Same thing here. It seems it is because the tokens' AZP is overridden by the calling client instead of the second. @frelibert implemented a fix to workaround this behavior but it seems it is not a priority for now in the keycloak backlog.
Description
Hi team,
I'm having trouble with the refresh token while performing naked impersonation with the audience. It seems like the refresh token isn't functioning as expected. Is this because refresh tokens aren't supposed to be used in the naked impersonation flow, or could there be a bug?
Naked impersonation curl request:
```shell
curl --location 'http://localhost:8080/realms/master/protocol/openid-connect/token' \
  --data-urlencode 'client_id=my_client' \
  --data-urlencode 'client_secret=my_client_secret' \
  --data-urlencode 'requested_subject=mark' \
  --data-urlencode 'audience=target_client' \
  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
  --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:refresh_token'
```
Refresh request:
```shell
curl --location 'http://localhost:8080/realms/master/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=my_client' \
  --data-urlencode 'client_secret=my_client_secret' \
  --data-urlencode 'grant_type=refresh_token' \
  --data-urlencode 'refresh_token=mark_refresh_token'
```
Error I'm receiving:
```json
{ "error": "invalid_grant", "error_description": "Session doesn't have required client" }
```
I have also tried to refresh it with the "audience" client but it failed with:
```json
{ "error": "invalid_grant", "error_description": "Invalid refresh token. Token client and authorized client don't match" }
```
Both of the clients that I'm using are confidential.
Discussion
No response
Motivation
I want to allow my confidential client to perform naked impersonation and have the ability to refresh the token if necessary. However, I don't want to directly grant the "naked impersonation permission" to the second client (the one that I provide in the audience parameter). Instead, I prefer to handle this securely through my own client, of which I have full control.
Details
No response
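An added diagnostic for the situation described in this issue (example code written for this page, not code from the issue author or from the Keycloak project). It builds the same form bodies as the two curl requests and decodes the payload of the returned refresh token, without verifying its signature, to compare the token's `azp` claim with the client that is about to present it. The sample token, its `sub` and `sid` values, and the rule that the refreshing client must equal `azp` are assumptions taken from the comment above ("the tokens' AZP is overridden by the calling client"), not from Keycloak source.

```python
import base64
import json
from urllib.parse import urlencode


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that JWTs strip before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_exchange_body(client_id, client_secret, requested_subject, audience) -> str:
    """Form body of the naked-impersonation request (same parameters as the issue's curl)."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "requested_subject": requested_subject,
        "audience": audience,
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": "urn:ietf:params:oauth:token-type:refresh_token",
    })


def refresh_body(client_id, client_secret, refresh_token) -> str:
    """Form body of the refresh_token grant (same parameters as the issue's curl)."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    })


def decode_claims(token: str) -> dict:
    """Payload of a compact JWT, decoded WITHOUT signature verification.
    Fine for inspecting a token you just received; never use it for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def refresh_diagnosis(refresh_token: str, refreshing_client: str) -> str:
    """Compare the token's azp claim with the client that is about to refresh it.
    Assumption (from the comment on this issue): only the client named in azp may
    refresh, so a mismatch predicts 'Token client and authorized client don't match'."""
    claims = decode_claims(refresh_token)
    if claims.get("typ") not in ("Refresh", "Offline"):
        return f"not a refresh token (typ={claims.get('typ')!r})"
    azp = claims.get("azp")
    if azp != refreshing_client:
        return f"mismatch: token azp={azp!r} but {refreshing_client!r} is refreshing"
    return f"ok: azp={azp!r} matches; aud={claims.get('aud')!r}; sub={claims.get('sub')!r}"


def build_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) for offline inspection only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",
    ])


# Constructed sample matching the comment's description: azp is the calling
# client (my_client), not the audience client (target_client).
SAMPLE_REFRESH_TOKEN = build_unsigned_jwt({
    "typ": "Refresh",
    "iss": "http://localhost:8080/realms/master",
    "sub": "constructed-user-id-for-mark",
    "azp": "my_client",
    "aud": "target_client",
    "sid": "constructed-session-id",
})

if __name__ == "__main__":
    print(token_exchange_body("my_client", "my_client_secret", "mark", "target_client"))
    for client in ("my_client", "target_client"):
        print(client, "->", refresh_diagnosis(SAMPLE_REFRESH_TOKEN, client))
```

Paste a real refresh token returned by the exchange into `refresh_diagnosis` to see which client the token itself names as authorized before sending the refresh request; with the sample token, refreshing as `target_client` reports the mismatch and refreshing as `my_client` passes the `azp` check, which isolates the remaining "Session doesn't have required client" error to the server-side session rather than the token.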