
Allow for token-exchange with refresh-token of IDP #29313

@antikalk

Description

At the moment it is not possible to do an internal to external token-exchange with a refresh token issued by an IDP, when providing subject_token_type=urn:ietf:params:oauth:token-type:refresh_token. The error subject_token_type invalid is returned.

Motivation

I want to be able to exchange a refresh token of an IDP for a Keycloak token.

Details

Implementation Idea:

In the current implementation, where only an access_token is exchanged, the userinfo endpoint of the IDP is called with this token directly. In order to enable this for refresh_tokens, an easy implementation could be to first try to use the refresh_token grant against the IDP to query an access_token that could then be used to call the userinfo endpoint.
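The broker-side flow sketched above, as an added example that is not Keycloak's code and not part of the original issue. It models the proposed branch on subject_token_type: an access_token goes straight to userinfo (the existing behaviour), a refresh_token is first swapped for an access token with the OAuth 2.0 refresh_token grant (RFC 6749 section 6), authenticated with the broker's own client credentials at the IDP, and anything else is rejected with the "subject_token_type invalid" error the issue quotes. HTTP is behind an injected transport so the flow runs offline; the IDP URLs, client credentials, token values and the fake IDP are all constructed for the example.

```python
# Added example (not Keycloak code): broker-side handling of a refresh token
# presented as subject_token in a token exchange. All URLs, credentials and
# token strings are made up for the demo.
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"

# transport(method, url, form, headers) -> (status, json_body). Injected so the
# same logic can be exercised against the fake IDP below instead of real HTTP.
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, dict]]


@dataclass(frozen=True)
class IdpConfig:
    token_url: str
    userinfo_url: str
    client_id: str       # the broker's own client registered at the IDP
    client_secret: str


class ExchangeError(Exception):
    """Carries the OAuth error the exchange endpoint would return."""


def resolve_subject_token(idp: IdpConfig, transport: Transport,
                          subject_token: str, subject_token_type: str) -> dict:
    """Return the IDP userinfo claims backing subject_token, or raise ExchangeError."""
    if subject_token_type == ACCESS_TOKEN_TYPE:
        access_token = subject_token                       # existing behaviour
    elif subject_token_type == REFRESH_TOKEN_TYPE:
        # Refresh grant (RFC 6749 §6), authenticated as the client the refresh
        # token was issued to. A refresh token minted for some other IDP client
        # is rejected here, which is the check that makes this path safe.
        status, body = transport("POST", idp.token_url, {
            "grant_type": "refresh_token",
            "refresh_token": subject_token,
            "client_id": idp.client_id,
            "client_secret": idp.client_secret,
        }, {"Content-Type": "application/x-www-form-urlencoded"})
        if status != 200 or "access_token" not in body:
            raise ExchangeError("invalid_token: IDP rejected the refresh token")
        access_token = body["access_token"]
        # body may also contain a rotated refresh_token; a real broker would have
        # to persist it, because the IDP may have invalidated the one it received.
    else:
        raise ExchangeError("invalid_request: subject_token_type invalid")

    status, claims = transport("GET", idp.userinfo_url, {},
                               {"Authorization": "Bearer " + access_token})
    if status != 200 or "sub" not in claims:
        raise ExchangeError("invalid_token: userinfo rejected the access token")
    return claims


# ---- constructed stand-in for the external IDP (no network) -------------------
FAKE_IDP = IdpConfig("https://idp.example/token", "https://idp.example/userinfo",
                     "keycloak-broker", "broker-secret")
_REFRESH_TOKENS = {"rt-alice": ("keycloak-broker", "at-alice")}   # refresh -> (client, access)
_ACCESS_TOKENS = {"at-alice": {"sub": "alice", "email": "alice@example.org"}}


def fake_idp(method: str, url: str, form: Dict[str, str], headers: Dict[str, str]):
    if method == "POST" and url == FAKE_IDP.token_url:
        entry = _REFRESH_TOKENS.get(form.get("refresh_token", ""))
        if (form.get("grant_type") != "refresh_token" or entry is None
                or form.get("client_id") != entry[0]
                or form.get("client_secret") != FAKE_IDP.client_secret):
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": entry[1], "token_type": "Bearer"}
    if method == "GET" and url == FAKE_IDP.userinfo_url:
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        claims = _ACCESS_TOKENS.get(token)
        return (200, claims) if claims else (401, {"error": "invalid_token"})
    return 404, {}


def try_exchange(subject_token: str, subject_token_type: str):
    """Claims dict on success, the error string on failure (for the demo/tests)."""
    try:
        return resolve_subject_token(FAKE_IDP, fake_idp, subject_token, subject_token_type)
    except ExchangeError as err:
        return str(err)


if __name__ == "__main__":
    for tok, typ in [("rt-alice", REFRESH_TOKEN_TYPE), ("at-alice", ACCESS_TOKEN_TYPE),
                     ("rt-alice", ACCESS_TOKEN_TYPE), ("rt-bogus", REFRESH_TOKEN_TYPE),
                     ("x", "urn:ietf:params:oauth:token-type:id_token")]:
        print(typ.rsplit(":", 1)[-1], tok, "->", try_exchange(tok, typ))
```

Two points worth noticing in the demo: a refresh token mislabelled as an access token is caught at userinfo (the IDP never accepts a refresh token as a bearer token), and a refresh token from any client other than the broker's own IDP client fails the refresh grant because the client credentials do not match. The refresh grant also consumes or rotates the token at some IDPs, so the broker must be prepared to store the new refresh_token it gets back.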
