Red Hat build of Keycloak
RHBK-3599

Standard Token Exchange: chain of exchanges eventually fails [GHI#42565]



      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      token-exchange

      Describe the bug

      When running a chain of token exchanges between clients, the exchange eventually fails with Invalid token.

      I will attach a reproducer that shows the issue in detail. In short, I am getting a token for client A (let's call it token A), exchanging token A for client B, then exchanging token B for client C etc.
      The third exchange fails with this response:

      HTTP/1.1 400 Bad Request
      [headers redacted]
      
      {
        "error": "invalid_request",
        "error_description": "Invalid token"
      }
      

      Exchanging token A for client A (without any prior exchanges) works indefinitely. Exchanging token A for client B, then token B for client A, then the new token A for client A still fails. It seems after exchanging for any client other than the original one, you only get one more exchange, then the next fails.

      I looked at the tokens produced and the only difference I could see between a token that can be exchanged and one that fails is that the sid claim is missing in the failing token.

      Is this behavior expected? Am I doing something wrong? I would be surprised if I was the first one to try this.

      Version

      Tested with rhbk/keycloak-rhel9:26.2-6 and keycloak:latest (26.3.3)

      Regression

      [ ] The issue is a regression

      Expected behavior

      Token can be exchanged as often as needed between clients as long as the audience fits.

      Actual behavior

      The third token exchange fails.

      How to Reproduce?

      I built a reproducer with docker-compose, terraform and the IntelliJ HTTP Client.

      You can find it at https://github.com/lbilger/keycloak-token-exchange-reproducer.

      Just run docker compose up to start Keycloak and create a realm, a user and some clients.

      Then run the requests in token-exchange.http in sequence. For the initial login, use admin/admin as credentials.

      If you are not using IntelliJ, they have a standalone CLI for the HTTP client. Or you can simply rewrite them to use cURL.

      Anything else?

      No response
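The following script is an added example for reproducing and localizing the failure described above; it is not the reporter's reproducer and not Keycloak project code. It drives a chain of RFC 8693 standard token exchanges against the realm token endpoint, feeding each hop's access token into the next exchange, and records per hop whether the exchange succeeded and whether the returned token still carries the `sid` claim the report sees disappear. The endpoint (env var `KEYCLOAK_TOKEN_ENDPOINT`), the client ids and the offline `alg=none` test tokens are assumptions, and `jwt_claims` decodes without signature verification because it only inspects claims.

```python
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = os.environ.get("KEYCLOAK_TOKEN_ENDPOINT",  # assumed, not from the report
                                "http://localhost:8080/realms/test/protocol/openid-connect/token")

def jwt_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def unsigned_jwt(claims: dict) -> str:
    """Constructed alg=none token for offline checks; Keycloak itself never issues these."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'

def exchange(subject_token: str, client_id: str, client_secret: str, audience: str) -> dict:
    """One RFC 8693 exchange at the realm token endpoint; returns the JSON body, error or not."""
    data = urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token": subject_token, "audience": audience,
        "client_id": client_id, "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # a 400 body carries error_description, e.g. "Invalid token"
        return json.loads(err.read())

def run_chain(first_token: str, hops: list, exchange_fn=exchange) -> list:
    """Feed each hop's token into the next exchange; hops = [(client_id, secret, audience), ...].
    Returns (audience, succeeded, sid_present_or_error) per hop and stops at the first failure."""
    results, token = [], first_token
    for client_id, secret, audience in hops:
        reply = exchange_fn(token, client_id, secret, audience)
        if "access_token" not in reply:
            results.append((audience, False, reply.get("error_description")))
            break
        token = reply["access_token"]
        results.append((audience, True, bool(jwt_claims(token).get("sid"))))
    return results
```

Obtain the first token with a normal login (for example the password grant used in the reproducer) and pass it to `run_chain` with one tuple per client in the chain; the record shows at which hop the `sid` claim vanishes and at which hop the endpoint answers "Invalid token".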

              Unassigned
              pvlha Pavel Vlha
              Keycloak Core Clients