I am able to complete the flow using web but need to integrate a native flow on iOS by using a separate native integration to login, then exchange the token to synchronize the account.

I am checking the keycloak doc https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

I keep getting a "Client not allowed to exchange" error when querying:
<keycloak server url>/realms/<realm>/protocol/openid-connect/token
application/x-www-form-urlencoded

Do I need to create a separate client with 'client authentication' enabled?
My issue with 'client authentication' enabled is that I then need to use client_id + secret in my token exchange query, which is sent from the user client (React Native) --> I don't want to store any secrets on a client... I am probably misunderstanding something here also.

I do have the token_exchange feature enabled:

According to the keycloak doc https://www.keycloak.org/docs/latest/securing_apps/index.html#how-token-exchange-works :
A client can exchange an existing Keycloak token created for a specific client for a new token targeted to a different client
A client can exchange an existing Keycloak token for an external token, i.e. a linked Facebook account
A client can exchange an external token for a Keycloak token
A client can impersonate a user

What would be the flow if the user previously doesn't exist?

Unfortunately, the keycloak doc is not clear on the process to enable permission; they refer to:
which doesn't seem to match the latest keycloak client config.

Any ideas of what I could be missing?