at this point I was able to do token exchange with proper OIDC external
providers (i.e. the social services). But I could not exchange with my
primary OAuth partner, because their userinfo endpoint did not return the
expected fields, so the process failed with an "unauthorised" error.
To fix this I had to write a custom identity broker (based on the OAuth
broker) and extend the function "extractIdentityFromProfile" so it properly
consumes the results from the userinfo endpoint, especially the userid
field.
After that, token exchange is working fine.
I had a little extra work for the custom claims I add, but that was because
the cached user object did not have my custom attributes :(
----
*James Mitchell*
Developer
e: jamesm(a)suitebox.com
w: www.suitebox.com
*SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ
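As an added illustration of the custom broker described above (not James's code, and not part of Keycloak itself): a hypothetical provider based on Keycloak 7's AbstractOAuth2IdentityProvider whose extractIdentityFromProfile override reads a partner userinfo document that uses "userid", "login" and "mail" instead of the standard "sub"/"email" claims. The hook names and the constructed field names are assumptions; the provider still needs an IdentityProviderFactory and a META-INF/services entry to be picked up.

```java
import com.fasterxml.jackson.databind.JsonNode;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.KeycloakSession;

// Hypothetical broker for a partner whose userinfo endpoint returns
// {"userid": "...", "login": "...", "mail": "...", ...} (constructed field names).
public class PartnerIdentityProvider extends AbstractOAuth2IdentityProvider<OAuth2IdentityProviderConfig> {

    public PartnerIdentityProvider(KeycloakSession session, OAuth2IdentityProviderConfig config) {
        super(session, config);
    }

    @Override
    protected String getDefaultScopes() {
        return "openid profile";
    }

    // Token exchange validates the external access token against this URL;
    // the base class refuses exchange unless a subclass supplies one (assumed hook name).
    @Override
    protected String getProfileEndpointForValidation(EventBuilder event) {
        return getConfig().getUserInfoUrl();
    }

    // Normal browser login path: fetch the profile and reuse the same extraction logic.
    @Override
    protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
        try {
            JsonNode profile = SimpleHttp.doGet(getConfig().getUserInfoUrl(), session)
                    .header("Authorization", "Bearer " + accessToken).asJson();
            return extractIdentityFromProfile(null, profile);
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not obtain user profile from partner.", e);
        }
    }

    @Override
    protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, JsonNode profile) {
        // The federated id must be the partner's stable identifier; never fall back to email,
        // since a re-used address could link the token to the wrong Keycloak account.
        String id = getJsonProperty(profile, "userid");
        if (id == null || id.isEmpty()) {
            throw new IdentityBrokerException("userinfo response lacks the 'userid' field");
        }
        BrokeredIdentityContext user = new BrokeredIdentityContext(id);
        user.setUsername(getJsonProperty(profile, "login"));
        user.setEmail(getJsonProperty(profile, "mail"));
        user.setIdpConfig(getConfig());
        user.setIdp(this);
        // Keep the raw profile so JSON-field-path attribute mappers also run on exchanged tokens.
        AbstractJsonUserAttributeMapper.storeUserProfileForMapper(user, profile, getConfig().getAlias());
        return user;
    }
}
```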
On Wed, 30 Oct 2019 at 15:12, Andrew B Goldberg <abgoldberg(a)gmail.com> wrote:
I'm trying to set up token-exchange for an external token to internal
token, and I ran into the same issue as below (using version 7.0.0) and
wondering if this is a known issue, or if it is supposed to be working. If
so, any particular setting or policy to look into changing to allow
attribute mappers to work?
It may also be the case that my access token doesn’t contain all the
claims being mapped, and usually the mappers apply to the id token. But it
doesn’t seem like token-exchange supports exchanging an external id token.
For context, my identity provider here is Microsoft azure oidc (not the
built-in social one, but a custom one added using all the standard
microsoftonline.com OAuth endpoints). And the main claim I’m looking for
is “groups” (which does show up when logging into this provider directly).
Thanks!
Andrew
---- older message:
Hello, We're using token exchange to enable logins for social media
provider users, using their respective native apps. So the tokens are
obtained via official SDKs/apps, then sent to our backend to be exchanged for a
keycloak token, which is then used throughout. The problem is, attribute
importers don't seem to be running for tokens that are exchanged with this
method. We have a mapper to export the user's facebook id ("Social Profile
JSON Field Path" set to "id") to a custom user attribute, but it doesn't seem
to be working. (except of course when I login "properly" and not use the
token exchange process at all) Are there any settings that I'm missing?
Recommendations? (Keycloak 5.0. Same with 4.1) Thanks
Kemal
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user