Closed as not planned
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
token-exchange
Describe the bug
I set up an identity provider for Zoho (as OpenID). I managed to link my user to a Zoho account and can confirm it; I'm also able to log in to Keycloak via Zoho. But it fails when I try to make an internal-to-external token exchange.
Version
26.1.1
Regression
- The issue is a regression
Expected behavior
Be able to perform internal to external token exchange
Actual behavior
When I do a token-exchange request (exchanging Keycloak's token for Zoho's) I get an error that no linked account is found. Following the link gives me "We're sorry. Invalid request."
Request
```
curl --request POST \
  --url http://localhost:8080/realms/portfolio/protocol/openid-connect/token \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=urn:ietf:params:oauth:grant-type:token-exchange \
  --data 'client_id={{client_id}}' \
  --data 'client_secret={{client_secret}}' \
  --data requested_token_type=urn:ietf:params:oauth:token-type:access_token \
  --data requested_issuer=zoho \
  --data 'subject_token={{access_token}}'
```
Response
```
{
  "error_description": "identity provider is not linked, can only link to current user session",
  "account-link-url": "http://localhost:8080/realms/portfolio/broker/zoho/link?nonce=2c210291-9706-492e-ae76-886f4ef2165e&hash=CszIxxDO6l96mKGg4NP_65Hdw6s5NGhAJNOjq7WhbLw&client_id=portfolio",
  "error": "not_linked"
}
```
How to Reproduce?
Create identity broker for Zoho, link user to Zoho account, perform token-exchange (internal to external)
https://www.zoho.com/accounts/protocol/oauth/sign-in-using-zoho.html
https://api-console.zoho.com/
Anything else?
No response
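An added example, not part of the original issue and not Keycloak's own code: one way a client could interpret the token-exchange response shown above, returning the `account-link-url` only when it points at the expected broker link endpoint on the expected server. The function name, the status labels and the `untrusted_link_url` error label are hypothetical; the expected path layout and query parameters are assumptions taken from the response in this report.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Response body copied from the issue above.
SAMPLE_RESPONSE = json.dumps({
    "error_description": "identity provider is not linked, can only link to current user session",
    "account-link-url": "http://localhost:8080/realms/portfolio/broker/zoho/link"
                        "?nonce=2c210291-9706-492e-ae76-886f4ef2165e"
                        "&hash=CszIxxDO6l96mKGg4NP_65Hdw6s5NGhAJNOjq7WhbLw&client_id=portfolio",
    "error": "not_linked",
})


def interpret_exchange_response(raw_json, base_url, realm, idp_alias):
    """Classify a token-exchange response as 'token', 'link_required' or 'error'.

    base_url, realm and idp_alias describe the deployment the client expects
    to talk to; a link URL that does not match them is reported, not followed.
    """
    body = json.loads(raw_json)
    if "access_token" in body:
        # Successful exchange: the external provider's token is in the body.
        return {"status": "token", "access_token": body["access_token"]}
    if body.get("error") != "not_linked":
        return {"status": "error", "error": body.get("error"),
                "detail": body.get("error_description")}

    link_url = body.get("account-link-url", "")
    link, base = urlsplit(link_url), urlsplit(base_url)
    query = parse_qs(link.query)
    # Path layout and parameter names are taken from the response in the issue.
    expected_path = f"/realms/{realm}/broker/{idp_alias}/link"
    trusted = ((link.scheme, link.netloc) == (base.scheme, base.netloc)
               and link.path == expected_path
               and all(k in query for k in ("nonce", "hash", "client_id")))
    if not trusted:
        # Hypothetical error label used by this example only.
        return {"status": "error", "error": "untrusted_link_url", "detail": link_url}
    return {"status": "link_required", "link_url": link_url,
            "client_id": query["client_id"][0]}


if __name__ == "__main__":
    print(interpret_exchange_response(SAMPLE_RESPONSE, "http://localhost:8080",
                                      "portfolio", "zoho"))
```
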