Tags: keycloak, keycloak-rest-api, keycloak-gatekeeper

Keycloak Token exchange Error - Client is not within the token audience


I'm working on a token-exchange request in Keycloak where I'm trying to get the access token of client2 while being authenticated with client1.

I have enabled token_exchange and admin_fine_grained_authz on the Keycloak instance.

Followed the documentation from https://www.keycloak.org/docs/latest/securing_apps/index.html#_internal-token-to-internal-token-exchange

When I hit the API for token exchange as

curl --location 'http://<URL>/realms/Genting/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=client2' \
--data-urlencode 'client_secret=<client2 secret>' \
--data-urlencode 'subject_token=<client1 token>' \
--data-urlencode 'audience=client2' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token'

In response, I'm getting

{
    "error": "access_denied",
    "error_description": "Client is not within the token audience"
} 

Is there some setting I missed here to receive the token correctly?


Solution

  • You are exchanging a client1 token for client2, you need to change it to

    --data-urlencode 'client_id=client1' \
    --data-urlencode 'client_secret=<client1 secret>' \
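As an added example (not part of the question or the answer above, and not Keycloak's own code), here is a small Python pre-flight check that makes the "Client is not within the token audience" error visible before the request is sent. It assumes the rule the answer relies on: the client that authenticates the exchange request must be the client the subject token was issued to (`azp`) or must appear in the token's `aud` claim. The JWT is decoded without signature verification purely to inspect claims; Keycloak still validates the token server-side. `make_unverified_jwt`, `client_may_exchange` and `build_exchange_request` are hypothetical helpers written for this example, and the sample token is constructed inline.

```python
import base64
import json
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unverified_jwt(payload: dict) -> str:
    # Constructed sample token: real header/payload layout, dummy signature.
    # Only used so the example runs offline; never accept such a token as valid.
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.dummysignature"


def decode_jwt_payload(token: str) -> dict:
    # Decode the payload segment only. This does NOT verify the signature;
    # it is a client-side sanity check, not a trust decision.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def client_may_exchange(payload: dict, client_id: str) -> bool:
    # Assumed rule (matches the accepted answer): the requesting client must be
    # the token's authorized party (azp) or be listed in its audience (aud).
    # 'aud' may be a single string or a list in JWTs, so normalise it.
    aud = payload.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return client_id in aud or payload.get("azp") == client_id


def build_exchange_request(realm_base: str, client_id: str, client_secret: str,
                           subject_token: str, audience: str):
    """Return (url, form_body) for an internal token exchange, or raise
    PermissionError if Keycloak would reject the request on the audience check."""
    claims = decode_jwt_payload(subject_token)
    if not client_may_exchange(claims, client_id):
        raise PermissionError(
            f"{client_id} is neither azp={claims.get('azp')!r} nor in aud="
            f"{claims.get('aud')!r}; Keycloak would answer "
            "'Client is not within the token audience'"
        )
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "audience": audience,
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
    }
    return f"{realm_base}/protocol/openid-connect/token", urlencode(form)


# Constructed subject token as client1 would receive it: issued for client1
# (azp) with the default 'account' audience, so client2 is not in its audience.
SUBJECT_TOKEN = make_unverified_jwt({
    "iss": "http://<URL>/realms/Genting",
    "azp": "client1",
    "aud": "account",
    "sub": "user-placeholder",
})

if __name__ == "__main__":
    base = "http://<URL>/realms/Genting"
    try:
        build_exchange_request(base, "client2", "<client2 secret>", SUBJECT_TOKEN, "client2")
    except PermissionError as exc:
        print("rejected:", exc)
    url, body = build_exchange_request(base, "client1", "<client1 secret>", SUBJECT_TOKEN, "client2")
    print("POST", url)
    print(body)
```

The failing variant mirrors the question's curl command (authenticating as client2 with a client1 token); the passing variant mirrors the answer (authenticating as client1 and naming client2 in `audience`). The same check is useful in a service that performs exchanges on behalf of users, since it turns an opaque `access_denied` into a clear message about which claim is missing.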