How to solve - Keycloak - Client not allowed to exchange

Question

I tried to implement Keycloak direct naked impersonation from documentation, but in the end I got the error:

"error": "access_denied",
"error_description": "Client not allowed to exchange"

This is the Postman setup, with the admin-cli, clientId and with the user, justin, that I want to get the token for, that exists in the Users section.

The admin-cli secret that I used in Postman:

I followed all the steps that are in the Keycloak Direct Naked Impersonation documentation.

1. Toggle Users Permissions Enabled to On.

2. Define a policy for this permission.

3. Add the client policy, "client-impersonators" in my case, to the users' impersonation permission

4. This is the request setup that Keycloak recommads to have this direct naked impersonation working. You saw this in my above Postman setup.

curl -X POST \
    -d "client_id=starting-client" \
    -d "client_secret=the client secret" \
    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
    -d "requested_subject=wburke" \
    http://localhost:8080/realms/myrealm/protocol/openid-connect/token

Inside Docker I have the setup for token_exchange=enabled and admin_fine_grained_authz=enabled

- name: "KEYCLOAK_EXTRA_ARGS"
  value: "-Dkeycloak.profile.feature.admin=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled"

I searched days after days about this topic and I tested all the available options that are on internet right now, about this subject, but without any success.

Please anyone if this worked for you, be nice an share how you solved. Or at least please give some ideas, maybe I missed something.

New Policy created for user-impersonate, where I added the user Justin

Then inside the Permissions I added this Policy

Answer 1

The problem is that the documentation contains an image that is wrong, namely:

It should have been a Client Policy with the client admin-cli instead of the user admin.

For instance:

So, you need 2 policies/permissions:

1. impersonate (i.e., Policies that decide if administrator can impersonate other users), where you create a Client Policy and pass the client "admin-cli" (in your case);
2. user-impersonated (i.e., Policies that decide which users can be impersonated. These policies are applied to the user being impersonated), where you create a User Policy and pass the user "justin" (in your case).

---

Step-by-Step : KC 20.0.3 new UI

(Side note you should use other realm and client instead of the master and admin-cli at least in a production environment)

Enable the secret in the admin-cli:

• go to master > clients > admin-cli
• set Client authentication to ON

Create the two Policies: 1 Client Policy and 1 User Policy

• go to master > clients > master-realm
• click on the Authorization tab
• click on the Policies sub-tab

• click on Create policy, and then Client
• name it something (e.g., Client-impersonator)
• add admin-cli to the Client field and click Save

Repeat again the aforementioned steps, but this time create a User Policy for the user that will be impersonated (i.e., justin in your case)

Add the Policies to the corresponded scopes/permissions:

• go to Users
• go to the tab Permissions
• set Permissions enabled to ON
• click on impersonate
• select the policy corresponded to the client admin-cli (e.g., policy named Client-impersonator)
• click on Save

• go again to Users
• go to the tab Permissions
• this time select user-impersonated
• and select the policy for the impersonated user (i.e., justin)

Perform the request:

curl -X POST \
    -d "client_id=admin-cli" \
    -d "client_secret=8AEx99Ob4Hc8oricSGnii6x4Rs57g4ny" \
    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
    -d "requested_subject=justin" \
    http://0.0.0.0:8080/realms/master/protocol/openid-connect/token