Hello everyone,
I have an issue with impersonation done through token exchange with the internal-to-internal token logic, documented
here. This issue has already been reported
here but unfortunately there are no answers. I also found a Stack Overflow post by the same person
here. I checked and I did not find any solution; I hope someone can guide me here.
Need & Context
A user from client A (called the source client) needs to impersonate a user from client B (the target client).
Client A is kind of a "master application" that enables impersonation on other clients. Both client A and client B are public clients (frontends) and are in the same realm (as are the users).
To be even more precise, my frontend application (client A) calls an API (confidential client Z) to perform the impersonation process on its behalf (in order to do it over the back channel, for security purposes). When confidential client Z receives the request (with the user's access token, the user to impersonate, and the application the future impersonated user belongs to), it sends the request to the Keycloak token endpoint with the following information:
client_id: source-client (client A id)
grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange'
requested_subject: target-user-id
subject_token: impersonator-access-token (issued for client A, with azp set to client A id)
audience: target-client (client B id)
Issue
The impersonated user's access and refresh tokens have their azp claim set to the source client (client A), preventing the target client from refreshing tokens. This azp claim should be the target client (client B).
Is there something I did wrong or misunderstood?
Is there any way to issue impersonated access and refresh tokens from one client to another client with the target client set as the azp, so that the target client can refresh the tokens (and also use the access token)?
Thanks,
Jordan
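As an added diagnostic example (not part of the original post and not Keycloak's own code), this Python script builds the token-exchange request body with the exact parameters listed above and then inspects the azp claim of the returned tokens, so the mismatch described in the post can be checked automatically after each exchange. The Keycloak base URL, realm and client names are assumed placeholders, and the sample token helper produces a constructed, unsigned token for local testing only.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed placeholders (not from the post): adjust to your own deployment.
KEYCLOAK_BASE = "https://keycloak.example.invalid"
REALM = "example-realm"
TOKEN_ENDPOINT = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"


def build_exchange_body(source_client, subject_token, target_user_id, target_client):
    """Form parameters for the internal-to-internal impersonation exchange,
    exactly as listed in the post (client_id is the *source* client)."""
    return {
        "client_id": source_client,
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_subject": target_user_id,
        "subject_token": subject_token,
        "audience": target_client,
    }


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload of a JWT WITHOUT verifying its signature.
    Only for local inspection of claims; never use this for authorization."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def azp_matches(token, expected_client):
    """True when the token's azp is the client that must later refresh it."""
    return jwt_claims(token).get("azp") == expected_client


def make_unsigned_jwt(claims):
    """Constructed sample token (alg none, empty signature) for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def exchange(source_client, subject_token, target_user_id, target_client):
    """Send the exchange to the assumed token endpoint and return the JSON token response."""
    body = build_exchange_body(source_client, subject_token, target_user_id, target_client)
    data = urllib.parse.urlencode(body).encode()
    with urllib.request.urlopen(urllib.request.Request(TOKEN_ENDPOINT, data=data)) as resp:
        return json.load(resp)
```

Call `exchange(...)` with a real impersonator token, then run `azp_matches(tokens["access_token"], "client-b")` and the same for `refresh_token`: with the behaviour described in the post both return False because azp is still the source client.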