Description

Hi team,
I'm having trouble with the refresh token while performing naked impersonation with the audience. It seems like the refresh token isn't functioning as expected. Is this because refresh tokens aren't supposed to be used in the naked impersonation flow, or could there be a bug?

Naked impersonation curl request:
curl --location 'http://localhost:8080/realms/master/protocol/openid-connect/token' \ --data-urlencode 'client_id=my_client' \ --data-urlencode 'client_secret=my_client_secret' \ --data-urlencode 'requested_subject=mark' \ --data-urlencode 'audience=target_client' \ --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \ --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:refresh_token'

Refresh request:
curl --location 'http://localhost:8080/realms/master/protocol/openid-connect/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'client_id= my_client' \ --data-urlencode 'client_secret=my_client_secret' \ --data-urlencode 'grant_type=refresh_token' \ --data-urlencode 'refresh_token=mark_refresh_token'

Error I'm receiving:
{ "error": "invalid_grant", "error_description": "Session doesn't have required client" }

I have also tried to refresh it with the "audience" client but it failed with:
{ "error": "invalid_grant", "error_description": "Invalid refresh token. Token client and authorized client don't match" }

Both the of the client that I'm using are confidential.

Discussion

No response

Motivation

I want to allow my confidential client to perform naked impersonation and have the ability to refresh the token if necessary. However, I don't want to directly grant the "naked impersonation permission" to the second client (the one that I provide in audiance parameter). Instead, I prefer to handle this securely through my own client, of which I have full control.

Details

No response