Checking if client is allowed to exchange given subject_token issued by the IDP · Issue #40911 · keycloak/keycloak · GitHub
Checking if client is allowed to exchange given subject_token issued by the IDP #40911
Open
@mposolda

Description

This is to check whether, during external-internal token exchange, the internal client `foo` is allowed to exchange the token which was issued by the IDP `bar`.

Current behaviour: In token-exchange:v1, the verification is done by FGAP. It requires FGAP:v1 to be enabled instead of the supported FGAP:v2.

Proposal: For token-exchange-external-internal:v2, we will not rely on FGAP, similarly to how we do not rely on it for standard token exchange.

The details are mentioned in the Google doc: https://docs.google.com/document/d/1hmUpMfvAwyRBvUhCD01IEGNjx1yIh9a8FpGCQlmrOno/edit?tab=t.0#heading=h.b1u2si558myi
