[keycloak-user] Token exchange without configured policy
Виталий Ищенко
betalb at gmail.com
Fri Mar 23 07:08:01 EDT 2018
Hello again, wanted to come up with the same question again, for me, this
behaviour looks like a bug, but I'm not sure
On Wed, Feb 14, 2018 at 10:14 PM Виталий Ищенко <betalb at gmail.com> wrote:
> Hi
>
> I've been experimenting with internal to internal token exchange [1] and
> managed to exchange token without configured policy
>
> My original token belongs to public client (token_owner_klient_id) and I'm
> trying to exchange it with audience set
> to a confidential client that allows only client credentials grant
> (confidential_client).
>
> If I execute request as provided in documentation access is denied, but if
> I'll provide confidential_client+confidential_client_secret
> exchange operation succeeds.
>
> The only difference in tokens issued with and without policy is that with
> policy azp claim is set correctly to token_owner_klient_id.
>
> The question is -- is it correct behaviour from the perspective of token
> exchange?
>
> curl -v -X POST --user confidential_client:confidential_client_secret \
> -d "client_id=token_owner_klient_id" \
> --data-urlencode
> "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
> -d "subject_token=${TOKEN}" \
> --data-urlencode
> "requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
> -d "audience=confidential_client" \
>
> http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token
>
> [1]
> http://www.keycloak.org/docs/latest/securing_apps/index.html#internal-token-to-internal-token-exchange
>
More information about the keycloak-user
mailing list