Description
Before reporting an issue
- I have searched existing issues
- I have reproduced the issue with the latest release
Area
token-exchange
Describe the bug
I am upgrading from V14 to V20.
logged in user - [email protected]
generate a token as a public client using client1.
Try to run an exchange token call with client1 - returns a proper token with
"aud": [
"account",
"client1"
]
When I try to run an exchange token with another client, client2, it throws an error:
error=not_allowed, reason='client is not the token holder', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, client_auth_method=client-secret",
There is one observation that the public client token carries client1 entry as
"azp": "client1" (since the token was generated using client1)
I have the features enabled:
extraEnvVars:
- name: KC_FEATURES
value: admin-fine-grained-authz,token-exchange,scripts
This functionality was working perfectly fine in V14 but started throwing error with V20.
I came across the documentation below from Keycloak, which talks about
i) explicit permission setup for the target client (client2, I believe, in our case) (not done for V14) and
ii) sending extra params in the header for the exchange calls (which we are already doing, even in V14).
https://www.keycloak.org/docs/latest/securing_apps/index.html#internal-token-to-internal-token-exchange
(tried following the steps for a client via the admin console but couldn't get it to work)
This seems a little difficult in my scenario, since we are creating clients on the fly from the application, and doing the permission registration would be very difficult.
Version
20.0.3
Expected behavior
Should generate the exchange token.
Actual behavior
Error
How to Reproduce?
Enable the features and try to generate the exchange token with a different client not present in the bearer token for the request.
Anything else?
No response
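As an added illustration (not code from the report or from Keycloak itself), a simplified model of the token-holder rule behind the error quoted above: the client calling the exchange endpoint must be the holder of the subject token (its `azp`, or one of its `aud` entries) unless it has been explicitly granted token-exchange permission on the target client, which is the admin-console setup the linked documentation describes. The sample token, the client names and the `exchange_permissions` map are constructed for the example.

```python
import base64
import json

# Constructed sample claims (not a real Keycloak token): an access token
# issued to the public client "client1", as in the report.
SAMPLE_CLAIMS = {
    "aud": ["account", "client1"],
    "azp": "client1",
    "preferred_username": "user@example.com",  # constructed placeholder
}


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build an alg=none JWT for offline illustration only (no signature)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Decode the payload segment; signature verification is out of scope here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore padding for the decoder
    return json.loads(base64.urlsafe_b64decode(payload))


def check_exchange(token: str, requester: str, target: str,
                   exchange_permissions: dict) -> str:
    """Return 'allowed' or the refusal reason for an internal token exchange.

    exchange_permissions is a hypothetical structure: target client ->
    set of clients explicitly granted token-exchange permission on it.
    """
    claims = decode_claims(token)
    holders = {claims.get("azp"), *claims.get("aud", [])}
    if requester in holders:
        return "allowed"  # the requester is the token holder
    if requester in exchange_permissions.get(target, set()):
        return "allowed"  # explicit permission substitutes for holdership
    return "not_allowed: client is not the token holder"


if __name__ == "__main__":
    tok = make_unsigned_jwt(SAMPLE_CLAIMS)
    print("client1:", check_exchange(tok, "client1", "client3", {}))
    print("client2:", check_exchange(tok, "client2", "client3", {}))
    print("client2+perm:", check_exchange(tok, "client2", "client3", {"client3": {"client2"}}))
```

With the constructed token, client1 is allowed as the holder, client2 is refused with the reason from the report, and client2 is allowed once the map records a permission for it on the target client.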