Direct naked impersonation

I am having issues getting these steps to work, as documented in the Securing Applications and Services Guide. This thread on Stack Overflow showed an option which did not work either. Can someone point me to the steps needed to fix this to allow naked impersonation?

Realm/client/policy/user details are in the attached picture.

Query:

curl -k -X POST \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=starting-client' \
--data-urlencode 'client_secret=.....' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'requested_subject=target-user' \
https://localhost:8543/auth/realms/target_realm/protocol/openid-connect/token

Response:

{"error":"access_denied","error_description":"Client not allowed to exchange"}

Server logs:

22:40:08,396 WARN [org.keycloak.events] (default task-149) type=TOKEN_EXCHANGE_ERROR, realmId=target_realm, clientId=starting-client, userId=null, ipAddress=172.17.0.1, error=not_allowed, reason='client not allowed to impersonate', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, requested_subject=target-user, client_auth_method=client-secret


Solution 1:[1]

This is an issue with the documentation in the Securing Applications and Services Guide. Instead of adding a client policy for the scope "user-impersonated", the policy must be added for the scope "impersonate". Once that change was made, it started to work.

Solution 2:[2]

Please use the request format below, and it should work. Tested and verified.

curl --location --request POST 'https://api.kong.stg.vrpintegration.dev/requestJWT/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_secret=bddf3a83-f4ec-45f6-afa0-cf9c94cb5518' \
--data-urlencode 'subject_token=xxxxxx' \
--data-urlencode 'audience=CLIENT_ID' \
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:refresh_token'

Solution 3:[3]

Make sure you have checked that the user exists, because if it doesn't exist it will return "Client cannot impersonate".

Also, there is some contradiction in the docs.

Reading the Red Hat Keycloak docs, they use "impersonate" instead of "user-impersonate" in the user permission, while the official Keycloak docs add "user-impersonate". I used "impersonate" and added my starting-client. It works for me.
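Worked example, added here and not part of the question or any of the answers: a small Python client that sends the same naked impersonation request as the question (token-exchange grant with a requested_subject and no subject_token), recognises the "Client not allowed to exchange" denial that Solutions 1 and 3 explain, and, on success, checks that the returned token actually names the requested user before handing it back. The HTTP transport is injectable so the flow can be exercised offline. The token URL and client/user names come from the question; the JWT helper, the sample responses and the `naked_impersonation` function itself are assumptions made for this example.

```python
"""Direct naked impersonation via Keycloak token exchange.

Added example; not code from the original question or its answers. The
token endpoint and client names are the question's; the JWT helper and the
sample responses used in testing are constructed for this example.
"""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# Token endpoint from the question; adjust host and realm for your deployment.
TOKEN_URL = "https://localhost:8543/auth/realms/target_realm/protocol/openid-connect/token"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"

PostFn = Callable[[str, Dict[str, str]], Tuple[int, str]]


def build_exchange_form(client_id: str, client_secret: str, requested_subject: str) -> Dict[str, str]:
    """Form body for *naked* impersonation: the client authenticates itself and
    names the target user; there is deliberately no subject_token."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "requested_subject": requested_subject,
    }


def http_post_form(url: str, form: Dict[str, str], verify_tls: bool = True) -> Tuple[int, str]:
    """Real transport: POST application/x-www-form-urlencoded, return (status, body).
    verify_tls=False mirrors `curl -k` in the question; use it only against a local dev server."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    ctx = ssl._create_unverified_context() if not verify_tls else None
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:  # Keycloak puts the error JSON in the body
        return e.code, e.read().decode()


def make_unsigned_jwt(claims: Dict) -> str:
    """Constructed sample token (alg=none, empty signature) for offline use only."""
    def b64(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = b64({"alg": "none"})
    return f"{header}.{b64(claims)}."


def unverified_claims(jwt: str) -> Dict:
    """Payload of a JWT without signature verification: enough to see which user
    the exchanged token names, never a basis for a trust decision."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def naked_impersonation(client_id: str, client_secret: str, requested_subject: str,
                        post: PostFn = http_post_form, url: str = TOKEN_URL) -> Dict:
    """Run the exchange and classify the outcome (assumed helper, not a Keycloak API)."""
    status, body = post(url, build_exchange_form(client_id, client_secret, requested_subject))
    try:
        parsed = json.loads(body)
    except ValueError:
        return {"ok": False, "reason": f"non-JSON response (HTTP {status})"}
    if status != 200 or "access_token" not in parsed:
        err, desc = parsed.get("error"), parsed.get("error_description", "")
        hint = ""
        if err == "access_denied" and "not allowed to exchange" in desc:
            # The denial from the question. Per the answers on this page it means the
            # client policy is attached to the wrong scope ('user-impersonated' instead
            # of 'impersonate') on the user permission, or the requested user does not exist.
            hint = ("add the starting client's policy to the 'impersonate' scope of the user "
                    "permission and confirm the requested_subject exists")
        return {"ok": False, "reason": f"{err}: {desc}", "hint": hint}
    claims = unverified_claims(parsed["access_token"])
    # Make sure the token really names the requested user before using it.
    if claims.get("preferred_username") != requested_subject:
        return {"ok": False, "reason": "token issued for a different user", "claims": claims}
    return {"ok": True, "access_token": parsed["access_token"], "claims": claims}


if __name__ == "__main__":
    result = naked_impersonation("starting-client", "change-me", "target-user",
                                 post=lambda u, f: http_post_form(u, f, verify_tls=False))
    print(json.dumps({k: v for k, v in result.items() if k != "access_token"}, indent=2))
```

Running it against a realm where the policy is still on "user-impersonated" prints the access_denied reason plus the hint; once the policy is moved to "impersonate" as in Solution 1, the claims of the impersonated user are printed instead. The `preferred_username` comparison is only a sanity check on the unverified payload; anything that relies on the token should still verify its signature against the realm's keys.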

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Jitendra Chintamadaka
Solution 2: Manimaran Samuthirapandi
Solution 3: cYee