Enable Token Storage in the Identity Provider:
You need to enable the option ' Store Tokens '. This will store the tokens from the Identity Provider ( IDP ) for its lifecycle to be able to exchange in the future.
Configure Permissions for Token Storage for the Identity Provider :
- Click on the ' Permissions ' tab and enable permissions for this identity provider. Once enabled click on the ' token-exchange ' permission and edit it.
- Edit the token exchange permission and click the drop-down ' Client Policy ' and select the option ' Client '.
- Add a Client Policy for the client by clicking the ' Clients ' drop-down and selecting your admin client. Once you save these policies we need to go back to the Identity Provider permissions and assign this newly created policy to the ' token-exchange ' section.
- Once you save the policy from the above step we need to go back to the IDP token-exchange policies. To do that go to Identity Provider → Select Identity Provider → Permissions tab → Edit ' token-exchange '. Now in the drop-down search for the policy, we created earlier and assign it to this Identity Provider.
Now you should be able to use the token endpoint in IAM to exchange Internal tokens(Realm/Client) for External tokens(Identity provider, i.e. Authenticate)