
I am trying to impersonate a user in Keycloak who has the role user (tony123) by using another user (superadmin).

Superadmin has the impersonation role of the realm-management client assigned.

I am also able to generate a token for superadmin in the source client (source-client):

curl --location --request POST 'http://localhost:8180/auth/realms/mytenant/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=superadmin' \
--data-urlencode 'password=c3VwZXJhZG1pbg==' \
--data-urlencode 'client_id=source-client' \
--data-urlencode 'client_secret=source-client-secret'

I have also set up internal-token-to-internal-token client token exchange by following the steps below.

  1. Run Keycloak with the command line args -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled
  2. Set up the token exchange permission in the target client. Add a client-based policy with source-client as the client.
  3. Enabled permissions on the Users tab.
  4. Set up the admin-impersonating.permission.users permission. Added a client-based policy with source-client as the client.

With the above setup, I am able to generate an impersonation token using the cURL command below:

curl --location --request POST 'http://localhost:8180/auth/realms/mytenant/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=source-client' \
--data-urlencode 'client_secret=source-client-secret' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token=.....' \
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token' \
--data-urlencode 'audience=target-client' \
--data-urlencode 'requested_subject=<user id of tony123>'   

Using the access_token I get from the above cURL command, I am now trying to access a resource on target-client which tony123 is able to access directly. When I do so, I am getting 403 Forbidden on the call. I am not sure what I am missing here. Thanks in advance.
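As an added diagnostic example (not part of the original question): before chasing the 403 in the resource server, decode the exchanged token's payload locally and check the claims a resource server typically enforces (audience, subject, role, expiry). The sample token below is constructed; the user id, the claim layout and the assumption that target-client checks `aud` and a `user` role are illustrative, not taken from the question.

```python
import base64
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(jwt: str) -> dict:
    """Return the claims of a compact JWS WITHOUT verifying the signature.
    For local inspection only; the resource server still verifies the token."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_exchanged_token(jwt, expected_aud, expected_sub, required_role, now=None):
    """List the claim problems that would typically make the audience reject the token."""
    claims = decode_payload(jwt)
    now = int(time.time()) if now is None else now
    problems = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_aud not in aud:
        problems.append(f"aud {aud} does not include {expected_aud}")
    if claims.get("sub") != expected_sub:
        problems.append(f"sub is {claims.get('sub')!r}, expected {expected_sub!r}")
    realm_roles = claims.get("realm_access", {}).get("roles", [])
    client_roles = claims.get("resource_access", {}).get(expected_aud, {}).get("roles", [])
    if required_role not in realm_roles and required_role not in client_roles:
        problems.append(f"role {required_role!r} missing for audience {expected_aud}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_sample_token(claims: dict) -> str:
    # Constructed token with a placeholder signature; only the payload is inspected.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, b64url_encode(json.dumps(claims).encode()), "sig"])


# Constructed sample: an exchanged token whose audience was NOT widened to target-client.
SAMPLE = make_sample_token({"sub": "tony123-user-id", "aud": ["source-client", "account"],
                            "azp": "source-client", "exp": 4102444800,
                            "realm_access": {"roles": ["user"]}})
```

Run `check_exchanged_token(<token>, "target-client", "<user id of tony123>", "user")` against the real exchanged token; an empty list means the basic claims look right and the 403 must come from the resource server's own policy.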
