[keycloak-user] Token exchange without configured policy

[Виталий Ищенко]

Looks like I found a possible answer in the documentation. If I got this
correctly, naked exchanges are allowed for confidential client, but one
question is still open: why azp claim is different?

On Fri, Mar 23, 2018 at 2:08 PM Виталий Ищенко <betalb at gmail.com> wrote:

> Hello again, wanted to come up with the same question again, for me, this
> behaviour looks like a bug, but I'm not sure
>
> On Wed, Feb 14, 2018 at 10:14 PM Виталий Ищенко <betalb at gmail.com> wrote:
>
>> Hi
>>
>> I've been experimenting with internal to internal token exchange [1] and
>> managed to exchange token without configured policy
>>
>> My original token belongs to public client (token_owner_klient_id) and
>> I'm trying to exchange it with audience set
>> to a confidential client that allows only client credentials grant
>> (confidential_client).
>>
>> If I execute request as provided in documentation access is denied, but
>> if I'll provide confidential_client+confidential_client_secret
>> exchange operation succeeds.
>>
>> The only difference in tokens issued with and without policy is that with
>> policy azp claim is set correctly to token_owner_klient_id.
>>
>> The question is -- is it correct behaviour from the perspective of token
>> exchange?
>>
>> curl -v -X POST --user confidential_client:confidential_client_secret \
>>     -d "client_id=token_owner_klient_id" \
>>     --data-urlencode
>> "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
>>     -d "subject_token=${TOKEN}" \
>>     --data-urlencode
>> "requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
>>     -d "audience=confidential_client" \
>>
>> http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token
>>
>> [1]
>> http://www.keycloak.org/docs/latest/securing_apps/index.html#internal-token-to-internal-token-exchange
>>
>