How to solve - Keycloak - Client not allowed to exchange
I tried to implement Keycloak direct naked impersonation from documentation, but in the end I got the error:
"error": "access_denied",
"error_description": "Client not allowed to exchange"
This is the Postman setup, with the admin-cli, clientId and with the user, justin, that I want to get the token for, that exists in the Users section.
The admin-cli secret that I used in Postman:
I followed all the steps that are in the Keycloak Direct Naked Impersonation documentation.
Toggle Users Permissions Enabled to On.
Define a policy for this permission.
Add the client policy, "client-impersonators" in my case, to the users' impersonation permission
This is the request setup that Keycloak recommads to have this direct naked impersonation working. You saw this in my above Postman setup.
curl -X POST \
-d "client_id=starting-client" \
-d "client_secret=the client secret" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "requested_subject=wburke" \
http://localhost:8080/realms/myrealm/protocol/openid-connect/token
Inside Docker I have the setup for token_exchange=enabled and admin_fine_grained_authz=enabled
- name: "KEYCLOAK_EXTRA_ARGS"
value: "-Dkeycloak.profile.feature.admin=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled"
I searched days after days about this topic and I tested all the available options that are on internet right now, about this subject, but without any success.
Please anyone if this worked for you, be nice an share how you solved. Or at least please give some ideas, maybe I missed something.
New Policy created for user-impersonate, where I added the user Justin
Then inside the Permissions I added this Policy
The problem is that the documentation contains an image that is wrong, namely:
It should have been a Client Policy with the client admin-cli instead of the user admin.
For instance:
So, you need 2 policies/permissions:
impersonate(i.e., Policies that decide if administrator can impersonate other users), where you create aClient Policyand pass the client "admin-cli" (in your case);user-impersonated(i.e., Policies that decide which users can be impersonated. These policies are applied to the user being impersonated), where you create aUser Policyand pass the user "justin" (in your case).
Step-by-Step : KC 20.0.3 new UI
(Side note you should use other realm and client instead of the master and admin-cli at least in a production environment)
Enable the secret in the admin-cli:
- go to master > clients >
admin-cli - set
Client authenticationtoON
Create the two Policies: 1 Client Policy and 1 User Policy
- go to master > clients >
master-realm - click on the
Authorizationtab - click on the
Policiessub-tab
- click on
Create policy, and thenClient - name it something (e.g., Client-impersonator)
- add
admin-clito theClientfield and clickSave
Repeat again the aforementioned steps, but this time create a User Policy for the user that will be impersonated (i.e., justin in your case)
Add the Policies to the corresponded scopes/permissions:
- go to
Users - go to the tab
Permissions - set
Permissions enabledtoON - click on
impersonate - select the policy corresponded to the client
admin-cli(e.g., policy namedClient-impersonator) - click on
Save
- go again to
Users - go to the tab
Permissions - this time select
user-impersonated - and select the policy for the impersonated user (i.e., justin)
Perform the request:
curl -X POST \
-d "client_id=admin-cli" \
-d "client_secret=8AEx99Ob4Hc8oricSGnii6x4Rs57g4ny" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "requested_subject=justin" \
http://0.0.0.0:8080/realms/master/protocol/openid-connect/token
- Client secret not provided in request error - Keycloak, React, Typescript
- Implementing OIDC with Authorization Code Flow on API Gateway using Keycloak as SSO provider
- Spring Boot with Spring Security and Keycloak only providing Anonymous Authentication Token
- Use Keycloak Spring Adapter with Spring Boot 3
- Validating Username and Password in Keycloak
- SAML configuration broke after upgrade from 7.55.8 to 7.98.8
- Javascript Error when using Keycloak with Artemis for Management Console access
- Why is Keycloak resulting in "Cookie not found" error after IDP initiated login?
- Configure Keycloak to Encrypt SAML Assertions with AES-128-GCM Instead of AES-128-CBC
- Transforming LDAP group memberships to SAML Attributes in Keycloak
- retrieve google refresh token in keycloak
- Use Terraform to assign realm-management role to service account user in Keycloak
- How to restrict access to Keycloak admin console to a specific IP/IP range?
- Keycloak "invalid credentials" error after login when access through Load Balancer
- As in keycloak version 26.0.6. how to enable Allow Token Exchange (to update tokens)
- Removed create-realm in Keycloak from admin role - how do I reassign it?
- keycloak-angular 26 is unable to find keycloak-js
- How to save the keycloak data when running inside docker container?
- Retrieve an oidc access token from Nuxt 3 app
- Keycloak custom event listener not deploying
- Unable to start keycloak with preview or scripts features enabled
- View/configure access log of Keycloak HTTP server
- Keycloak: How to enable unmanagedAttributePolicy over REST API?
- Springboot Keycloak Admin add role or reset password error
- How Do I Use KeyCloak in Flutter
- Migrate keycloak 1.5.2 to 2.5.3 in .NET Core
- How to make a oauth2 authentication within a spring boot shell application
- The nonce is missing from the id_token in the response
- Keycloak Phase Two Organization Attribute in Token and Introspection
- Keycloak as a Broker saml client