Keycloak v26 Issue - OIDC Token Exchange Error - ExtJWT

Hi all,

Is anyone else having this issue?

Ever since we upgraded to Keycloak v26, we get an error message where Standard Token Exchange is not possible unless the Keycloak client is using Client authentication. Because of this, our Ziti sessions would drop after the initial access token lifespan expired (which I had set to 15 minutes). To solve this, I have set my Access token lifespan 8 hours for the time being

After 15 minutes we would get these logs on Keycloak and Ziti Windows logs

Keycloak Logs
TOKEN_EXCHANGE_ERROR
reason Standard token exchange is not enabled for the requested client
auth_method token_exchange
grant_type urn:ietf:params:oauth:grant-type:token-exchange
client_auth_method client-secret
error invalid_request

Ziti Logs
refresh_cb() OIDC token refresh failed: 400[{ "error": "invalid_request", "error_description": "Invalid token type, must be access token" }]

I think something changed with keycloak 26 Standard Token Exchange is now officially supported in Keycloak 26.2 - Keycloak

If I want to enable standard token exchange on the client I need to have Client Authentication configured, which is not an option in the ziti console as far as I can tell?

Again thank you all for your time and help!

I only use my keycloak instance in short bursts usually however I do have a keycloak 26 instance setup with defaults. I connected my tunneler and I'll let it sit for "a while" (over 30 minutes now) to see if it ends up losing a session. So far it's been connected and continues to work properly and I have no TOKEN_EXCHANGE_ERROR logs. My setup also uses an Access token.

Currently tokens are set to what I think are the defaults:

• ID token: 5 minutes (300s)
• Access token: 5 minutes (300s)
• Refresh token: 30 minutes (1800s)

Is it possible the client is going to sleep for longer than that refresh token duration and not able to obtain a new access token?

Can you grep your logs for "oidc.c" like i have here? One thing I noticed is the refresh window changes from "well before the token limit" to "sorta close to the limit". It seems possible that if that refresh fails, it might cause this issue. From my logs, notice how the

[2025-10-02T11:25:46.524Z]   DEBUG ziti-sdk:oidc.c:784 oidc_client_start() requesting authentication code from auth_url[https://keycloak.zrok.clint.de
[2025-10-02T11:25:46.781Z]    INFO ziti-sdk:oidc.c:416 request_token() requesting token path[https://keycloak.zrok.clint.demo.openziti.org:8446/realms
[2025-10-02T11:25:46.921Z]   DEBUG ziti-sdk:oidc.c:400 token_cb() 200 OK
[2025-10-02T11:25:46.921Z]   DEBUG ziti-sdk:oidc.c:955 oidc_client_set_tokens() using access_token={"exp":1759404645,"iat":1759404345,"auth_time":1759
[2025-10-02T11:25:46.922Z]   DEBUG ziti-sdk:oidc.c:966 oidc_client_set_tokens() scheduling token refresh in 300 seconds
[2025-10-02T11:30:46.923Z]   DEBUG ziti-sdk:oidc.c:1001 refresh_time_cb() refreshing OIDC token
[2025-10-02T11:30:47.093Z]    WARN ziti-sdk:oidc.c:980 refresh_cb() OIDC token refresh failed: 400[{ "error": "invalid_request", "error_description": 
[2025-10-02T11:51:58.795Z]   DEBUG ziti-sdk:oidc.c:1001 refresh_time_cb() refreshing OIDC token
[2025-10-02T11:51:58.961Z]   DEBUG ziti-sdk:oidc.c:974 refresh_cb() token refresh success
[2025-10-02T11:51:58.962Z]   DEBUG ziti-sdk:oidc.c:955 oidc_client_set_tokens() using access_token={"aud":["openziti"],"client_id":"openziti","exp":17
[2025-10-02T11:51:58.964Z]   DEBUG ziti-sdk:oidc.c:966 oidc_client_set_tokens() scheduling token refresh in 1799 seconds
[2025-10-02T11:30:46.923Z]   DEBUG ziti-sdk:oidc.c:1001 refresh_time_cb() refreshing OIDC token
[2025-10-02T11:30:47.093Z]    WARN ziti-sdk:oidc.c:980 refresh_cb() OIDC token refresh failed: 400[{ "error": "invalid_request", "error_description": 
[2025-10-02T11:51:58.795Z]   DEBUG ziti-sdk:oidc.c:1001 refresh_time_cb() refreshing OIDC token
[2025-10-02T11:51:58.961Z]   DEBUG ziti-sdk:oidc.c:974 refresh_cb() token refresh success
[2025-10-02T11:51:58.962Z]   DEBUG ziti-sdk:oidc.c:955 oidc_client_set_tokens() using access_token={"aud":["openziti"],"client_id":"openziti","exp":17
[2025-10-02T11:51:58.964Z]   DEBUG ziti-sdk:oidc.c:966 oidc_client_set_tokens() scheduling token refresh in 1799 seconds

from my logs notice these lines:

[2025-10-02T11:25:46.922Z] DEBUG ziti-sdk:oidc.c:966 oidc_client_set_tokens() scheduling token refresh in 300 seconds
[2025-10-02T11:51:58.964Z] DEBUG ziti-sdk:oidc.c:966 oidc_client_set_tokens() scheduling token refresh in 1799 seconds
[2025-10-02T11:51:58.964Z] DEBUG ziti-sdk:oidc.c:966 oidc_client_set_tokens() scheduling token refresh in 1799 seconds

That 1799 seconds is (imo) dangerously close to the 30m refresh token window. It's so close it feels unintentional to me. I'm going to have @ekoby have a look at this to see if he agrees.

Hi,

Thanks for looking into this!

Here is what I get with the default refresh token settings. Also, I’m on keycloak 26.3.3, i’m not sure if the subversion is making a difference here.

[2025-10-02T18:28:08.354Z]   DEBUG ziti-sdk:oidc.c:784 oidc_client_start() requesting authentication code from auth_url[<redacted>]
[2025-10-02T18:28:08.819Z]    INFO ziti-sdk:oidc.c:416 request_token() requesting token path[<redacted>] auth[<redacted>]
[2025-10-02T18:28:08.908Z]   DEBUG ziti-sdk:oidc.c:400 token_cb() 200 OK
[2025-10-02T18:28:08.908Z]   DEBUG ziti-sdk:oidc.c:955 oidc_client_set_tokens() using access_token={"exp":1759429983,"iat":1759429683,<redacted>"}
[2025-10-02T18:28:08.908Z]   DEBUG ziti-sdk:oidc.c:966 oidc_client_set_tokens() scheduling token refresh in 300 seconds
[2025-10-02T18:33:08.914Z]   DEBUG ziti-sdk:oidc.c:1001 refresh_time_cb() refreshing OIDC token
[2025-10-02T18:33:09.333Z]    WARN ziti-sdk:oidc.c:980 refresh_cb() OIDC token refresh failed: 400[{ "error": "invalid_request", "error_description": "Invalid token type, must be access token" }]

Also, weirdly enough I can still access internal resources even though my token has expired. I am not sure if this is new behavior however in the past I would get locked out.

The Ziti Tunneller shows that I need to login again after the 300 seconds.

image377×453 58.9 KB

Are there plans to add client authentication to Ziti’s OIDC configuration?

(disclaimer: I am a Ziti noob and we should wait to let the experts confirm/deny this thought) but I believe the Ziti client will attempt token exchange with a refresh token rather than an access token. I think in theory the RFC does allow refresh_token as subject type but I’m not sure how common this is in practice. I believe I ran into something similar while working on a very simple custom IDP. If the IDP can’t be configured to allow refresh token as subject_token_type during token-exchange than you may need to disable that grant type at your IDP to prevent the Ziti client from trying it and instead fall back to standard refresh_token grant type. Again, not 100% of this, just speculating.

Per: Configuring and using token exchange - Keycloak

subject_token_type

REQUIRED. This parameter is the type of the token passed in the subject_token parameter. This must be urn:ietf:params:oauth:token-type:access_token when the standard token exchange is being used because Keycloak does not support other types for the standard token exchange.

I have had similar experiences. I'm trying to narrow down how and when it happens. Our internal chat tool is a self-hosted mattermost. I setup ext-jwt-auth to that identity using Auth0. I have my own test network where I have http-based resources that uses my own self-hosted keycloak 26.

The mattermost network is solid and doesn't end up having the same behavior you are noticing. It was connected all day. The keycloak instance seems to fail after five minutes for me too by the UI informing me that I need to auth, but the app itself is happy and I'm still actually connected to my http-based resource. The only thing that comes to mind is that the websocket/persistent connection mattermost has somehow makes a difference or the Auth0 tokens somehow are different. There's a lot to debug so it'll probably take a bit to get down to paydirt here. Also during the debugging I noticed that 300/1799 token refresh.

I'm going to keep looking into it as I can. If you can narrow anything down on your side that would be useful, maybe stand up a keycloak25 at least to rule out (or confirm) the upgrade causing any issue? My keycloak is also 26 now so it's possible that it's somehow keycloak related. We have made an update to obtain a new access token sooner than 1s before expiration. It could be that one second was just too close and causing issues too.

I'll keep coming back to this as I can, it certainly seems like some kind of issue to me.

@blup66 yes, if a refresh token is returned during the PKCE flow, that refresh token will be used to refresh an access token at the provided interval. If no refresh token is supplied ziti will force you to re-auth via the idp to get a new access token as that's all we can do.

I think it might be possible but on keycloak 26 I need client authentication to be able to choose to allow refresh token in standard token exchange.

Hello Hello

I have the exact same problem with Keycloak V26.4. From the version V26.xx ( i don’t know the exact version ) you have to enable the "standard exchange token," and this is only available if you enable client authentication. Unfortunately, with ziti-edge-tunnel, it is not possible to specify the client secret, so it does not work.
Is there a workaround, and would it be possible to add this feature?
without this it’s not possible to use the OIDC with Keycloak

image910×400 25.9 KB

2025-11-05 11:45:29,781 WARN [org.keycloak.events] (executor-thread-17) type="TOKEN_EXCHANGE_ERROR", realmId="realmtest", realmName="realmtest", clientId="openziti-client", userId="null", ipAddress="192.168.1.23", error="invalid_request", reason="Standard token exchange is not enabled for the requested client", auth_method="token_exchange", grant_type="urn:ietf:params:oauth:grant-type:token-exchange", client_auth_method="client-secret"

Hi @Opi, welcome to the community and to OpenZiti!

No, this is very unlikely to a feature we support as it would require a client secret to be deployed to each edge client and that's not a security issue but it'd be a pain to manage.

You should only enable the standard flow. I use Keycloak 26.3.4 and it works fine. I expect you have somehow misconfigured your external signer within openziti (which is easy enough to do).

Using a client id and secret it unlikely to be added to the edge clients.

Hi,

Would you mind sharing your keycloak and ziti setup because I am still having the same issue as Opi. The only workaround I found is to increase the Access token expiry from the realm default to something like 8hours.

Are you referring to the problem where the UI shows up as needing to be authorized or are you referring to needing to enable standard token exchange? You can see I only have standard (and direct) enabled

image734×388 18.5 KB

more below if relevant?

I can give you "all the steps". I have a pet script out on my personal github here

It's... It's a lot of bash to look at....

I would think you could just look at

• this script that uses kcadm to setup keycloak
• then maybe this block of ziti cli commands to make the signer?

Here's the json for my ext jwt signer:

{
  "name": "keycloak",
  "audience": "browzerBootstrapClient",
  "issuer": "https://keycloak.zrok.clint.demo.openziti.org:8446/realms/zitirealm",
  "clientId": "browzerBootstrapClient",
  "claimsProperty": "email",
  "enabled": true,
  "useExternalId": true,
  "kid": "",
  "externalAuthUrl": "https://keycloak.zrok.clint.demo.openziti.org:8446/realms/zitirealm",
  "scopes": [
    "email",
    "profile"
  ],
  "tags": {},
  "jwksEndpoint": "https://keycloak.zrok.clint.demo.openziti.org:8446/realms/zitirealm/protocol/openid-connect/certs",
  "targetToken": "ACCESS",
  "id": "7cBXRKi4QQAiSpEJJR1ysJ"
}

And a screen shot of that

image1113×981 77.6 KB

Hello, thank you very much for this information.

Unfortunately, it does not help me in my case.

I am using the ziti-client-tunnel with certificate authentication in the first phase and OIDC authentication in the second phase.

I do not understand how you enroll the client for oidc.... it's maybe the problem

Here is how I did it on my end:

1: Create new identity with certificate

./ziti pki create client \
--pki-root="./pki" \
--ca-name=$ca_name \
--client-name=$client_name \
--client-file=$client_name

2: Enroll client:

./ziti edge enroll -v \
--cert "./pki/$ca_name/certs/${client_name}.cert" \
--key "./pki/$ca_name/keys/${client_name}.key" \
--jwt "./pki/$ca_name/${client_name}.jwt" \
--out "./pki/$ca_name/keys/${client_name}.json"

With this, the tunnel is working

sudo ziti-edge-tunnel run -i /home/user/tunnel/client1.json

In the auth-policy, I only specified authentication with a certificate.

Now on the client, I enable CA primary and OIDC authentication as secondary

I saw in another post that you were going to download the JWT from the ZAC page - JWT SIGNER.

image1705×547 67.4 KB

And now i enroll the client1 with this ext JWT

sudo ziti-edge-tunnel enroll --jwt ext-ctrl.jwt -i client1-ext.json
(69960)[ 0.000] INFO ziti-sdk:utils.c:196 ziti_log_set_level() set log level: root=3/INFO
(69960)[ 0.000] INFO ziti-sdk:utils.c:165 ziti_log_init() Ziti C SDK version 1.8.5 @gca0d903gca0d903gca0d903gca0d903gca0d903gca0d903gca0d903gca0d903(HEAD) starting at (2025-11-07T13:32:34.377)
(69960)[ 0.000] INFO ziti-sdk:ziti_enroll.c:112 ziti_enroll() Ziti C SD@gca0d903 versio@gca0d903gca0d903 1.8.5 @gca0d903gca0d903(HEAD) starting enrollment at (2025-11-07T13:32:34.377)
(69960)[ 0.000] INFO ziti-sdk:ziti_ctrl.c:637 ziti_ctrl_init() ctrl[https://xxx.xxx.xx:443/\\\\\] controller initialized
(69960)[ 0.000] INFO ziti-sdk:ziti_ctrl.c:637 ziti_ctrl_init() ctrl[https://xxx.xxx.xx:443/\\\\\] controller initialized
(69960)[ 0.000] WARN ziti-sdk:ziti_ctrl.c:336 internal_version_cb() ctrl ziti context is disabled(operation canceled)

I run the tunnel: ( with the json given by CA enrollement )

sudo ziti-edge-tunnel run -i /home/user/tunnel/client1.json

And i run the ext

sudo ziti-edge-tunnel ext-jwt-login -i /home/user/tunnel/client1-ext.json -p keycloak

Here i have a error

{
"Success":false,
"Error":"ziti context not found",
"Code":500
}

Now i try to use the json generated with CA enrollement. It’s mutch better but the authentication failed ( AUTH INVALID)

sudo ziti-edge-tunnel ext-jwt-login -i /home/user/tunnel/client1.json -p keycloak | jq -r '.Data.url' | xargs xdg-open

Error:

image622×156 11 KB

(73902)[ 136.754] INFO tunnel-cbs:ziti_tunnel_ctrl.c:1128 on_ziti_event() ztx[/home/user/tunnel/exo_client1.json//home/user/tunnel/client1.json] ext auth event received
(73902)[ 136.754] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:804 on_event() ztx[/home/user/tunnel/exo_client1.json] ext auth: login_with_ext_signer
(73902)[ 145.022] INFO ziti-sdk:oidc.c:416 request_token() requesting token path[https://sso.xxx.xx/realms/test/protocol/openid-connect/token\\\\\] auth[4b56173e-b147-4827-a1d1-e679797f2ba5.371f4524-9910-4adf-bed6-a4cadb6117ff.10b32b96-15af-4430-965a-0d8fdde7c980]
(73902)[ 145.111] WARN ziti-sdk:ziti_ctrl.c:815 verify_api_session() ctrl[https://sso.xxx.xx:443/edge/client/v1\\\\\] no API session
(73902)[ 145.111] WARN ziti-sdk:legacy_auth.c:183 login_cb() failed to login to ctrl[https://sso.xxx.xx/:443/edge/client/v1\\\\\] UNAUTHORIZED[-14] no api session token set for ziti_controller
(73902)[ 145.111] WARN tunnel-cbs:ziti_tunnel_ctrl.c:1018 on_ziti_event() ziti_ctx controller connections failed: failed to authenticate
(73902)[ 145.111] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:460 on_event() ztx[/home/user/tunnel/client1.json] context event : status is failed to authenticate
(73902)[ 145.111] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:514 on_event() ztx[/home/user/tunnel/client1.json] failed to connect to controller due to failed to authenticate

Do you see the error ?

Hi @Opi, you have a lot in this post. Let's level-set? It sounds like you want to use certificate-based auth for primary auth and oidc for secondary auth? Is that the end goal? That's how i read your post. I tested that myself but it didn't appear to work for me either. I'll talk to the team and see if we can confirm it's a bug or if I tested it wrong myself.

Hi,

Yes correct, i want to use certificat-based for primary and OIDC for secondary

My auth Policy

{
"name": "2fa",
"primary": {
"cert": {
"allowExpiredCerts": true,
"allowed": true
},
"extJwt": {
"allowed": false,
"allowedSigners": [
"5VhSXwAdVBSg4XWR4hyw0Q"
]
},
"updb": {
"allowed": false,
"lockoutDurationMinutes": 0,
"maxAttempts": 0,
"minPasswordLength": 5,
"requireMixedCase": false,
"requireNumberChar": false,
"requireSpecialChar": false
}
},
"secondary": {
"requireExtJwtSigner": "5VhSXwAdVBSg4XWR4hyw0Q",
"requireTotp": false
},
"tags": {}
}

And this is the error on the controller side:

{"authMethod":"ext-jwt","authPolicyId":"3jTdVa2wfDTqBevNlgDJzf","error":"primary external jwt processing failed on authentication policy [3jTdVa2wfDTqBevNlgDJzf]: primary external jwt authentication on auth policy is disabled","expectedAudience":"openziti","extJwtSignerId":"5VhSXwAdVBSg4XWR4hyw0Q","file":"github.com/openziti/ziti/controller/model/authenticator_mod_ext_jwt.go:88","func":"github.com/openziti/ziti/controller/model.(*candidateResult).LogResult","identityId":"UVtC98eZL7","issuer":"https://xxx.xx.xx/realms/cybx","level":"error","msg":"failed to validate candidate JWT at index 0","time":"2025-11-07T15:00:47.357Z","tokenAudiences":"openziti,gitlab,account"}
{"authMethod":"ext-jwt","file":"github.com/openziti/ziti/controller/model/authenticator_mod_ext_jwt.go:422","func":"github.com/openziti/ziti/controller/model.(*AuthModuleExtJwt).process","level":"error","msg":"encountered 1 candidate JWTs and all failed to validate for primary authentication, see the following log messages","time":"2025-11-07T15:00:57.360Z"}

Hello,

More information about this ?
Thx a lot

We have been testing the situation and as I recall it was found to be a bug. We're working through fixing that bug but there's a lot of things happening lately.

I think when this issue closes, the next release of the ZDEW with that sdk version should work. Secondary Auth via ext-jwt-signer fails · Issue #919 · openziti/ziti-sdk-c · GitHub