Questions tagged [token-exchange]

OAuth 2.0 Token Exchange

This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.

17 questions
8 votes, 1 answer

Establish SSO/set cookies with access or id token/token exchange

I'm allowing users logged in to an external application to jump into our application with their access token through Keycloak's identity brokering and external-to-internal token exchange. Now I'd like to establish an SSO session in an embedded…
6 votes, 1 answer

Keycloak token exchange across realms

We use Keycloak 12.02 for this test. The idea is that we have a lot of customers, each of which has its own realm. We want to be able to impersonate a user in any non-master realm for an admin/support user in the master realm. The flow would be…
3 votes, 1 answer

How to solve - Keycloak - Client not allowed to exchange

I tried to implement Keycloak direct naked impersonation from the documentation, but in the end I got the error: "error": "access_denied", "error_description": "Client not allowed to exchange". This is the Postman setup, with the admin-cli, clientId and…
dragon
2 votes, 1 answer

OAuth 2 - TokenExchange use cases

I have been reading about token exchange and each document talks about different use cases: API gateway use case (https://tyk.io/blog/res-oauth2-token-exchange-rfc8693/) : Client Application gets an access token for API gateway and API gateway…
Jack
2 votes, 2 answers

Keycloak impersonation via token-exchange does not work without roles info in the token

Our system uses a minimalistic token that does not include realm roles and client roles. Everything worked fine - after token validation we get all the information about user roles and groups from /userinfo. But recently we need to enable…
zo0M
2 votes, 1 answer

Token Exchange - Android + Google + Keycloak

Context: I'm developing a native Android app, authenticating it with Google Sign-In, and it is working. I also have a Keycloak server integrated with Google as an identity provider, and it is also working. I'm able to import my account from Google on my…
2 votes, 0 answers

Keycloak Cross Realm Token Exchange

I am new to Keycloak, and I was struggling with how to initiate a token exchange request. I have an OpenID client A configured in Realm A. My requirement is to exchange the token I received from client A to get the token from client B configured in…
Sachin Bose
2 votes, 1 answer

Keycloak reauthenticate an Authenticated user with a different client

If I have a user that has authenticated with Keycloak with public client C1 under realm R, is there an endpoint I can hit in Keycloak that will generate a new access token for a different public client C2 under the same realm R? [Update #1] I tried…
Shane Rowatt
1 vote, 1 answer

NPE in Keycloak internal token-exchange

I'm trying to achieve an internal token exchange in Keycloak 17.0.1, however, the server returns an unknown error (NullPointerException). My scenario is: I have three microservices, A, B, and C. A calls B, which is an intermediate service that needs…
1 vote, 1 answer

Shape of the "act" claim after token exchange in a system context

I am currently implementing an OAuth token exchange STS and am struggling a bit. The standard is defined in https://www.rfc-editor.org/rfc/rfc8693. My use case involves a chain of system-to-system calls, triggered by a user (principal) action. I want…
Stefan
0 votes, 0 answers

Exchanging OAuth/OIDC Access Token

I have this use case and I'm wondering how to effectively use the token-exchange protocol. My use case is this: App 1 authenticates with the OAuth server (OIDC) and obtains an ID token and an access token. It can use the access token to call APIs (e.g. userInfo…
Jack
0 votes, 1 answer

Keycloak token exchange does not return refresh token

I have an application with a regular REST API, and I'm using Keycloak for the authentication. The frontend is a React application with its own Client ID (no secret because it's a public page), the backend is a Node application with another Client ID…
Belinde
0 votes, 0 answers

How to set First broker login to Keycloak token exchanging client?

I have a Keycloak client that exchanges a Google access token for a Keycloak token via an HTTP request to /auth/realms/REALM/protocol/openid-connect/token. This client is linked to the Google IdP, but by default uses another authentication flow. When the token is…
0 votes, 1 answer

Keycloak "error_description": "Missing form parameter: grant_type" error

I am currently trying to do token exchange from Google to Keycloak, and now I am facing this error: "error_description": "Missing form parameter: grant_type". Postman body, content type: this is my configuration in Postman. Keycloak setup
0 votes, 0 answers

How to token-exchange between internal clients on behalf of already authenticated client in Keycloak

I am using Keycloak 17.0 with keycloak.profile.feature.admin_fine_grained_authz=enabled and keycloak.profile.feature.token_exchange=enabled. The issue: I need to provide a refresh token for a client on behalf of an already authenticated confidential service…