I am using Keycloak 17.0 with

keycloak.profile.feature.admin_fine_grained_authz=enabled
keycloak.profile.feature.token_exchange=enabled

The issue: I need to provide a refresh token for a client on behalf of an already authenticated confidential service-account client. I need something very close to the internal-to-internal token exchange as described here. The only thing is that I need to make the token exchange call without the subject_token parameter. Is it possible to have a client that will provide tokens for other internal clients without their authentication/tokens?

  • 'Is it possible to have a client that will provide tokens for other internal clients without their authentication/tokens?' Which kind of use-case do you need? Why not directly get the token from the internal client? – dreamcrash Apr 20 '22 at 07:10
  • @dreamcrash sounds like something I am looking for. I thought that I can get the token from the internal client only by the password grant type. And this is the opposite of my actual use case: the requirement is to provide a refresh token for a client passwordlessly. Could you please tell me how I should get the token from the internal client? – user3173510 Apr 20 '22 at 07:59
  • Have a look at the client credentials workflow. Which type of application do you have? Backend + frontend? – dreamcrash Apr 20 '22 at 08:00
  • Yes, it's a backend + frontend application. I am not sure where the credentials workflow is, but I assume that this is Authentication Flow Overrides. It's empty for both Browser flow and Direct grant flow. – user3173510 Apr 20 '22 at 08:30
  • You just need to go to the client, select "Access Type", select 'confidential' and enable the workflow 'Service Accounts Enabled' – dreamcrash Apr 20 '22 at 09:14
  • The client that provides the token is already set up as a service account and it is confidential. But the subject_token (from my initial post) needs to be provided by the client that needs the refresh token. The issue is that one of the requirements is that the requesting client should be public, not confidential. Is it possible to provide a refresh token from a service-account confidential client to a public one without subject_token? – user3173510 Apr 20 '22 at 09:25
  • I don't think so – dreamcrash Apr 20 '22 at 10:10
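For reference, this is what the internal-to-internal exchange discussed above looks like when driven from Python. It is an added example, not code from the question or from Keycloak; the token endpoint URL, client ids and secret are placeholders. `subject_token` is a required parameter of the token-exchange grant (RFC 8693), which is why the helper refuses to build a request without one rather than sending a request Keycloak would reject.

```python
import json
import urllib.parse
import urllib.request

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Placeholder deployment values (assumptions, not taken from the question).
TOKEN_ENDPOINT = "https://keycloak.example.invalid/realms/demo/protocol/openid-connect/token"
SERVICE_CLIENT_ID = "service-account-client"   # confidential, Service Accounts Enabled
SERVICE_CLIENT_SECRET = "<client-secret-placeholder>"
PUBLIC_CLIENT_ID = "frontend-public-client"    # client that should receive the refresh token


def build_exchange_request(client_id, client_secret, subject_token, audience,
                           requested_token_type=REFRESH_TOKEN_TYPE):
    """Build the form body for a Keycloak internal-to-internal token exchange.

    The confidential client authenticates with id + secret, but the exchange
    acts on the identity carried in subject_token: without it there is no
    subject to issue a token for, so fail early instead of sending the request.
    """
    if not subject_token:
        raise ValueError("token exchange requires a subject_token (RFC 8693)")
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": requested_token_type,
        "audience": audience,
    }


def post_form(endpoint, form):
    """POST an application/x-www-form-urlencoded body and decode the JSON reply."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(endpoint, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def exchange_for_refresh_token(subject_access_token):
    """Exchange a user's access token into a refresh token scoped to the public client."""
    form = build_exchange_request(SERVICE_CLIENT_ID, SERVICE_CLIENT_SECRET,
                                  subject_access_token, PUBLIC_CLIENT_ID)
    return post_form(TOKEN_ENDPOINT, form)
```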