Dynamic Client registration with Token Exchange

Hi Members,

Our requirement is to enable users to create their own OIDC/OAuth2 clients with a definite scope.

We have a web application integrated with Keycloak through a client, say "AppClient", with which users authenticate and get their OIDC token and access token.

We also have another client, say "AppAdmin", with the service account (client credentials) grant enabled and the service account roles "Create client" and "Manage Client".

Now we are trying to exchange the user's access token from AppClient for a new access token for the "AppAdmin" client, but with this exchanged token I am not able to create/register a new client.
I am getting the error response insufficient_scope.

I would very much appreciate it if you could advise on how to achieve our use case.

Thanks in advance.

Regards,
Narendra

Step 1: User authentication to get an OIDC token and access token (ClientId: AppClient)

Request:
curl --location --request POST 'http://localhost:8080/auth/realms/MyFirstRealm/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Cookie: AUTH_SESSION_ID_LEGACY=ecfa1c43-a80c-41c6-9cfa-fdc5d4ce4af7.vpn-100' \
  --data-urlencode 'client_id=AppClient' \
  --data-urlencode 'client_secret=f81a92f6-d5b0-4b06-ad28-6dd1d4698b10' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'scope=MyFirstClientScope openid' \
  --data-urlencode 'username=achalla' \
  --data-urlencode 'password=admin'

Step 2: Exchange the access token for a different client's access token (ClientId: AppAdmin)

Request:
curl --location --request POST 'http://localhost:8080/auth/realms/MyFirstRealm/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Cookie: AUTH_SESSION_ID_LEGACY=ecfa1c43-a80c-41c6-9cfa-fdc5d4ce4af7.vpn-100' \
  --data-urlencode 'subject_token=eyJhbGciOiJSUzI1NiIsInR5cCIgO***********' \
  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
  --data-urlencode 'client_id=AppClient' \
  --data-urlencode 'client_secret=f81a92f6-d5b0-4b06-ad28-6dd1d4698b10' \
  --data-urlencode 'audience=AppAdmin' \
  --data-urlencode 'request_token_type=urn:ietf:params:oauth:token-type:access_token'

Step 3: Use the new access token for client registration

Request:

curl --location --request POST 'http://localhost:8080/auth/realms/MyFirstRealm/clients-registrations/openid-connect' \
  --header 'Authorization: Bearer eyJhbcGciOiJSUzI1N*************' \
  --header 'Content-Type: application/json' \
  --header 'Cookie: AUTH_SESSION_ID_LEGACY=ecfa1c43-a80c-41c6-9cfa-fdc5d4ce4af7.vpn-100' \
  --data-raw '{
    "client_name": "MyClient"
  }'

Response:

{
  "error": "insufficient_scope",
  "error_description": "Forbidden"
}

Also, I tried the following two cases:

  1. Using grant_type=password on "ClientAdmin", I got an access token and tried to register a new client, and got an insufficient_scope error.

  2. Using grant_type=client_credentials on "ClientAdmin", I got an access token and registered a new client successfully.

I suspect that only the client_credentials grant type can fetch the entitlements from the service account roles and push them into the access token.
Access tokens generated with other grant types do not get those entitlements, and so they fail when creating/registering the new client.
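A quick way to confirm this suspicion is to decode the payload of each token from the steps above and compare the `realm-management` client roles it carries. Keycloak's client registration service authorizes a bearer token by the `create-client` / `manage-clients` roles of the built-in `realm-management` client, which appear in the token under `resource_access`, not by the OAuth2 `scope` string. The script below is an added example and is not from the original post or from Keycloak; the two sample tokens are constructed and unsigned, and the decoder deliberately skips signature verification, so it is for local inspection only, never for accepting tokens.

```python
"""Inspect which realm-management roles a Keycloak access token carries.

Diagnostic helper (added example, not Keycloak code): the client registration
endpoint accepts a bearer token only if it holds create-client or manage-clients
on the realm-management client. Decoding here does NOT verify the signature.
"""
import base64
import json

REALM_MGMT_CLIENT = "realm-management"
REGISTRATION_ROLES = {"create-client", "manage-clients"}


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def realm_management_roles(claims: dict) -> set:
    """Client roles granted on the realm-management client, if any."""
    resource_access = claims.get("resource_access", {})
    return set(resource_access.get(REALM_MGMT_CLIENT, {}).get("roles", []))


def can_register_clients(claims: dict) -> bool:
    """True when the token carries at least one role the registration endpoint accepts."""
    return bool(realm_management_roles(claims) & REGISTRATION_ROLES)


def diagnose(token: str) -> str:
    """One-line verdict for a token: who requested it and whether registration would pass."""
    claims = decode_jwt_claims(token)
    roles = sorted(realm_management_roles(claims))
    who = f"azp={claims.get('azp')} user={claims.get('preferred_username')}"
    if can_register_clients(claims):
        return f"ok: {who} realm-management roles={roles}"
    return (f"insufficient_scope expected: {who} has realm-management roles {roles}, "
            f"needs one of {sorted(REGISTRATION_ROLES)}")


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _fake_token(claims: dict) -> str:
    """Build an unsigned token for testing (constructed sample, not a real Keycloak token)."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}.sig"


# Constructed samples modelled on the two cases in the post (claim values are assumptions).
SERVICE_ACCOUNT_TOKEN = _fake_token({
    "azp": "AppAdmin",
    "preferred_username": "service-account-appadmin",
    "resource_access": {
        "realm-management": {"roles": ["create-client", "manage-clients"]},
    },
})
EXCHANGED_TOKEN = _fake_token({
    "azp": "AppClient",
    "aud": "AppAdmin",
    "preferred_username": "achalla",
    "resource_access": {"account": {"roles": ["manage-account"]}},
})

if __name__ == "__main__":
    print(diagnose(SERVICE_ACCOUNT_TOKEN))
    print(diagnose(EXCHANGED_TOKEN))
```

Run it against the real tokens from Step 1, Step 2 and the client_credentials case by passing them to `diagnose()`: if the exchanged token reports no `realm-management` roles while the service account token reports both, the token exchange is carrying the user's own role mappings rather than AppAdmin's service account roles, which is exactly what the `insufficient_scope` response says.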

Please suggest if there is any workaround for the above use case, so that an audit log can show us which user registered the new clients.

Also, is there any way to restrict users to managing/deleting only the clients they created?

References:
Token Exchange (7.1 Only)
Client Registration