Impersonation mints token for wrong client


Adrian-Philipp Leuenberger

Jun 10, 2020, 4:23:23 AM6/10/20
to Keycloak User
Hi there,
I'm trying to issue an access token through impersonation by using a trust client and issuing the token for a public client. I've set up the token exchange permissions and the request works. However, my problem is that the issued token seems to contain the wrong client in AZP.

The following is my request:

curl -v -X POST \
    -d "client_id=impersonator-client" \
    -d "client_secret=<secret omitted>" \
    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
    -d "audience=target-client" \
    --data-urlencode "requested_subject=john.doe" \
    "https://<keycloak-host>/auth/realms/<realm>/protocol/openid-connect/token"  # realm token endpoint; host and realm are placeholders (omitted in the post)

Basically I want to get an access token for user "john.doe" by impersonating the user with the "impersonator-client". The issued token should be minted for "target-client", however, AZP still contains "impersonator-client".

The reason why I'm doing this is because it should be possible to log in using an external authentication workflow, that in the end provides an access token that can then be verified on my backend server, which uses the trusted client for impersonation.

According to the docs (https://www.keycloak.org/docs/latest/securing_apps/#_token-exchange) the audience should define the target client for which the token is supposed to be minted.

Regarding permissions:

I've set up the "admin-impersonating.permission.users" permission with a client policy that references the "impersonator-client". The "target-client" itself is configured with a permission "token-exchange.permission.client.e236d39c-9b9c-4815-b734-90364fea4e91" that includes a client policy that references the "impersonator-client". Did I omit something there? The thing here is that the docs seem to be wrong. The docs use "user-impersonated.permission.users" instead of "admin-impersonating.permission.users". When I tried it like that, the request was even denied.

Is this a bug in Keycloak or did I do something wrong?

Thanks in advance!
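An added example, not the poster's or Keycloak's code: it builds the same token-exchange form body as the curl request above and then inspects the azp and aud claims of the returned token, so a backend can catch the "minted for the wrong client" case before accepting it. The sample token is constructed here with an empty signature; a real deployment verifies the signature against the realm keys first.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def build_impersonation_request(impersonator, secret, audience, subject):
    """Form body of the impersonation request (same parameters as the curl command)."""
    return urlencode({
        "client_id": impersonator,
        "client_secret": secret,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "audience": audience,          # client the token should be minted for
        "requested_subject": subject,  # user being impersonated
    })


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Payload claims of a compact JWT. Signature is NOT checked here."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def check_minted_for(jwt, expected_client):
    """Return problems found: azp must equal expected_client and aud must include it."""
    claims = decode_claims(jwt)
    problems = []
    if claims.get("azp") != expected_client:
        problems.append(f"azp is {claims.get('azp')!r}, expected {expected_client!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # aud may be a string or a list
    if expected_client not in aud:
        problems.append(f"aud {aud!r} does not include {expected_client!r}")
    return problems


def unsigned_jwt(claims):
    """Constructed, unsigned test token (alg=none, empty signature) for offline checks."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed token mirroring the symptom in the post: aud is right, azp is not.
SAMPLE_TOKEN = unsigned_jwt({"preferred_username": "john.doe",
                             "azp": "impersonator-client", "aud": "target-client"})
```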