Keycloak configuration

1. Create a new client "token-exchange"

Screenshot: Create client

2. Grant the service-account role "manage-users" to the "token-exchange" client

Screenshot: Grant role

3. Create a client scope mapper "Audience" for the "token-exchange" client

This is only needed because Keycloak does not support requesting a specific audience for the exchanged token (see keycloak/keycloak#17668).

Screenshots: Create scope step 1, Create scope step 2, Create scope step 3

Important: make sure there is a mapper that writes the username property into the `sub` claim!

4. Create a new client policy "token-exchange" with positive logic

Screenshots: Create policy step 1, Create policy step 2

5. Grant the token-exchange permission on the "portal" client and assign the "token-exchange" policy to it

Screenshots: Grant token exchange permission step 1, Grant token exchange permission step 2

6. Grant the impersonate permission on the Users permissions tab and assign the "token-exchange" policy to it

Screenshots: Grant impersonate permission step 1, Grant impersonate permission step 2
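As an added example (not part of this page or of Keycloak itself), the request the "token-exchange" client sends once steps 1 to 6 are in place, plus a check that the returned token carries what the step 3 mappers are supposed to produce: the username in `sub` and "portal" in `aud`. The base URL, realm, client secret and username are assumed placeholders, and the sample token is constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def build_impersonation_request(base_url, realm, client_id, client_secret, requested_subject):
    """URL and form body the "token-exchange" client sends to get a token for another user.
    No "audience" parameter is sent: the "Audience" mapper from step 3 puts "portal" into aud."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = {"grant_type": GRANT, "client_id": client_id, "client_secret": client_secret,
            "requested_subject": requested_subject}
    return url, form


def exchange_token(base_url, realm, client_id, client_secret, requested_subject):
    """Send the request and return the parsed JSON response (requires a live Keycloak)."""
    url, form = build_impersonation_request(base_url, realm, client_id, client_secret, requested_subject)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token):
    """Decode a JWT payload for claim inspection; this does not verify the signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_exchanged_token(token, expected_username, expected_audience="portal"):
    """List mismatches against the mappers from step 3: sub must hold the username
    (the "Important" note) and aud must contain the target client. Empty list means OK."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("sub") != expected_username:
        problems.append(f"sub is {claims.get('sub')!r}, expected {expected_username!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_audience not in aud:
        problems.append(f"aud {aud!r} does not contain {expected_audience!r}")
    return problems


# Constructed sample token (placeholder signature) standing in for a real Keycloak response.
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                         _b64url(json.dumps({"sub": "alice", "aud": ["portal", "account"]}).encode()),
                         "placeholder-signature"])
```

The check only inspects claims; the consumer of the token still validates the signature and issuer as usual.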