keycloak keycloak-rest-api token-exchange

Keycloak Cross Realm Token Exchange

I am new to keycloak, and I was struggling with how to initiate a token exchange request.

I have an OpenID client A configured in Realm A. My requirement is to exchange the token I received from client A, to get the token from client B configured in Realm B.

I was trying out the examples for external to internal token exchange. And I had configured client A as an oidc in Realm B and executing the below cURL:

curl -L -X POST ‘http://localhost:8000/auth/realms/realmB/protocol/openid-connect/token’
-H ‘Content-Type: application/x-www-form-urlencoded’
–data-urlencode ‘client_id=clientA’
–data-urlencode ‘client_secret=clientASecret’
–data-urlencode ‘subject_token=clientAToken’
–data-urlencode ‘subject_issuer=clientA-oidc’
–data-urlencode ‘audience=clientB’
–data-urlencode ‘grant_type=urn:ietf:params:oauth:grant-type:token-exchange’

Thanks In advance

Solution

This method worked for me -

Consider two realms - realm A and realm B.

Step 1: Enable Token Exchange Feature

In the keycloak.conf file, add the following line:

features=token-exchange,admin-fine-grained-authz

This will enable the Token Exchange tab in the admin console.

Step 2: Configure Identity Provider in Target Realm

The target realm will be realm A (realmA).

The source realm will be realm B (realmB).

In realm A, create an Identity Provider:

Configure > Identity Providers > Add provider > Keycloak OpenID Connect.

Set a suitable alias (e.g., realm-b-idp). Note this alias as it will be required for the Token Exchange API.
Enable Use Discovery Endpoint.
Add the discovery endpoint of realm B, e.g :

https:///realms/realmB/.well-known/openid-configuration.

If valid, the details of realm B (auth URL, token URL, etc.) will be fetched.

Step 3: Create Clients in Both Realms

In Realm B (realmB): Create a confidential client (realm-b-client).
Add the client ID and client secret to the Identity Provider in realm A so that it trusts realm B.
In Realm A (realmA): Create a confidential client (realm-a-client) for token exchange.

Step 4: Configure Token Exchange Permissions

Go to the Permissions tab in realm A.
Enable permissions and Token Exchange (this option appears only if the token-exchange feature is enabled in Keycloak).
Edit the Token Exchange Scope.
Under Policies, create a Client Policy:

Choose Clients > Provide a suitable name > Add realm A's client (realm-a-client) in the Clients section.

Step 5: Perform Token Exchange

Use the following curl command to exchange a token:

curl -L 'https://<keycloakhost>/realms/realmA/protocol/openid-connect/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
-d 'subject_token=<token generated from realm-b-client>' \
-d 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \
-d 'client_id=realm-a-client' \
-d 'client_secret=<realm-a-client-secret>' \
-d 'subject_issuer=realm-b-idp' \
-d 'audience=realm-a-client' \
-d 'scope=openid profile roles'

Note: Keycloak version i have used is v25