[keycloak-dev] External (SAML) Token to Internal Token Exchange

Edwin Steiner esteiner at inventage.com
Fri Aug 30 10:35:00 EDT 2019


Hi all

First, thanks to all Keycloak committers and contributors. We like Keycloak very much and have used it in many projects.

The documentation says that the "Token Exchange" [1] feature is in Technology Preview only and the "External Token to Internal Token Exchange" [2] feature for SAML identity providers is not supported but may be added.

In a customer project we have exactly the requirement to exchange a SAML v2 Assertion for a JWT. Because of that we are investigating implementing this feature either as a project-specific solution or as a contribution.

As there is no SPI for this requirement, I guess a fork is necessary for changing the method org.keycloak.protocol.oidc.endpoints.TokenEndpoint#tokenExchange, so that not only subject tokens of type "urn:ietf:params:oauth:token-type:jwt" are accepted.

Any hints or tips on this topic are very welcome.

Best regards
Edwin

[1] file:///Users/esteiner/Documents/Github/Keycloak/keycloak-documentation/target/securing_apps/index.html#_token-exchange
[2] file:///Users/esteiner/Documents/Github/Keycloak/keycloak-documentation/target/securing_apps/index.html#external-token-to-internal-token-exchange

-- 
Edwin Steiner
Inventage AG | CH-8005 Zürich | www.inventage.com
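To make the subject_token_type question above concrete, here is an added Python model of an RFC 8693 token-exchange request handler; it is not Keycloak code and does not reflect how org.keycloak.protocol.oidc.endpoints.TokenEndpoint#tokenExchange is written. The grant-type and token-type URNs are the real RFC 8693 identifiers; the allowlist sets, the sample assertion, the audience, the hostnames and the helper names are constructed for the example. The SAML branch shows the checks a relaxed endpoint would still have to perform on the assertion (root element, validity window, audience, NameID) and assumes XML signature verification has already happened in the broker layer.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# RFC 8693 identifiers (real values); everything else below is a model.
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"
TYPE_SAML2 = "urn:ietf:params:oauth:token-type:saml2"
TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Modelled policy (assumption): only JWT subject tokens today, JWT plus SAML 2.0 after the change.
ACCEPTED_TODAY = frozenset({TYPE_JWT})
ACCEPTED_WITH_SAML = frozenset({TYPE_JWT, TYPE_SAML2})


class ExchangeError(Exception):
    """Raised with an OAuth-style error string when a request is refused."""


def parse_exchange_request(body, accepted_subject_types):
    """Parses a form-encoded token-exchange body and enforces the
    subject_token_type allowlist (the check the post wants to relax)."""
    params = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if params.get("grant_type") != GRANT_TOKEN_EXCHANGE:
        raise ExchangeError("unsupported_grant_type")
    if not params.get("subject_token") or not params.get("subject_token_type"):
        raise ExchangeError("invalid_request: subject_token and subject_token_type are required")
    if params["subject_token_type"] not in accepted_subject_types:
        raise ExchangeError("invalid_request: subject_token_type not accepted: " + params["subject_token_type"])
    return {
        "subject_token": params["subject_token"],
        "subject_token_type": params["subject_token_type"],
        "requested_token_type": params.get("requested_token_type", TYPE_ACCESS_TOKEN),
    }


def _saml_time(value):
    # SAML dateTime values are UTC, e.g. 2019-08-30T14:35:00Z
    return dt.datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=dt.timezone.utc)


def check_saml2_assertion(encoded, expected_audience, now):
    """Decodes a base64 SAML 2.0 Assertion and checks the parts an exchange
    endpoint must look at before minting anything for its subject: root
    element, validity window, audience, NameID. XML signature verification
    is assumed to happen in the broker layer before this call (not modelled)."""
    root = ET.fromstring(base64.b64decode(encoded))
    if root.tag != f"{{{SAML2_NS}}}Assertion":
        raise ExchangeError("invalid_token: not a SAML 2.0 Assertion")
    conditions = root.find(f"{{{SAML2_NS}}}Conditions")
    if conditions is None:
        raise ExchangeError("invalid_token: Conditions element missing")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < _saml_time(not_before):
        raise ExchangeError("invalid_token: assertion not yet valid")
    if not_on_or_after and now >= _saml_time(not_on_or_after):
        raise ExchangeError("invalid_token: assertion expired")
    audiences = [a.text for a in conditions.iter(f"{{{SAML2_NS}}}Audience")]
    if expected_audience not in audiences:
        raise ExchangeError("invalid_token: audience mismatch")
    name_id = root.find(f"{{{SAML2_NS}}}Subject/{{{SAML2_NS}}}NameID")
    if name_id is None or not name_id.text:
        raise ExchangeError("invalid_token: Subject/NameID missing")
    return name_id.text


def exchange_subject(body, accepted_subject_types, expected_audience, now):
    """Returns the NameID a SAML 2.0 subject token would be exchanged for.
    The JWT branch is the existing endpoint's path and is not modelled: an
    accepted JWT request returns None here."""
    req = parse_exchange_request(body, accepted_subject_types)
    if req["subject_token_type"] == TYPE_SAML2:
        return check_saml2_assertion(req["subject_token"], expected_audience, now)
    return None


def refusal(body, accepted_subject_types, expected_audience, now):
    """Returns the error string for a refused request, or None if it was accepted."""
    try:
        exchange_subject(body, accepted_subject_types, expected_audience, now)
        return None
    except ExchangeError as err:
        return str(err)


# Constructed sample data (unsigned assertion, made-up hosts; test data only).
AUDIENCE = "https://keycloak.example.test/auth/realms/demo"
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_constructed" Version="2.0" '
    'IssueInstant="2019-08-30T14:00:00Z">'
    "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    "<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>"
    '<saml:Conditions NotBefore="2019-08-30T14:00:00Z" NotOnOrAfter="2019-08-30T14:05:00Z">'
    f"<saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>"
    "</saml:Conditions></saml:Assertion>"
)
NOW = dt.datetime(2019, 8, 30, 14, 2, tzinfo=dt.timezone.utc)    # inside the validity window
LATER = dt.datetime(2019, 8, 30, 14, 10, tzinfo=dt.timezone.utc)  # after NotOnOrAfter


def sample_body(token_type=TYPE_SAML2):
    """Builds the form body a client would POST to the token endpoint."""
    return urlencode({
        "grant_type": GRANT_TOKEN_EXCHANGE,
        "subject_token": base64.b64encode(SAMPLE_ASSERTION.encode()).decode(),
        "subject_token_type": token_type,
        "requested_token_type": TYPE_ACCESS_TOKEN,
    })


if __name__ == "__main__":
    print("today:   ", refusal(sample_body(), ACCEPTED_TODAY, AUDIENCE, NOW))
    print("extended:", exchange_subject(sample_body(), ACCEPTED_WITH_SAML, AUDIENCE, NOW))
    print("expired: ", refusal(sample_body(), ACCEPTED_WITH_SAML, AUDIENCE, LATER))
```

Running the script prints the refusal the current allowlist produces for a saml2 subject token, the NameID the extended allowlist would resolve, and the refusal for the same assertion once its NotOnOrAfter has passed; the audience and time-window checks are the ones that keep a relaxed subject_token_type check from turning any assertion the IdP ever issued into an internal token.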
