
I've been trying to use the Keycloak Impersonation API (semi-recent addition) to get an access token for another user. I have created a semi-successful CURL request based on the docs and another StackOverflow question. The CURL request (below) returns a 501 Not Implemented and I am trying to figure this out. If it would be another error I would assume I am doing something incorrectly, but this appears to be at least partially correct.

curl --verbose -X POST "http://localhost:8081/auth/realms/master/protocol/openid-connect/token" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
 -d "client_id=admin-cli" \
 -d "requested_subject={TARGET_USER_ID}" \
 -d "subject_token={USER_MANAGER_TOKEN}"

My workflow so far has been to get the Keycloak master realm "admin" user's access token (successful) and use that in the impersonation request, along with the target user's Keycloak ID. Am I doing something wrong or missing a step?

I haven't changed any Keycloak permissions, is this required?

From my understanding and the documentation, impersonation is currently supported and enabled by default in Keycloak v5 - Server Installation. However, another article (Keycloak v5 - Token Exchange) seems to indicate that the feature is disabled by default; could this be why I am getting the 501 Not Implemented?

EDIT: @qdivision mentioned that the Token Exchange needs to be enabled for this to work. However, we are using the jboss/keycloak Docker image and I am wondering where I should add the profile.properties file to enable this feature?

Kendall

1 Answer


Impersonation is enabled by default, Token Exchange is not.

To enable it, start the server with -Dkeycloak.profile=preview or -Dkeycloak.profile.feature.token_exchange=enabled, as mentioned in the docs:

https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

qdivision
  • Ah, thank you for clarifying that. Will this be the cause of the `501 Not Implemented` error? Also, do you know how to start the server with these commands when using the `jboss/keycloak` Docker image? – Kendall Aug 14 '19 at 15:03
  • Yes, it will result in 501. I use `docker-compose` and set environment variables. For direct docker run try something like `docker run -it --env JAVA_OPTS="-Dkeycloak.profile=preview" jboss/keycloak` – qdivision Aug 14 '19 at 15:10
  • From reading the documentation I see I can either start the server with a profile flag or add a `profile.properties` file (my preference). Just curious if you know where this would get added since we are using the Docker image. – Kendall Aug 14 '19 at 15:13
  • I updated my previous comment. Maybe that will work for you. I've not used profile.properties. Sorry. – qdivision Aug 14 '19 at 15:15
  • No problem, we're using Docker Compose to run the Docker container so I'm not sure where I could specify those commands. Thanks for pointing me in the right direction though! – Kendall Aug 14 '19 at 15:44
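As an added example (not from the question, the answer or the Keycloak project itself), here is a docker-compose service for the jboss/keycloak image that passes the feature flag through JAVA_OPTS, the approach the comment above suggests for `docker run`. The service name, port mapping and bootstrap admin credentials are placeholders; only the narrower token_exchange flag is enabled rather than the whole preview profile.

```yaml
version: "3"
services:
  keycloak:
    image: jboss/keycloak
    ports:
      - "8081:8080"   # matches the localhost:8081 URL used in the question's curl request
    environment:
      KEYCLOAK_USER: admin          # placeholder bootstrap admin credentials
      KEYCLOAK_PASSWORD: change-me  # placeholder, replace before use
      # Enable only the Token Exchange feature (fixes the 501 Not Implemented).
      # -Dkeycloak.profile=preview would also work, but it switches on every
      # preview feature, not just this one, so prefer the single-feature flag.
      # Caveat: setting JAVA_OPTS replaces the image's default JVM options
      # (heap size etc.), so add any of those you rely on to this same value.
      JAVA_OPTS: "-Dkeycloak.profile.feature.token_exchange=enabled"
```

After `docker-compose up`, the token-exchange POST from the question should no longer return 501; whether the exchange then succeeds still depends on the calling client's token-exchange permissions, which this file does not change.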