python-keycloak
Client Secret Key of Exchange Token Request
In case of using the 'openid-connect/token' resource of a realm, Keycloak requires a client_id/client_secret combination in the request's body. Here, in the method exchange_token of the lib, the following code:

```python
payload = self._add_secret_key(payload)
```

The method self._add_secret_key adds the client_secret of the KeycloakOpenID object, which is used as the starting client for the token exchange, instead of adding the target's client secret.
Would it be better to append a client_secret parameter to the exchange_token method?
Hi @ioshumer. Well, I'm not sure, to be honest, I haven't quite played around with confidential clients and their exchanges. I'd expect that you need to pass on both secrets, i.e. for both clients when you wish to make an exchange from one to another, which would then require an additional argument for the exchange token method. But I might be mistaken :)
It needs some experimentation from my side, but otherwise sounds like a reasonable request :)
I agree with @ioshumer, client_secret: str is missing in the exchange_token() args.
For instance, if the goal is to exchange the source_client token for a token for the target_client that can be refreshed by the latter, the exchange has to be initiated from the target_client. In this case the following must be provided during the exchange:
- the target client_id
- the target client_secret
- the source client access token
e.g.

```python
import requests

# client_id / client_secret are those of the target client, which initiates the exchange
data = {
    "client_id": tgt_client_id,
    "client_secret": tgt_client_secret,
    "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
    "subject_token": src_access_token,  # access token issued to the source client
    "requested_token_type": "urn:ietf:params:oauth:token-type:refresh_token",
}
exchanged = requests.post(token_endpoint, data=data).json()
```
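As an added example (not python-keycloak's code and not the commenter's), a small helper that builds the exchange request with the target client's own credentials and surfaces Keycloak's error JSON on failure; the endpoint URL, the client names "target-app"/"tgt-secret" and the `stub_post` callable that imitates Keycloak's accept/reject decision are constructed placeholders so the code runs offline.

```python
from typing import Callable, Optional

GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
TYPE_REFRESH_TOKEN = "urn:ietf:params:oauth:token-type:refresh_token"


def build_exchange_payload(target_client_id: str, target_client_secret: str,
                           subject_token: str, requested_token_type: str = TYPE_REFRESH_TOKEN) -> dict:
    """Form body for openid-connect/token in token-exchange mode. The credentials are
    those of the client initiating the exchange (the target), not of the client
    whose access token is being exchanged."""
    if not target_client_secret:
        raise ValueError("a confidential target client must send its own client_secret")
    return {
        "client_id": target_client_id,
        "client_secret": target_client_secret,
        "grant_type": GRANT_TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": TYPE_ACCESS_TOKEN,
        "requested_token_type": requested_token_type,
    }


def exchange_token(token_endpoint: str, payload: dict, post: Optional[Callable] = None) -> dict:
    """POST the exchange; on failure raise with Keycloak's error JSON, not a bare status."""
    if post is None:
        import requests  # lazy import: lets the module load without requests installed
        post = requests.post
    resp = post(token_endpoint, data=payload, timeout=10)
    body = resp.json()
    if resp.status_code != 200 or "error" in body:
        raise RuntimeError(f"token exchange failed: {body.get('error')}: {body.get('error_description', '')}")
    return body


class _StubResponse:  # constructed stand-in for requests.Response; nothing hits the network
    def __init__(self, status_code: int, body: dict):
        self.status_code, self._body = status_code, body

    def json(self) -> dict:
        return self._body


def stub_post(url: str, data: dict = None, timeout: int = None) -> _StubResponse:
    # Constructed Keycloak behaviour: the exchange is accepted only with the target client's own secret.
    if data.get("client_id") != "target-app" or data.get("client_secret") != "tgt-secret":
        return _StubResponse(401, {"error": "unauthorized_client",
                                   "error_description": "Invalid client or Invalid client credentials"})
    return _StubResponse(200, {"access_token": "at", "refresh_token": "rt", "token_type": "Bearer"})
```

Sending the source client's secret instead (what the issue describes) makes `stub_post` answer 401 `unauthorized_client`, which `exchange_token` raises as a readable error rather than a bare status code.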