diff --git a/docs/CONFIGURE_TOKEN_EXCHANGE.md b/docs/CONFIGURE_TOKEN_EXCHANGE.md new file mode 100644 index 0000000..daed1d1 --- /dev/null +++ b/docs/CONFIGURE_TOKEN_EXCHANGE.md @@ -0,0 +1,40 @@ +# Configure token-exchange in Keycloak + +There are a few different types of token-exchange available in Keycloak. +The type needed for exchanging an external Apple token for a Keycloak token is **external token to keycloak token**. + +## Dependencies + +In order for token-exchange to work you need to enable `token-exchange` and `admin-fine-grained-authz` preview features in Keycloak (see this [Dockerfile](docs/README_docker_installation.md) or [here](https://www.keycloak.org/securing-apps/token-exchange)). + +## Grant permissions to Apple identity provider + +After enabling the features from above you need to grant the Apple identity provider the permission to exchange tokens. + +### 1. Create a client with default settings (optional if you already have a client you want to use) + +create new client + +### 2. Configure permissions and policies + +1. Enable permissions on your client +enable permissions for client + +2. Create a token-exchange permission on your client +create token-exchange permission for client + +3. Hit save and click into the **Policies** field to create a new policy. + +4. Create a policy for your client +create policy for client + +5. Navigate to the Apple Identity Provider and enable permissions +enable permissions on Apple IDP + +6. Create a token-exchange permission on the Apple Identity Provider +create token-exchange permission on Apple IDP + +--- + +**References** +- https://www.keycloak.org/securing-apps/token-exchange
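Review bot: the link in "see this [Dockerfile](docs/README_docker_installation.md)" is relative to the new file's own location under docs/, so it resolves to docs/docs/README_docker_installation.md and will 404; use `[Dockerfile](README_docker_installation.md)` (or a repo-root path) instead. Step 4, "Create a policy for your client", also needs to say which policy type to create and which client it must match: that policy is what decides who is allowed to exchange an external Apple token for a Keycloak token, so the doc should state that it is a client policy restricted to the client created in step 1, not a policy matching any client, and say the same for the permission added on the Apple Identity Provider in step 6. Finally, the bare lines "create new client", "enable permissions for client", "create token-exchange permission for client", "create policy for client", "enable permissions on Apple IDP" and "create token-exchange permission on Apple IDP" read like image alt text with no image reference; either add the screenshot links (`![create new client](...)`) or drop the lines.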