klausbetz / apple-identity-provider-keycloak

An extension for Keycloak, that enables web-based sign in with Apple and token exchange
Apache License 2.0

Unable to exchange token with APPLE's Id token #75

Closed asim46 closed 5 months ago

asim46 commented 5 months ago
// Form body of the POST to the Keycloak token endpoint (token exchange of an Apple id_token)
String requestBody = "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" +
        "&client_id=" + clientId +
        "&subject_issuer=" + provider +            // identity provider alias, e.g. "apple"
        "&subject_token=" + idToken +              // id_token issued by Apple
        "&subject_token_type=urn:ietf:params:oauth:token-type:id_token";

Error:

Response:
"body":"400 Bad Request: \"{\"error\":\"invalid_token\",\"error_description\":\"token type not supported\"}\""}}
 [error] - ERROR 400

Token exchange is working with google's access token

It happened after upgrade to 24.0.4 from 22.0.4

klausbetz commented 5 months ago

Hi @asim46,

thx for creating this ticket.

What's the URL you're sending this request to? Does Keycloak log something that is related to this error?

asim46 commented 5 months ago

Thank you so much for your fast reply!

Url is: /realms//protocol/openid-connect/token

There is nothing logged in keycloak in any log levels.

Sorry, I wrote admin API earlier! I am sending a POST request from my backend service to this URL.

I have even recreated the keys and tried, but no luck!

klausbetz commented 5 months ago

Ok. thx for the insights.

I'll give it a test and debug it if necessary.

klausbetz commented 5 months ago

I managed to find the issue. It's in OIDCIdentityProvider.isTokenTypeSupported. However, it turns out that this is a bit more difficult to solve than I initially thought. I'm trying to replace the base of AppleIdentityProvider from OIDCIdentityProvider with AbstractOAuth2IdentityProvider. This could help. We'll see.

klausbetz commented 5 months ago

I just created a new validation method and therefore avoid calling the inherited validation method with its restrictions that were introduced in v24.0.3.

@asim46 you have two options:

  1. Installing 1.12.0 of this extension
  2. Downgrading to Keycloak v24.0.2
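The exchange request from the first post, as an added Python example (not code from the issue or from the extension): it form-encodes the same parameters instead of concatenating raw strings, posts them to the realm's token endpoint, and recognises the `invalid_token` / `token type not supported` answer that Keycloak 24.0.3+ returns with extension versions before 1.12.0. The base URL, realm and client id are constructed placeholders.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Constructed placeholder values, not taken from the issue.
KEYCLOAK_BASE = "https://keycloak.example.test"
REALM = "myrealm"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"


def token_endpoint(base: str, realm: str) -> str:
    """Realm token endpoint, the URL the issue's POST goes to (realm name filled in)."""
    return f"{base}/realms/{realm}/protocol/openid-connect/token"


def build_exchange_body(client_id: str, subject_issuer: str, subject_token: str) -> str:
    """Same five parameters as the Java snippet, but percent-encoded by urlencode."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "subject_issuer": subject_issuer,      # identity provider alias, e.g. "apple"
        "subject_token": subject_token,        # the Apple id_token
        "subject_token_type": ID_TOKEN_TYPE,
    })


def classify_exchange_response(status: int, body_text: str) -> str:
    """Map the token endpoint answer to 'ok', 'token_type_unsupported' or 'other_error'."""
    if status == 200:
        return "ok"
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError:
        return "other_error"
    # This exact pair is what OIDCIdentityProvider.isTokenTypeSupported produces
    # on Keycloak >= 24.0.3 with extension versions before 1.12.0.
    if body.get("error") == "invalid_token" and body.get("error_description") == "token type not supported":
        return "token_type_unsupported"
    return "other_error"


def urllib_post(url: str, data: bytes, headers: dict) -> tuple:
    """Default transport; 4xx answers are returned rather than raised so they can be classified."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def exchange(client_id: str, subject_issuer: str, subject_token: str, post=urllib_post) -> str:
    """Run the exchange and return the classification; `post` is injectable for offline use."""
    body = build_exchange_body(client_id, subject_issuer, subject_token).encode()
    status, text = post(token_endpoint(KEYCLOAK_BASE, REALM), body,
                        {"Content-Type": "application/x-www-form-urlencoded"})
    return classify_exchange_response(status, text)
```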