I’m stuck on an “Invalid token” error when brokering Auth0 tokens through Keycloak. The issue shows up for both the client credentials and the password (ROPC / Direct-Access) grants, and I can’t see what I’m missing. Any pointers would be greatly appreciated!
| Component | Version / Build |
|---|---|
| Keycloak | 26.3.0 (Quarkus tar-ball, also tested with other versions) — started with KC_FEATURES=token-exchange,admin-fine-grained-authz |
| Auth0 tenant | EU – free tier |
| Flows tested | ① client_credentials → KC external token exchange ② password (ROPC) → KC external token exchange |
**client_credentials path**

1. KC service-account token

   ```
   POST /protocol/openid-connect/token
   grant_type=client_credentials
   client_id=broker-script
   ```

   → returns KC_SUBJECT_TOKEN (OK).

2. External exchange KC → Auth0

   ```
   grant_type          = urn:ietf:params:oauth:grant-type:token-exchange
   subject_token_type  = urn:ietf:params:oauth:token-type:access_token
   subject_token       = KC_SUBJECT_TOKEN
   requested_issuer    = auth0
   audience            = http://localhost:8080/realms/my-oauth-realm
   ```

   → fails:

   ```
   {"error":"invalid_request","error_description":"Invalid token"}
   ```

**password (ROPC) path**

1. Auth0 ROPC call

   ```
   POST https://<tenant>.us.auth0.com/oauth/token
   grant_type        = password
   client_id / secret = same M2M app
   username / password = valid test user
   audience          = http://localhost:8080/realms/my-oauth-realm
   scope             = openid profile email
   ```

   → Auth0 returns AUTH0_ACCESS_TOKEN (OK).

2. Exchange that token inside KC

   ```
   grant_type          = urn:ietf:params:oauth:grant-type:token-exchange
   subject_token_type  = urn:ietf:params:oauth:token-type:access_token
   subject_token       = AUTH0_ACCESS_TOKEN
   audience            = account-console
   ```

   → same Invalid token error.