[keycloak-user] Token exchange without configured policy

Виталий Ищенко betalb at gmail.com
Wed Feb 14 14:14:52 EST 2018


Hi

I've been experimenting with internal-to-internal token exchange [1] and
managed to exchange a token without a configured policy.

My original token belongs to a public client (token_owner_klient_id) and I'm
trying to exchange it with the audience set
to a confidential client that allows only the client credentials grant
(confidential_client).

If I execute the request as provided in the documentation, access is denied, but if
I provide confidential_client + confidential_client_secret, the
exchange operation succeeds.

The only difference between the tokens issued with and without a policy is that with
a policy the azp claim is set correctly to token_owner_klient_id.

The question is: is this correct behaviour from the perspective of token
exchange?

curl -v -X POST --user confidential_client:confidential_client_secret \
    -d "client_id=token_owner_klient_id" \
    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
    -d "subject_token=${TOKEN}" \
    --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
    -d "audience=confidential_client" \
    http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token

[1]
http://www.keycloak.org/docs/latest/securing_apps/index.html#internal-token-to-internal-token-exchange
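As an added example (not part of the original post and not Keycloak's own code), the script below builds the two request variants the post compares, the documented one with only client_id in the body and the one that also authenticates as confidential_client over HTTP Basic, and then inspects the azp and aud claims of whatever token comes back, which is the check the post relies on to tell the two outcomes apart. The token endpoint, client names and claim values are taken from the post; the sample tokens are constructed here (HS256 with a throwaway key, where Keycloak would use RS256) so the script runs offline, and the azp value used for the "mismatch" sample is an assumption chosen only to illustrate a failing check.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Values from the post; the endpoint is the one in the curl command.
TOKEN_ENDPOINT = "http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"


def exchange_request(subject_token, client_id, audience, auth=None):
    """Build (headers, body) for a token-exchange POST to TOKEN_ENDPOINT.

    auth=None reproduces the documented request: only client_id in the body.
    auth=("confidential_client", "secret") adds HTTP Basic client authentication,
    which is the variant the post reports as succeeding without a policy.
    """
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "subject_token": subject_token,
        "requested_token_type": REFRESH_TOKEN_TYPE,
        "audience": audience,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth is not None:
        cred = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    return headers, urlencode(form)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def unverified_claims(jwt):
    """Decode a JWT payload WITHOUT checking the signature; for inspection only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_exchanged_token(jwt, expected_azp, expected_aud):
    """Return the claim mismatches found in an exchanged token.

    azp should name the client the subject token was issued to (the requester)
    and aud should include the audience that was asked for. An empty list means
    the token looks like the policy-governed exchange described in the post.
    """
    claims = unverified_claims(jwt)
    findings = []
    if claims.get("azp") != expected_azp:
        findings.append(f"azp is {claims.get('azp')!r}, expected {expected_azp!r}")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if expected_aud not in aud:
        findings.append(f"aud {aud!r} does not include {expected_aud!r}")
    return findings


# Constructed sample tokens: HS256 with a throwaway key so the example runs
# offline. Real Keycloak tokens are RS256; key and claims are not from the post.
_DEMO_KEY = b"constructed-demo-key"


def make_demo_token(claims):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(_DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


if __name__ == "__main__":
    headers, body = exchange_request(
        "SUBJECT_TOKEN", "token_owner_klient_id", "confidential_client",
        auth=("confidential_client", "confidential_client_secret"))
    print(headers["Authorization"], body)
    good = make_demo_token({"azp": "token_owner_klient_id", "aud": "confidential_client"})
    print(check_exchanged_token(good, "token_owner_klient_id", "confidential_client"))
```

To use it against a live realm, POST the returned headers and body to TOKEN_ENDPOINT with any HTTP client and pass the access_token from the JSON response to check_exchanged_token; a non-empty result for the Basic-authenticated variant is the discrepancy the post describes.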

