Open
Description
This epic follows up on #31546 to collect tasks related to external to internal token exchange.
📌 References
- Discussion: GitHub Discussion #40144
- Design Document: External to Internal Token Exchange
✅ Core Tasks
- Introduce external-internal token exchange provider #40146
- More appropriate verification of external token #40132
- Consider creating ExternalToInternalTokenExchangeTest for external to internal token exchange v2 #40198
- External-internal token exchange independent from FGAP v1 #40855
- Improvements to how the IDP is identified from the external subject_token #40832
- Checking if client is allowed to exchange given subject_token issued by the IDP #40911
- Make sure user is not created during external-internal token exchange #40895
- Avoid creating user session during external-internal token exchange #40896
- Issuing the internal token during external-internal token exchange #40897
- Doublecheck event details during external-internal token exchange #40900
🧩 Related Issues
These issues are related to external-internal token exchange. They should be triaged and evaluated to determine whether they are required for full support.
- External token (not issued by Keycloak) cannot be validated in token exchange flow in case user info check is disabled #33332
- For external-to-internal token exchange when using the userinfo endpoint, information from access or ID token can't be extracted #37988
- Allow for token-exchange with refresh-token of IDP #29313
- NPE when no subject_issuer is used for token exchange #34869
- External-to-internal token exchange doesn't work without user info #12546
- Exchanging Google ID Token for Keycloak Access Token results in Error with reason "subject_token_type invalid" #20042
- It should be possible to prevent user creation when using token exchange (external to internal) #12548
- External Token Exchange through UserInfo doesn't work with signed response #20185
- User attributes don't get copied when token exchange (external to internal) #16426
- External to Internal Token Exchange validation behavior with JWT subject_token_type does not work as described within the documentation #14922
- Can we avoid creation of user session when requested_token_type is access token? #36295
- Token Exchange Requires Additional Login After Upgrade to 26.1.0 #37725
- Cannot select idp.resource.${someId} to create token-exchange policy for Identity Provider #34682