Improvements to how the IDP is identified from the external subject_token #40832

@graziang

Description

When performing an external-internal token exchange, Keycloak needs to figure out which IDP issued the external subject_token.

Current behavior

  • If the subject_token is a JWT (with subject_token_type = urn:ietf:params:oauth:token-type:jwt), Keycloak reads the token and compares the iss claim with the issuers of the IDPs configured in the realm.
  • If the token is not a JWT, the request must include a subject_issuer parameter to indicate which IDP issued the token. However, this parameter is not part of the standard OAuth 2.0 Token Exchange specification.

Possible improvements

  • For JWT tokens: keep the current behavior — try to determine the IDP based on the iss claim in the token. This approach is aligned with the specification and does not require any non-standard parameters.
  • For non-JWT tokens: replace the subject_issuer parameter with a better-named alternative like kc_subject_idp or kc_subject_issuer, following the naming convention used for other non-standard parameters in Keycloak like kc_idp_hint. The value of this parameter could be either the IDP alias or the result of ExchangeExternalToken.isIssuer().
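An added example, not Keycloak's code, sketching the two lookup paths the issue describes: for a JWT subject_token the candidate IDP is chosen by exact match of its iss claim against the realm's configured issuers, for an opaque token by a caller-supplied alias parameter (here still called subject_issuer). The alias-to-issuer table and the sample tokens are constructed values.

```python
import base64
import json
from typing import Optional

JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"

# Constructed sample of a realm's IDP configuration: alias -> issuer (hypothetical values).
IDP_ISSUERS = {
    "corp-oidc": "https://idp.example.com/realms/corp",
    "partner": "https://login.partner.example/oauth2",
}


def _jwt_claims(token: str) -> Optional[dict]:
    """Decode the JWT payload WITHOUT verifying the signature.

    At this point the claims are untrusted: they are used only to pick the
    candidate IDP, whose keys must then verify the token before iss, sub or
    anything else is relied on."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # binascii.Error and JSON/UTF-8 errors are ValueErrors
        return None
    return claims if isinstance(claims, dict) else None


def select_idp(subject_token: str, subject_token_type: str,
               subject_issuer: Optional[str] = None) -> Optional[str]:
    """Return the alias of the IDP that issued subject_token, or None if it cannot be determined."""
    if subject_token_type == JWT_TYPE:
        claims = _jwt_claims(subject_token)
        iss = claims.get("iss") if claims else None
        if not isinstance(iss, str):
            return None
        # Exact string comparison: no prefix or substring matching on issuers.
        return next((alias for alias, issuer in IDP_ISSUERS.items() if issuer == iss), None)
    # Opaque token: the request must name the IDP, and only a configured alias is accepted.
    return subject_issuer if subject_issuer in IDP_ISSUERS else None


def sample_jwt(claims: dict) -> str:
    """Build a constructed, unverifiable test token (header.payload.placeholder-signature)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

The function only answers "which IDP should validate this token"; a token whose iss matches a configured issuer is still rejected unless that IDP's signature verification succeeds.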

Labels: area/token-exchange/federated (Issues related to federated token exchange, external-internal or internal-external), kind/task