Token-exchange + offline


Marco Lettere

Apr 2, 2024, 12:13:14 PM
to Keycloak User

Dear all,

Up to 19.0.2 I had a call that performed a token-exchange in order to exchange an access_token with a pair access_token + refresh_token with scope offline_access.

The call is as per [1].

This doesn't seem to work any longer in 24.0.2. I get back a pair access_token + refresh_token which are not set to be offline_access scoped. Check the two attached images.

Did something change in this process? Is it documented somewhere?

Thank you.

Regards,

Marco.

[1]

--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'scope=offline_access' \
--data-urlencode 'subject_token=e....6g' \
--data-urlencode 'client_id=d4science-example-wp' \
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:refresh_token'

Attachments: 19.0.2.png, 24.0.2.png

Marco Lettere

Apr 2, 2024, 12:57:27 PM
to Keycloak User

Trying to answer myself ... looking at the code at [1] I've the feeling that now the subject_token already needs to be carrying offline_access scope.

My first tests seem to confirm this.

Is this the correct reason for the change in behaviour?

Marco.
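As an added example (not code from this thread, and not Keycloak's own code), the following Python helper builds the same form body as the curl call in [1] and inspects the tokens on both sides of the exchange: it checks whether the subject access_token already carries offline_access in its scope claim (the precondition observed above on 24.0.2), and whether the returned refresh_token actually came back as an offline token rather than an ordinary one, so a silent downgrade to a normal refresh token is caught instead of discovered later. The claim names scope and typ, and the typ values Bearer/Refresh/Offline, are the ones Keycloak puts in its tokens; the sample tokens are constructed and unsigned, and signature verification is assumed to happen elsewhere.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT (empty signature segment) so the checks below
    can run offline. Real Keycloak tokens are signed; this only produces samples."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT. No signature check is done
    here: this inspects claims of tokens whose signature was verified elsewhere."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_scopes(token: str) -> set:
    """Keycloak encodes granted scopes as a space-separated 'scope' claim."""
    return set(decode_jwt_payload(token).get("scope", "").split())


def has_offline_access(token: str) -> bool:
    return "offline_access" in token_scopes(token)


def is_offline_refresh_token(token: str) -> bool:
    """Keycloak marks offline tokens with typ 'Offline'; ordinary refresh
    tokens carry typ 'Refresh'."""
    return decode_jwt_payload(token).get("typ") == "Offline"


def build_exchange_body(subject_token: str, client_id: str) -> str:
    """Form body for the exchange in [1]: trade an access token for a refresh
    token with scope offline_access (same parameters as the curl call)."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "subject_token": subject_token,
        "requested_token_type": REFRESH_TOKEN_TYPE,
        "scope": "offline_access",
        "client_id": client_id,
    })


def check_exchange(subject_token: str, response: dict) -> dict:
    """Report whether the subject token already had offline_access and whether
    the returned pair is actually offline-scoped (access token scope plus
    refresh token typ), so a downgrade to ordinary tokens is visible."""
    access = response.get("access_token", "")
    refresh = response.get("refresh_token", "")
    report = {
        "subject_has_offline_access": has_offline_access(subject_token),
        "access_has_offline_access": bool(access) and has_offline_access(access),
        "refresh_is_offline": bool(refresh) and is_offline_refresh_token(refresh),
    }
    report["exchange_gave_offline_pair"] = bool(
        report["access_has_offline_access"] and report["refresh_is_offline"]
    )
    return report


# Constructed sample tokens (not real Keycloak output): one subject token without
# offline_access, one with it, and the two kinds of response pair seen in the thread.
SUBJECT_ONLINE = make_unsigned_jwt({"typ": "Bearer", "scope": "openid profile"})
SUBJECT_OFFLINE = make_unsigned_jwt({"typ": "Bearer", "scope": "openid profile offline_access"})

RESPONSE_ONLINE = {  # what 24.0.2 returned for a subject token lacking offline_access
    "access_token": make_unsigned_jwt({"typ": "Bearer", "scope": "openid profile"}),
    "refresh_token": make_unsigned_jwt({"typ": "Refresh", "scope": "openid profile"}),
}
RESPONSE_OFFLINE = {  # the pair the exchange is meant to produce
    "access_token": make_unsigned_jwt({"typ": "Bearer", "scope": "openid profile offline_access"}),
    "refresh_token": make_unsigned_jwt({"typ": "Offline", "scope": "openid profile offline_access"}),
}

if __name__ == "__main__":
    print(build_exchange_body("e....6g", "d4science-example-wp"))
    print(check_exchange(SUBJECT_ONLINE, RESPONSE_ONLINE))
    print(check_exchange(SUBJECT_OFFLINE, RESPONSE_OFFLINE))
```

Running check_exchange on a real response makes the two cases in the attached screenshots distinguishable by a single field: exchange_gave_offline_pair is False when the server handed back an ordinary Refresh token, which is the place to fail fast rather than storing a token that will expire with the session.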
