Open ioshumer opened 1 year ago
Hi @ioshumer. Well, I'm not sure, to be honest, I haven't quite played around with confidential clients and their exchanges. I'd expect that you need to pass on both secrets, i.e. for both clients when you wish to make an exchange from one to another, which would then require an additional argument for the exchange token method. But I might be mistaken :)
It needs some experimentation from my side, but otherwise sounds like a reasonable request :)
I agree with @ioshumer: `client_secret: str` is missing in the `exchange_token()` args.
For instance, if the goal is to exchange the source_client token for a token for the target_client that can be refreshed by this last, the exchange has to be initiated from the target_client. In this case, the target client's credentials must be provided during the exchange, e.g.:

```python
import requests

# tgt_client_id, tgt_client_secret, src_access_token and token_endpoint are
# placeholders for the target client's credentials, the source client's access
# token and the realm's openid-connect/token URL.
data = {
    "client_id": tgt_client_id,
    "client_secret": tgt_client_secret,
    "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
    "subject_token": src_access_token,
    "requested_token_type": "urn:ietf:params:oauth:token-type:refresh_token",
}
exchanged = requests.post(token_endpoint, data=data).json()
```
In case of using the `openid-connect/token` resource of a realm, Keycloak requires a client_id/client_secret combination in the request's body. Here, in the `exchange_token` method of the lib, the following code:

The method `self._add_secret_key` adds the client_secret of the KeycloakOpenID object, which is used as the starting client for the token exchange, instead of adding the target client's secret. Would it be better to append a client_secret parameter to the `exchange_token` method?
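The exchange described in the two comments above, as an added example that is not python-keycloak's own code and not posted by anyone in this thread. It builds the token-exchange form with the target client's own credentials, runs it against a constructed in-memory stand-in for the token endpoint (`FakeKeycloak`, with made-up client ids, secrets and tokens), and shows that supplying the source client's secret instead, which is what the thread says `_add_secret_key` does, is rejected as an unauthorized client. The function and class names are assumptions for this example.

```python
# Added example; not code from python-keycloak or from the thread's authors.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"


def build_exchange_form(target_client_id, target_client_secret, subject_token,
                        requested_token_type=REFRESH_TOKEN_TYPE):
    """Form body for POST .../protocol/openid-connect/token.

    The credentials are the *target* client's: the server authenticates the
    client that initiates the exchange, and a refresh token is only useful to
    the client that will later refresh it.
    """
    if not target_client_secret:
        raise ValueError("confidential target client needs its own client_secret")
    return {
        "client_id": target_client_id,
        "client_secret": target_client_secret,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "requested_token_type": requested_token_type,
    }


def exchange_token(post, token_endpoint, **kwargs):
    """Run the exchange through an injected `post(url, data=form) -> dict`.

    In production pass e.g. `lambda url, data: requests.post(url, data=data).json()`;
    here the fake server below is used so the example runs offline. An OAuth
    error body is raised rather than returned as if it were a token.
    """
    body = post(token_endpoint, data=build_exchange_form(**kwargs))
    if "error" in body:
        raise PermissionError(f"{body['error']}: {body.get('error_description', '')}")
    return body


class FakeKeycloak:
    """Constructed stand-in for the token endpoint (hypothetical, not Keycloak).

    It checks client_id/client_secret the way a server does, so the wrong
    secret fails exactly as the thread reports.
    """

    def __init__(self, clients, valid_subject_tokens):
        self.clients = clients                      # {client_id: client_secret}
        self.valid_subject_tokens = valid_subject_tokens

    def post(self, url, data):
        cid, secret = data.get("client_id"), data.get("client_secret")
        if self.clients.get(cid) != secret:
            return {"error": "unauthorized_client",
                    "error_description": "Invalid client credentials"}
        if data.get("grant_type") != TOKEN_EXCHANGE_GRANT:
            return {"error": "unsupported_grant_type"}
        if data.get("subject_token") not in self.valid_subject_tokens:
            return {"error": "invalid_token", "error_description": "Invalid subject token"}
        token = {"access_token": f"access-for-{cid}", "token_type": "Bearer"}
        if data.get("requested_token_type") == REFRESH_TOKEN_TYPE:
            token["refresh_token"] = f"refresh-for-{cid}"
        return token


def demo():
    """Exchange the source client's token for one the target client can refresh."""
    server = FakeKeycloak(
        clients={"src-client": "src-secret", "tgt-client": "tgt-secret"},  # constructed
        valid_subject_tokens={"src-access-token"},                          # constructed
    )
    endpoint = "https://keycloak.example/realms/demo/protocol/openid-connect/token"
    # Correct: the target client's own credentials -> refresh token for tgt-client.
    ok = exchange_token(server.post, endpoint, target_client_id="tgt-client",
                        target_client_secret="tgt-secret", subject_token="src-access-token")
    # Wrong: the source client's secret (what _add_secret_key supplies, per the
    # thread) paired with the target client's id -> rejected by the server.
    try:
        exchange_token(server.post, endpoint, target_client_id="tgt-client",
                       target_client_secret="src-secret", subject_token="src-access-token")
        rejected = False
    except PermissionError:
        rejected = True
    return ok, rejected


if __name__ == "__main__":
    token, rejected = demo()
    print(token, "| wrong secret rejected:", rejected)
```

The `post` callable is injected so the request-building and error-handling logic can be exercised without a live realm; the same `exchange_token` works unchanged against a real server once a `requests`-based poster is supplied.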