[keycloak-user] Token exchange cross realm

triton oidc triton.oidc at gmail.com
Wed Mar 6 11:49:09 EST 2019


Hi Keycloak masters

I've done the token exchange in the same realm;
here is a link to my scenario:
https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhjaGFuZ2UgKEtleWNsb2FrKQoKcGFydGljaXBhbnQgVXNlciBhcyBVAAkNQXBwMSBhcyAxAB8NSURQIGFzIElEUAAdEDIgYXMgMgoKbm90ZSBvdmVyIFU6VGhlIHUAWQVuZCBhbGwgdGhlIGFwcCBhcmUgaW4ACgVzYW1lIHJlYWxtADALMTp0aGlzIEFwcCBpcyBPSURDIHByb3RlY3RlZApVLT4xOgCBMAVnb2VzIHRvAFAHIHdpdGggYQCBcAdmcm9tIElEUFxuKHNpbXBsaWZpY2F0aW9uKQBSFndhbnQgdG8gZG8gYSBjYWxsIG8AgRsGYXBwMlxub24gYmVoYWxmIG9mAIFCBXVzZXIKMS0-SURQOnJlcXVlc3QAgmEQAH4FQVBQMSB0bwCBRwUyXG51c2luZwCCDwYAgxoFLACCNgZjbGllbnRJRACCJQUAgnYFY3JlZGVudGlhbHMKSURQLS0-MTpyZXR1cm4gYWNjZXNzAIFgCG9yAIJ6BQoxLT4yOmJhY2tlbmQAgTsGAGYGACIMAIMTCzI6T3B0aW9ubmFsCjIAgUEGZ2V0dXNlcmluZm8AKRMsXG4AgzcIaXMgc3VyZQCBfwwncyBpAIErBXR5AIFdCElEUCdzIHRydXN0AIE7BzIAgToIAF8LCjIAgU8MAIE0DAoxLS0-VQCBbQgKCg&s=rose

I'm trying to do the same cross-realm, following this documentation:
https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange

Here is a link to my draft:
https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhjaGFuZ2UgQ3Jvc3MgcmVhbG0gRHJhZnQgKEtleWNsb2FrKQoKcGFydGljaXBhbnQgVXNlciBhcyBVAAkNQXBwMSBhcyAxAB8NSURQABEFSURQAAgRMgASBzIAOBAAFAUyCgpub3RlIG92ZXIgVTpUaGUgdQB0BW5kIGFsbCB0aGUgYQBvBXJlIGluAAsFc2FtZQCBPQYAMQsxOnRoaXMgQXBwIGlzIE9JREMgcHJvdGVjdGVkClUtPjE6AIFMBWdvZXMgdG8AUQcgd2l0aCBJRABqBUFjY2VzcwCCKgdmcm9tIElEUFxuKHNpbXBsaWZpY2F0aW9uKQBeFndhbnQgdG8gZG8gYSBjYWxsIG8AgScGYXBwMlxub24gYmVoYWxmIG9mAIFPBXVzZXIKMS0-SURQMjpyZXF1ZXN0AIMcEACAfwVBUFAxIHRvAIJFBVxudXNpbmcAghwGAINUBQpJRFAyLS0-MTpyZXR1cm4gYQCBOA1vcgCCdAYxLT4yOmJhY2tlbmQAgRgGAEMGACIMAIJ9CzI6T3B0aW9ubmFsCjIAgR0HZ2V0dXNlcmluZm8AKhMsXG4AgyMHIGlzIHN1cmUAgV0MJ3MgaWRlbnRpdHkAgTsISURQJ3MgdHJ1c3QAgTwIMgCBPAgAYAsKAIFQDQCBNgwKMS0tPlUAgW8ICgo&s=rose

However, I don't know which client credentials to put in the query.
My app only knows its own credentials (*app1_clientID* and
*app1_clientSecret*)
and wants to get an access token in Realm2 (R2) for the clientID
"*secured_R2*".
The broker on IDP2 is using the clientID "*R1_for_R2*" on IDP1.
The alias of the broker is "*R2_for_R1_users*".

curl -X POST \
    -d "client_id=*app1_clientID*" \
    -d "client_secret=*app1_clientSecret*" \
    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
    -d "subject_token=*my_token_obtained_using_app1_clientID*" \
    -d "subject_issuer=*R2_for_R1_users*" \
    --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
    -d "audience=*secured_R2*" \
    "http://*IDP2*/auth/realms/*R2*/protocol/openid-connect/token"

I got an "invalid credentials" error, which makes sense because IDP2 can't
verify the credentials of App1, which is linked to realm1 (IDP1).
I know I missed something.
If someone could give me a hint...

Once I understand, I'm willing to propose an update to the documentation.

Thanks for any help

Amaury
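The request above, rebuilt as an added Python example (not code from the post, and not Keycloak's own code). It builds the external-to-internal token-exchange form body for the target realm's token endpoint and, going one step beyond the post, reads the subject token's `iss` claim to tell a same-realm exchange from a cross-realm one before anything is sent. Assumptions: the hosts `idp1.example` and `idp2.example`, the client `app1_in_R2` with its secret, the sample token (constructed, unsigned, for offline use only), and the placement of the client credentials in the target realm, which follows the linked documentation's example where the client and the token endpoint belong to the same realm; the realm, audience and identity-provider alias names are the placeholders from the post.

```python
# Added example: not from the mailing-list post or the Keycloak project.
# Builds the external-to-internal token-exchange request from the linked
# Keycloak docs offline and checks which realm issued the subject token.
# Hosts, the client app1_in_R2 and its secret are assumptions; R2,
# secured_R2 and R2_for_R1_users are the placeholders from the post.
import base64
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Read the payload of a compact JWT WITHOUT verifying the signature.

    Only for inspecting 'iss' before sending; the target realm verifies the
    signature itself, through its identity-provider configuration.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def realm_issuer(base_url: str, realm: str) -> str:
    """Issuer URL Keycloak puts in the 'iss' claim of a realm's tokens."""
    return f"{base_url}/auth/realms/{realm}"


def build_exchange_request(base_url, target_realm, client_id, client_secret,
                           subject_token, subject_issuer, audience):
    """Return (token_endpoint, form_body) for an external-to-internal exchange.

    The request goes to the TARGET realm's token endpoint, so client_id and
    client_secret are assumed to belong to a client registered in that realm
    (as in the linked docs); subject_issuer is the alias of the identity
    provider through which the target realm trusts the external token.
    """
    endpoint = realm_issuer(base_url, target_realm) + "/protocol/openid-connect/token"
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_issuer": subject_issuer,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
    }
    return endpoint, urlencode(form)


def exchange_kind(subject_token: str, target_base_url: str, target_realm: str) -> str:
    """'internal' if the target realm issued the subject token itself,
    'external' if another issuer did (then subject_issuer is required)."""
    iss = jwt_claims(subject_token).get("iss")
    return "internal" if iss == realm_issuer(target_base_url, target_realm) else "external"


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline use only. A real subject
    token is signed by the issuing realm and must never be built like this."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample: a token obtained by app1 in realm R1 on IDP1.
SAMPLE_R1_TOKEN = make_sample_token({
    "iss": "https://idp1.example/auth/realms/R1",
    "azp": "app1_clientID",
    "sub": "user-1",
    "preferred_username": "alice",
})

if __name__ == "__main__":
    print(exchange_kind(SAMPLE_R1_TOKEN, "https://idp2.example", "R2"))
    endpoint, body = build_exchange_request(
        "https://idp2.example", "R2",
        "app1_in_R2", "app1_in_R2_secret",   # assumed client registered in R2
        SAMPLE_R1_TOKEN, "R2_for_R1_users", "secured_R2")
    print(endpoint)
    print(body)
```

The form body is what the curl command in the post sends; the difference is only which client's credentials go in `client_id`/`client_secret`, and `exchange_kind` makes the cross-realm situation visible from the token's own `iss` claim before the request is made.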
