Unable to reproduce keycloak direct naked impersonation

橙三吉。 submitted on 2021-01-28 09:06:19

Question


After some effort, I am still unable to reproduce the direct naked impersonation feature with OIDC.

refs: https://www.keycloak.org/docs/latest/securing_apps/#direct-naked-impersonation

I get the same error every time.

curl -X POST http://localhost:8080/auth/realms/iot/protocol/openid-connect/token \
  -d "client_id=backend-service" \
  -d "client_secret=f0ead74d-c3eb-47c5-82fd-d8fccc5e5096" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "requested_subject=1c04c634-a64a-4905-b87f-e654ca01b889"
{"error":"access_denied","error_description":"Client not allowed to exchange"}

Below is my development configuration.

$ cat docker-compose.yaml

version: '2.4'

volumes:
  postgres_data:
      driver: local

services:
  postgres:
      image: postgres:12-alpine
      volumes:
        - postgres_data:/var/lib/postgresql/data
      environment:
        POSTGRES_DB: keycloak
        POSTGRES_USER: postgres
        POSTGRES_PASSWORD: postgres
      ports:
        - 5432:5432
  keycloak:
      image: jboss/keycloak:10.0.1
      environment:
        DB_VENDOR: POSTGRES
        DB_ADDR: postgres
        DB_DATABASE: keycloak
        DB_USER: postgres
        DB_SCHEMA: public
        DB_PASSWORD: postgres
        KEYCLOAK_USER: admin
        KEYCLOAK_PASSWORD: admin
        #JDBC_PARAMS: "ssl=true"
      ports:
        - 8080:8080
      volumes:
        - /etc/localtime:/etc/localtime:ro
      command: -Dkeycloak.profile=preview
      depends_on:
        - postgres

realm-export.json https://gist.github.com/whisper-bye/20c86de26459efe641008ba5f448f3f1


Answer 1:


In your export there is no policy that permits a specific client to use the impersonation feature.

Example from my Realm:

{
        "id": "7588d6d2-82b6-42ef-9bd0-e9c01a2dc92b",
        "name": "admin-impersonating.permission.users",
        "description": "Client foo may impersonate any user",
        "type": "scope",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "config": {
          "resources": "[\"Users\"]",
          "scopes": "[\"impersonate\"]",
          "applyPolicies": "[\"foo client-policy\"]"
        }
      }

You can configure this at Manage/Users on the left and then "Permissions" on the right. This menu item only appears when starting Keycloak with -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled!

Then click on "impersonate" and make sure "Apply Policy" has something set.
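A way to check an export for exactly this gap, as an added example that is not part of the question or the answer above: the script below walks the realm-management client's authorizationSettings in a realm-export.json and lists which clients hold the "impersonate" scope on the "Users" resource through a client policy. The export fragment embedded in it is constructed for the example; it mirrors the policy excerpt from the answer and assumes the usual export layout (a client policy of type "client" listing the allowed clientIds under config.clients, and list-valued config entries stored as JSON strings inside the JSON document). The function names are the example's own.

```python
import json

# Constructed sample realm export (not the asker's realm-export.json): only the
# parts a permission check needs.  It mirrors the policy excerpt in the answer
# and assumes the usual export layout, where fine-grained permissions live under
# the realm-management client's authorizationSettings and list-valued policy
# config entries are JSON-encoded strings inside the JSON document.
SAMPLE_EXPORT = {
    "realm": "iot",
    "clients": [
        {"clientId": "backend-service", "publicClient": False},
        {"clientId": "foo", "publicClient": False},
        {
            "clientId": "realm-management",
            "authorizationSettings": {
                "resources": [
                    {"name": "Users", "type": "Users",
                     "scopes": [{"name": "impersonate"}, {"name": "view"}]}
                ],
                "policies": [
                    {
                        "name": "foo client-policy",
                        "type": "client",
                        "logic": "POSITIVE",
                        "config": {"clients": "[\"foo\"]"},
                    },
                    {
                        "name": "admin-impersonating.permission.users",
                        "description": "Client foo may impersonate any user",
                        "type": "scope",
                        "logic": "POSITIVE",
                        "decisionStrategy": "UNANIMOUS",
                        "config": {
                            "resources": "[\"Users\"]",
                            "scopes": "[\"impersonate\"]",
                            "applyPolicies": "[\"foo client-policy\"]",
                        },
                    },
                ],
            },
        },
    ],
}


def config_list(policy, key):
    """Decode a list-valued policy config entry (a JSON string inside JSON)."""
    return json.loads(policy.get("config", {}).get(key, "[]"))


def impersonation_clients(export):
    """Return the clientIds allowed to impersonate users in this export.

    A client qualifies when a scope permission covering resource "Users" and
    scope "impersonate" applies a POSITIVE policy of type "client" that lists
    it.  Aggregated, role or group policies are not followed here: they need a
    user context, not just a client, and the answer's example is a client policy.
    """
    realm_mgmt = next(
        (c for c in export.get("clients", []) if c.get("clientId") == "realm-management"),
        None,
    )
    if not realm_mgmt or "authorizationSettings" not in realm_mgmt:
        return set()  # fine-grained admin permissions were never enabled

    policies = realm_mgmt["authorizationSettings"].get("policies", [])
    by_name = {p["name"]: p for p in policies}
    allowed = set()
    for perm in policies:
        if perm.get("type") != "scope":
            continue
        if "Users" not in config_list(perm, "resources"):
            continue
        if "impersonate" not in config_list(perm, "scopes"):
            continue
        for name in config_list(perm, "applyPolicies"):
            pol = by_name.get(name, {})
            if pol.get("type") == "client" and pol.get("logic", "POSITIVE") == "POSITIVE":
                allowed.update(config_list(pol, "clients"))
    return allowed


def can_impersonate(export, client_id):
    """True when client_id holds the impersonate permission the answer describes."""
    return client_id in impersonation_clients(export)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            export = json.load(fh)
    else:
        export = SAMPLE_EXPORT
    for cid in ("backend-service", "foo"):
        print(f"{cid}: {'allowed' if can_impersonate(export, cid) else 'NOT allowed'}")
```

Run it against a real export with `python check_impersonation.py realm-export.json` (the filename is arbitrary). If the client that is sending the token-exchange request is not in the returned set, the realm has no client policy granting it the impersonate scope on Users, which is the situation the answer describes; a NEGATIVE client policy or a permission on a different resource does not count, so check those by hand if the script reports nothing but the Permissions tab shows entries.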



Source: https://stackoverflow.com/questions/62148383/unable-to-reproduce-keycloak-direct-naked-impersonation
