Reputation: 157
Keycloak Cross Realm Token Exchange
I am new to keycloak, and I was struggling with how to initiate a token exchange request.
I have an OpenID client A configured in Realm A. My requirement is to exchange the token I received from client A, to get the token from client B configured in Realm B.
I was trying out the examples for external to internal token exchange. And I had configured client A as an oidc in Realm B and executing the below cURL:
curl -L -X POST ‘http://localhost:8000/auth/realms/realmB/protocol/openid-connect/token’
-H ‘Content-Type: application/x-www-form-urlencoded’
–data-urlencode ‘client_id=clientA’
–data-urlencode ‘client_secret=clientASecret’
–data-urlencode ‘subject_token=clientAToken’
–data-urlencode ‘subject_issuer=clientA-oidc’
–data-urlencode ‘audience=clientB’
–data-urlencode ‘grant_type=urn:ietf:params:oauth:grant-type:token-exchange’
Thanks In advance
Upvotes: 4
Views: 1222
Answers (1)
Reputation: 157
This method worked for me -
Consider two realms - realm A and realm B.
Step 1: Enable Token Exchange Feature
In the keycloak.conf file, add the following line:
features=token-exchange,admin-fine-grained-authz
This will enable the Token Exchange tab in the admin console.
Step 2: Configure Identity Provider in Target Realm
The target realm will be realm A (realmA).
The source realm will be realm B (realmB).
- In realm A, create an Identity Provider:
Configure > Identity Providers > Add provider > Keycloak OpenID Connect.
- Set a suitable alias (e.g., realm-b-idp). Note this alias as it will be required for the Token Exchange API.
- Enable Use Discovery Endpoint.
- Add the discovery endpoint of realm B, e.g :
https:///realms/realmB/.well-known/openid-configuration.
- If valid, the details of realm B (auth URL, token URL, etc.) will be fetched.
Step 3: Create Clients in Both Realms
- In Realm B (realmB): Create a confidential client (realm-b-client).
- Add the client ID and client secret to the Identity Provider in realm A so that it trusts realm B.
- In Realm A (realmA): Create a confidential client (realm-a-client) for token exchange.
Step 4: Configure Token Exchange Permissions
Go to the Permissions tab in realm A.
Enable permissions and Token Exchange (this option appears only if the token-exchange feature is enabled in Keycloak).
Edit the Token Exchange Scope.
Under Policies, create a Client Policy:
Choose Clients > Provide a suitable name > Add realm A's client (realm-a-client) in the Clients section.
Step 5: Perform Token Exchange
Use the following curl command to exchange a token:
curl -L 'https://<keycloakhost>/realms/realmA/protocol/openid-connect/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
-d 'subject_token=<token generated from realm-b-client>' \
-d 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \
-d 'client_id=realm-a-client' \
-d 'client_secret=<realm-a-client-secret>' \
-d 'subject_issuer=realm-b-idp' \
-d 'audience=realm-a-client' \
-d 'scope=openid profile roles'
Note: Keycloak version i have used is v25
Upvotes: 0
Related Questions
- Keycloak service to service
- keycloak realmresourceprovider corse
- Keycloak: How to log in to another Keycloak instance's realm without redirecting?
- How to use client to post the realm role in Keycloak?
- Keycloak API :- Identify Users Realm for login
- Keycloak - Manage realm with user from different realm
- Setup one keycloak realm as Idp for other keycloak realm
- Keycloak token exchange across realms
- How to import client authorization settings into Keycloak REALM through REST?
- Keycloak user authorization openid-protocol Rest API