
I am using token_exchange to impersonate another user in the same realm. This endpoint works fine for access_token retrieval. However, since the access token will expire after some time, I would like to also have a refresh token so that I can refresh it when the access_token expires.

# requested_token_type must be the RFC 8693 identifier: "...token-type:refresh_token" (the original had the typo "refersh_token")
curl --location --request POST 'https://localhost:8080/auth/realms/demo/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'client_id=democlient1' \
--data-urlencode 'requested_subject=3784f93a-fc2a-48c6-9641-3abb27724b06' \
--data-urlencode 'subject_token=xxxxx' \
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:refresh_token'

When I set requested_token_type=urn:ietf:params:oauth:token-type:access_token it is working. I am getting the access_token and expires values.

As per this documentation, https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/token-exchange/token-exchange.adoc, I can get refresh_token, access_token and id_token.

Not sure why this is unsupported. Keycloak version is 11.0.3.

Uma Ilango

2 Answers


For the issue on the id_token, found that this was a case of incorrect documentation.

But the hack they suggest works, which is to set the scope to "openId" if you want an id_token and leave the requested token to access_token.


Is democlient1 a public client? My requests for impersonation always need a client secret. The logs on the server help a lot if you activate DEBUG logging for

org.keycloak.protocol.oidc
org.keycloak.services.managers.AuthenticationManager
gschaden
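The two points raised across the question and this answer, a confidential client sending its secret with the exchange and a correctly spelled RFC 8693 requested_token_type, as an added example that is not code from the question, the answers or Keycloak itself. It assumes a confidential client named democlient1 that already has token-exchange and impersonation permissions, and it validates the token-type identifier locally so a typo like "refersh_token" fails before the request ever reaches the server.

```python
# Keycloak token exchange (RFC 8693) for impersonation, then refresh of the
# exchanged token. Standard library only, so it runs without extra packages.
import json
import urllib.parse
import urllib.request

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
# Token type identifiers from RFC 8693 section 3; anything else is a typo
# that the server will reject, so we catch it client-side.
TOKEN_TYPES = {
    "access_token": "urn:ietf:params:oauth:token-type:access_token",
    "refresh_token": "urn:ietf:params:oauth:token-type:refresh_token",
    "id_token": "urn:ietf:params:oauth:token-type:id_token",
}


def is_valid_token_type(token_type):
    """True only for the identifiers defined in RFC 8693."""
    return token_type in TOKEN_TYPES.values()


def build_exchange_form(client_id, client_secret, subject_token,
                        requested_subject, requested_token_type):
    """Form fields for an impersonation exchange by a confidential client.
    The requested token type is checked before anything is sent."""
    if not is_valid_token_type(requested_token_type):
        raise ValueError(f"unknown requested_token_type: {requested_token_type}")
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,  # the answer's point: secret required
        "subject_token": subject_token,
        "subject_token_type": TOKEN_TYPES["access_token"],
        "requested_subject": requested_subject,  # user id to impersonate
        "requested_token_type": requested_token_type,
    }


def build_refresh_form(client_id, client_secret, refresh_token):
    """Form fields that renew the exchanged access token with its refresh token."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}


def post_form(token_endpoint, form):
    """POST a urlencoded form to the token endpoint and return the JSON body."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(token_endpoint, data=data, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Call post_form with the realm's token endpoint (for the question's setup, https://localhost:8080/auth/realms/demo/protocol/openid-connect/token) and the form from build_exchange_form requesting TOKEN_TYPES["refresh_token"]; the response's refresh_token then goes into build_refresh_form when the access token nears expiry.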