[keycloak-user] Refreshing exchanged token
Paolo Tedesco
Paolo.Tedesco at cern.ch
Thu Nov 8 09:37:08 EST 2018
Hi all,
I have a problem refreshing an exchanged token, and I would need some help to understand if I'm doing something wrong.
I have two test confidential clients, client_1 and client_2, and client_1 is allowed to exchange tokens for client_2.
First, I get a token for client_1, then I use token exchange to get a token for client_2. The token that I have at this point looks like this (snipped):
session_state: 30b295b9-7278-4c9e-b5c4-0927e111a676
token_type: bearer
access_token (decoded claims):
aud = client_2
clientId = client_1
refresh_token (decoded claims):
aud = client_2
azp = client_1
So far, everything is fine, but the problem comes when I try to refresh the token for client_2 that I got from the previous call.
The call I'm making is
POST https://<server>/auth/realms/master/protocol/openid-connect/token
client_id = client_1
client_secret = <client secret for client_1>
grant_type = refresh_token
refresh_token = <the refresh_token string from the exchanged token>
What I would expect is to get a new token with aud = client_2; instead I get a new token with aud = client_1:
session_state: 30b295b9-7278-4c9e-b5c4-0927e111a676
token_type: bearer
access_token:
aud = client_1
clientId = client_1
refresh_token:
aud = client_1
azp = client_1
Is this correct? Should I just get a new token through token exchange in this case, instead of refreshing the existing one?
Thanks,
Paolo Tedesco
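The sequence described in the post (exchange a client_1 token for one audienced to client_2, then send the exchanged refresh_token back with client_1's credentials) reproduced as a small checker. This is an added example, not code from the post or from the Keycloak project. It assumes Keycloak's token-exchange grant (grant_type urn:ietf:params:oauth:grant-type:token-exchange with subject_token and audience), keeps the post's `<server>` placeholder in TOKEN_URL, and exercises the claim comparison offline on constructed JWTs with a dummy signature; `decode_claims` deliberately does not verify signatures, so use it only to inspect what the server returned, never to trust a token.

```python
"""Token exchange followed by refresh: does the refreshed token keep the
exchanged audience? Added example; assumptions are marked in comments."""
import base64
import json
import urllib.parse
import urllib.request

# Placeholder host taken from the post; substitute the real server.
TOKEN_URL = "https://<server>/auth/realms/master/protocol/openid-connect/token"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def exchange_form(client_id, client_secret, subject_token, audience):
    """Form body for Keycloak token exchange: the requesting client presents
    its own access token as subject_token and asks for one for `audience`."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "audience": audience,
    }


def refresh_form(client_id, client_secret, refresh_token):
    """Form body for the refresh_token grant, exactly as in the post."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    }


def post_form(url, form):
    """POST an x-www-form-urlencoded body and return the JSON response.
    Only used against a live server; the offline walkthrough never calls it."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Payload claims of a compact JWT, WITHOUT signature verification.
    Good enough to see what the server issued, never a basis for trust."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def audiences(claims):
    """`aud` may be a single string or a list; normalise to a set."""
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)


def audience_preserved(exchanged_claims, refreshed_claims):
    """True if every audience of the exchanged token survived the refresh."""
    return audiences(exchanged_claims) <= audiences(refreshed_claims)


def make_sample_jwt(claims):
    """CONSTRUCTED test token: RS256 header, given claims, dummy signature.
    Not issued by Keycloak; exists only so the checks run offline."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


def walkthrough():
    """Offline replay of the post's observation using constructed tokens."""
    exchanged_refresh = make_sample_jwt({"aud": "client_2", "azp": "client_1"})
    refreshed_access = make_sample_jwt({"aud": "client_1", "azp": "client_1"})
    before, after = decode_claims(exchanged_refresh), decode_claims(refreshed_access)
    return {
        "exchanged_aud": sorted(audiences(before)),
        "refreshed_aud": sorted(audiences(after)),
        "audience_preserved": audience_preserved(before, after),
    }


def live_check(client_id, client_secret, client_1_access_token, audience):
    """Against a real server: exchange, refresh, compare (not run offline)."""
    exchanged = post_form(TOKEN_URL, exchange_form(client_id, client_secret,
                                                   client_1_access_token, audience))
    refreshed = post_form(TOKEN_URL, refresh_form(client_id, client_secret,
                                                  exchanged["refresh_token"]))
    return audience_preserved(decode_claims(exchanged["refresh_token"]),
                              decode_claims(refreshed["access_token"]))


if __name__ == "__main__":
    print(json.dumps(walkthrough(), indent=2))
```

With the constructed tokens mirroring the post, `walkthrough()` reports `audience_preserved: False`; pointing `live_check` at a real realm shows whether the deployed server behaves the same way, and if it does, re-running the exchange rather than the refresh is the only way to obtain a fresh client_2-audienced token.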