Add additional token-exchange example

thomasdarimont · May 4, 2024 · 13f7998 · 13f7998
1 parent 04a7adb
commit 13f7998
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/keycloak/http-tests/token_exchange.http b/keycloak/http-tests/token_exchange.http
@@ -16,13 +16,26 @@ client_id={{CONFIDENTIAL_CLIENT_CLASSIC_WEB_APP}}&client_secret={{CONFIDENTIAL_C
 POST {{ISSUER}}/protocol/openid-connect/token
 Content-Type: application/x-www-form-urlencoded
 
-grant_type=urn:ietf:params:oauth:grant-type:token-exchange&client_id={{CONFIDENTIAL_CLIENT_CLASSIC_WEB_APP}}&client_secret={{CONFIDENTIAL_CLIENT_CLASSIC_WEB_APP_SECRET}}&subject_token={{KC_ACCESS_TOKEN}}&audience={{CONFIDENTIAL_CLIENT_SERVICE}}-xxxx&requested_token_type=urn:ietf:params:oauth:token-type:access_token
+grant_type=urn:ietf:params:oauth:grant-type:token-exchange&client_id={{CONFIDENTIAL_CLIENT_CLASSIC_WEB_APP}}&client_secret={{CONFIDENTIAL_CLIENT_CLASSIC_WEB_APP_SECRET}}&subject_token={{KC_ACCESS_TOKEN}}&audience={{CONFIDENTIAL_CLIENT_SERVICE}}&requested_token_type=urn:ietf:params:oauth:token-type:access_token
 
 > {%
     client.global.set("XCHD_ACCESS_TOKEN", response.body.access_token);
     client.global.set("XCHD_REFRESH_TOKEN", response.body.refresh_token);
 %}
 
+### Perform (impersonation) token exchange with user switch
+# ensure token-exchange permission is configured for target client (acme-client-service-app) -> we must explicitly allow the source-client to use token-exchange
+# currently Keycloak generates an access token AND refresh token by default. To only request an access token use requested_token_type=urn:ietf:params:oauth:token-type:access_token
+# An ID token also generated by default (since the openid scope is included explicitly)
+POST {{ISSUER}}/protocol/openid-connect/token
+Content-Type: application/x-www-form-urlencoded
+
+grant_type=urn:ietf:params:oauth:grant-type:token-exchange&client_id={{CONFIDENTIAL_CLIENT_CLASSIC_WEB_APP}}&client_secret={{CONFIDENTIAL_CLIENT_CLASSIC_WEB_APP_SECRET}}&subject_token={{KC_ACCESS_TOKEN}}&requested_subject=a27f947d-2be4-4532-bd5b-af574f2f6449&requested_token_type=urn:ietf:params:oauth:token-type:access_token
+
+> {%
+    client.global.set("XCHD_ACCESS_TOKEN", response.body.access_token);
+    client.global.set("XCHD_REFRESH_TOKEN", response.body.refresh_token);
+%}
 
 
 ### Perform custom token exchange with API Key: Translate an API key with into an access-token with an API-Gateway