Organization-scoped token exchange

[NikiforovAll]

Status: Not relevant yet

Keycloak does not currently have an organization-specific token exchange flow. The standard token exchange (urn:ietf:params:oauth:grant-type:token-exchange) works as before — organization context is carried via session notes and resolved from requested scopes (e.g., scope=organization:acme-corp).

This issue is a placeholder to track when Keycloak implements dedicated organization-scoped token exchange.

Related

• Keycloak Organizations Epic: Keycloak Organizations keycloak/keycloak#30180
• See organization authorization support issue (linked)

When to revisit

When Keycloak ships organization-scoped roles or dedicated org token exchange endpoints.

[NikiforovAll]

Related: #197 (organization authorization support)

[github-actions]

🤖 This is an automated response from KeyBot.

Thanks for tracking this! You've summarized the current state accurately — Keycloak does not yet have a dedicated organization-scoped token exchange flow. The standard urn:ietf:params:oauth:grant-type:token-exchange grant works as-is, with organization context resolved via session notes and scope=organization:<name> parameters.

When Keycloak eventually ships this capability, here's what this library will likely need:

What to watch for in Keycloak

1. New grant type or scope parameter for requesting an organization-scoped token (tracked in the Keycloak Organizations Epic)
2. Organization-scoped roles in the access token (currently, organization membership lives in organizations claim, not as realm/client roles)
3. Token exchange endpoint changes — new request/response parameters

What the library would need

Once Keycloak ships the feature:

1. Protection API SDK (IKeycloakProtectionClient or a new IKeycloakOrganizationClient) — new method to request an organization-scoped token
2. Authorization handler — similar to ParameterizedProtectedResourceRequirement, but for org-scoped token exchange
3. Minimal API integration — extension like .RequireOrganizationScope("acme-corp")

For now, organization membership/role checks are already supported via RequireOrganizationMembership() and RequireOrganizationRole() (see [organization-authorization docs]((nikiforovall.github.io/redacted) No token exchange is needed for those.

This placeholder is in the right place — revisiting when Keycloak releases org-scoped token exchange support makes sense.

Generated by 🤖 KeyBot. Learn more.

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@1f672aef974f4246124860fc532f82fe8a93a57e