I was exploring token exchange, so I set a role policy on token exchange to only permit token exchange for the foo client if in possession of the role bar:token-exchange.
Since bar is always going to do token exchange, I used a hardcoded role, set up as a mapper in bar, so that I don't have to set it every time for every user. But the policy never triggers, because even though bar's token has bar:token-exchange, that isn't part of the evaluation when Keycloak evaluates the policy for token exchange.
(I'm using this role as a proxy for "only bar tokens can be exchanged". I know I could use a client policy, but a client policy means it could use any other client's token for the exchange, whereas I only want to allow exchange using bar's tokens.)
Should this be considered a bug?
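Before deciding whether this is a bug, it helps to pin down two concrete things: what bar's token actually carries (where Keycloak puts a client role versus a realm role in the access token) and what the exchange request sends to the token endpoint. The Python below is an added example, not the poster's configuration and not Keycloak's code. The realm name, base URL, client ids, secret and the unsigned sample token are all constructed for illustration; the grant and token-type URNs are the RFC 8693 values Keycloak's token endpoint accepts, and the realm_access / resource_access claim layout is Keycloak's standard one.

```python
"""Offline helpers for inspecting a Keycloak token-exchange request.

Added example, not the poster's setup. Client ids, realm name, base URL and
the sample token are constructed for illustration.
"""
import base64
import json
from typing import Optional, Tuple
from urllib.parse import urlencode

# Grant and token-type URNs from RFC 8693, which Keycloak's token endpoint accepts.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    Only for looking at what a token carries while debugging; never make an
    authorization decision on an unverified payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def has_role(claims: dict, role: str, client: Optional[str] = None) -> bool:
    """Check a Keycloak access token for a realm role or a client role.

    Keycloak places realm roles under realm_access.roles and client roles
    under resource_access.<client-id>.roles, so a client role of bar is not
    visible under realm_access and vice versa.
    """
    if client is None:
        return role in claims.get("realm_access", {}).get("roles", [])
    return role in claims.get("resource_access", {}).get(client, {}).get("roles", [])


def build_exchange_request(base_url: str, realm: str, client_id: str, client_secret: str,
                           subject_token: str, audience: Optional[str] = None) -> Tuple[str, str]:
    """Build the URL and x-www-form-urlencoded body of a Keycloak token-exchange request.

    The requesting client (client_id/client_secret) is the one whose exchange
    permission is checked; subject_token is the token being exchanged and
    audience is the client the new token should be issued for.
    """
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
    }
    if audience:
        form["audience"] = audience
    return url, urlencode(form)


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned (alg=none) token standing in for one Keycloak issued to bar."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


# Constructed claims: what a token issued to client bar would look like if the
# hardcoded-role mapper adds bar's client role "token-exchange".
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example/realms/demo",  # constructed issuer
    "sub": "user-1234",                              # constructed subject
    "azp": "bar",                                    # token was issued to client bar
    "realm_access": {"roles": ["default-roles-demo"]},
    "resource_access": {"bar": {"roles": ["token-exchange"]}},
}


def demo() -> Tuple[bool, str, str]:
    """Show that the sample token carries bar's role, then build the exchange request."""
    token = make_unsigned_jwt(SAMPLE_CLAIMS)
    claims = jwt_payload(token)
    carries_role = has_role(claims, "token-exchange", client="bar")
    url, body = build_exchange_request("https://keycloak.example", "demo", "bar", "s3cret",
                                       token, audience="foo")
    return carries_role, url, body


if __name__ == "__main__":
    ok, url, body = demo()
    print("subject token carries bar's token-exchange role:", ok)
    print("POST", url)
    print(body)
```

Pasting a real token issued to bar into jwt_payload and calling has_role with client="bar" confirms whether the mapper actually lands the role in the token (and under which claim), which separates "the role is missing from the token" from "the role is present but the policy does not see it".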