Deploying to main from @ 98e697377d4f524953b6b1141f0c695b12b8f0c4 🚀

Author: mposolda

2025/05/standard-token-exchange-kc-26-2.html

@@ -0,0 +1,174 @@
+
+<!doctype html>
+<html lang="en" prefix="og: https://ogp.me/ns#">
+<head>
+<script async src="https://www.googletagmanager.com/gtag/js?id=G-0J2P9316N6"></script>
+<script>
+window.dataLayer = window.dataLayer || [];
+function gtag(){dataLayer.push(arguments);}
+gtag('js', new Date());
+gtag('config', 'G-0J2P9316N6');
+</script>
+<meta charset="utf-8"/>
+<title>Standard Token Exchange is now officially supported in Keycloak 26.2 - Keycloak</title>
+<meta name="twitter:card" content="summary_large">
+<meta name="twitter:site" content="@keycloak">
+<meta property="og:site_name" content="Keycloak">
+<meta property="og:title" content="Standard Token Exchange is now officially supported in Keycloak 26.2">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta name="description" property="og:description" content="Keycloak 26.2 brings Token Exchange out of preview with an officially supported version compliant with OAuth 2.0 Token Exchange specification.">
+<meta name="author" content="Giuseppe Graziano">
+<meta name="keywords" content="sso,idm,openid connect,saml,kerberos,ldap">
+<link href="https://www.keycloak.org/resources/bootstrap/dist/css/bootstrap.min.css" rel="stylesheet">
+<link href="https://www.keycloak.org/resources/@fortawesome/fontawesome-free/css/all.min.css" rel="stylesheet">
+<link href="https://www.keycloak.org/resources/css/keycloak.css" rel="stylesheet">
+<link rel="canonical" href="https://www.keycloak.org/2025/05/standard-token-exchange-kc-26-2">
+<meta property="og:url" content="https://www.keycloak.org/2025/05/standard-token-exchange-kc-26-2">
+<link rel="shortcut icon" href="https://www.keycloak.org/resources/favicon.ico">
+<script src="https://www.keycloak.org/resources/bootstrap/dist/js/bootstrap.min.js" type="text/javascript"></script>
+<script src="https://www.keycloak.org/resources/tocbot/dist/tocbot.min.js" type="text/javascript"></script>
+<link rel="alternate" type="application/rss+xml" title="Keycloak's Blog" href="https://www.keycloak.org/rss.xml">
+<script type="application/ld+json">
+{"@context":"https://schema.org/","@type":"BlogPosting","@id":"https://www.keycloak.org/2025/05/standard-token-exchange-kc-26-2","headline":"Standard Token Exchange is now officially supported in Keycloak 26.2","name":"Standard Token Exchange is now officially supported in Keycloak 26.2","datePublished":"2025-05-26T08:00:00Z","inLanguage":"en","abstract":"Keycloak 26.2 brings Token Exchange out of preview with an officially supported version compliant with OAuth 2.0 Token Exchange specification.","url":"https://www.keycloak.org/2025/05/standard-token-exchange-kc-26-2","publisher":{"@type":"Organization","@id":"https://keycloak.org","name":"Keycloak"},"author":[{"@type":"Person","name":"Giuseppe Graziano"}]}
+</script></head>
+<body>
+
+<header class="navbar navbar-expand-md bg-light shadow-sm">
+<nav class="container-xxl flex-wrap flex-md-no-wrap navbar-light" data-nosnippet>
+    <a class="navbar-brand me-3 me-md-4 me-lg-5" href="https://www.keycloak.org/">
+        <img class="img-fluid" src="https://www.keycloak.org/resources/images/logo.svg" width="240" alt="Keycloak"/>
+    </a>
+    <a class="nav-link d-none d-sm-block d-md-none d-lg-block" href="https://github.com/keycloak/keycloak"><img src="https://img.shields.io/github/stars/keycloak/keycloak?label=GitHub%20Stars" style="height: 25px" alt="GitHub stars"/></a>
+    <a class="nav-link d-block d-sm-none d-md-block d-lg-none" href="https://github.com/keycloak/keycloak"><img src="https://img.shields.io/github/stars/keycloak/keycloak?label=" style="height: 25px" alt="GitHub stars"/></a>
+    <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
+      <span class="fa fa-bars fa-lg px-1 py-2"></span>
+    </button>
+    <div class="collapse navbar-collapse" id="navbarCollapse">
+      <ul class="navbar-nav flex-row flex-wrap bd-navbar-nav pt-2 py-md-0">
+        <li class="nav-item col-6 col-md-auto">
+          <a class="nav-link " href="https://www.keycloak.org/guides">Guides</a>
+        </li>
+        <li class="nav-item col-6 col-md-auto">
+          <a class="nav-link " href="https://www.keycloak.org/documentation">Docs</a>
+        </li>
+        <li class="nav-item col-6 col-md-auto">
+          <a class="nav-link " href="https://www.keycloak.org/downloads">Downloads</a>
+        </li>
+        <li class="nav-item col-6 col-md-auto">
+          <a class="nav-link " href="https://www.keycloak.org/community">Community</a>
+        </li>
+        <li class="nav-item col-6 col-md-auto">
+          <a class="nav-link " href="https://www.keycloak.org/blog">Blog</a>
+        </li>
+      </ul>
+    </div>
+</nav>
+</header>
+
+
+<div class="container mt-5 kc-article">
+    <h1>Standard Token Exchange is now officially supported in Keycloak 26.2</h1>
+    <p class="blog-date text-muted">May 26 2025 by Giuseppe Graziano</p>
+
+
+<div class="paragraph">
+<p>The Token Exchange feature has been available in Keycloak for a long time, but only as a preview feature. With the release of
+<strong>Keycloak 26.2</strong>, we&#8217;re happy to share that <strong>Standard Token Exchange is now officially supported</strong> and fully compliant with <a href="https://datatracker.ietf.org/doc/html/rfc8693">OAuth 2.0 Token Exchange (RFC 8693)</a>.</p>
+</div>
+<div class="sect1">
+<h2 id="_what_is_token_exchange">What is Token Exchange? 🔄</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>Token Exchange is a mechanism that allows a client to exchange one token for another. In the context of Keycloak, this means a client can exchange a token originally issued for another client and receive a new token issued specifically for itself.</p>
+</div>
+<div class="paragraph">
+<p>Token Exchange is especially helpful in these scenarios:</p>
+</div>
+<div class="sect2">
+<h3 id="_different_audience">🎯 Different Audience</h3>
+<div class="paragraph">
+<p>When a token was issued for one service but needs to be used to access another, Token Exchange can issue a new token with the appropriate audience.</p>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_scoped_permissions">🔐 Scoped Permissions</h3>
+<div class="paragraph">
+<p>If a client needs to access a service with more limited permissions, it can exchange its token for one with reduced or more specific scopes.</p>
+</div>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="_whats_new">What&#8217;s new? 🆕</h2>
+<div class="sectionbody">
+<div class="ulist">
+<ul>
+<li>
+<p>✅ Official support (no longer a preview feature)</p>
+</li>
+<li>
+<p>📘 Compliance with RFC 8693 (OAuth 2.0 Token Exchange)</p>
+</li>
+<li>
+<p>🖱️ Simple configuration via the Admin Console (just a switch in client settings)</p>
+</li>
+<li>
+<p>🛡️ Integration with Client Policies to enforce custom rules. You can restrict exchanges to specific clients, or deny exchanges based on requested scopes.</p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="_how_to_get_started">How to get started 🚀</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>If you&#8217;re using Keycloak 26.2 or later, there&#8217;s nothing extra to enable. Token Exchange is ready to use, just open the client settings in the admin console and enable the dedicated switch.</p>
+</div>
+<div class="paragraph">
+<p>If you&#8217;re still using the preview feature of token exchange, check the <a href="https://www.keycloak.org/docs/latest/upgrading/index.html#supported-standard-token-exchange">migration guide</a> and the <a href="https://www.keycloak.org/securing-apps/token-exchange#_standard-token-exchange-comparison">comparison</a> to understand the differences and plan your migration.</p>
+</div>
+<div class="paragraph">
+<p>📄 For full setup instructions and configuration details, refer to the <a href="https://www.keycloak.org/securing-apps/token-exchange#_standard-token-exchange">official documentation</a>.</p>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="_whats_next">What’s next? 🔍</h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>We’re continuing to expand Token Exchange support with future enhancements such as:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>🔄 Exchanging tokens issued by external identity providers</p>
+</li>
+<li>
+<p>👤 Using token exchange to impersonate users</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>Stay tuned for updates in upcoming releases.</p>
+</div>
+<hr>
+<div class="paragraph">
+<p>We’d love to hear what you think about this feature and how we can improve it. Feedback and contributions from the community are always welcome.</p>
+</div>
+</div>
+</div></div>
+
+
+<div class="container mt-5" data-nosnippet>
+    <footer class="py-3 my-4 border-top">
+        <p class="text-center text-muted">Keycloak is a Cloud Native Computing Foundation incubation project</p>
+        <div class="text-center">
+            <img alt="Cloud Native Computing Foundation" src="https://www.keycloak.org/resources/images/cncf_logo.png"/>
+        </div>
+        <p class="mt-4 text-center small text-muted">&copy; Keycloak Authors 2025. &copy; 2025 The Linux Foundation. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage">Trademark Usage page</a>.</p>
+    </footer>
+</div>
+
+</body>
+</html>

blog-archive.html

@@ -84,6 +84,11 @@ <h2>2025</h2>
 
             <h3>May</h3>
 
+        <ul>
+            <li><a href="https://www.keycloak.org/2025/05/standard-token-exchange-kc-26-2">Standard Token Exchange is now officially supported in Keycloak 26.2</a></li>
+        </ul>
+
+
         <ul>
             <li><a href="https://www.keycloak.org/2025/05/hitachi-case-study">Hitachi Keycloak case study published</a></li>
         </ul>

blog.html

@@ -66,6 +66,23 @@
 <div class="jumbotron jumbotron-fluid bg-light kc-bg-triangles pt-4 pb-2">
     <div class="container">
         <div class="row">
+        <div class="col-sm-6">
+            <div class="card shadow-sm mb-4">
+                <div class="card-body">
+                    <h4 class="card-title" >
+                        Standard Token Exchange is now officially supported in Keycloak 26.2
+                    </h4>
+                    <div class="card-text">Keycloak 26.2 brings Token Exchange out of preview with an officially supported version compliant with OAuth 2.0 Token Exchange specification.</div>
+                    <a href="https://www.keycloak.org/2025/05/standard-token-exchange-kc-26-2" class="stretched-link link-dark"></a>
+                </div>
+                <div class="card-footer align-items-center d-flex">
+                    <span class="card-subtitle fs-xsmall text-muted">
+                        26 May 2025
+                        by Giuseppe Graziano
+                    </span>
+                </div>
+            </div>
+        </div>
         <div class="col-sm-6">
             <div class="card shadow-sm mb-4">
                 <div class="card-body">
@@ -182,23 +199,6 @@ <h4 class="card-title" style="margin-bottom:0">
                 </div>
             </div>
         </div>
-        <div class="col-sm-6">
-            <div class="card shadow-sm mb-4">
-                <div class="card-body">
-                    <h4 class="card-title" >
-                        Announcing Keycloak's Identity Summit: KEYCONF25
-                    </h4>
-                    <div class="card-text">Join us in Amsterdam on August 28th, 2025 for an even bigger event than last year!</div>
-                    <a href="https://www.keycloak.org/2025/04/keyconf25-amsterdam-announce" class="stretched-link link-dark"></a>
-                </div>
-                <div class="card-footer align-items-center d-flex">
-                    <span class="card-subtitle fs-xsmall text-muted">
-                        28 April 2025
-                        by Nathalia Pinesi
-                    </span>
-                </div>
-            </div>
-        </div>
         </div>
         <div class="row">
             <div class="col">

extensions.html

@@ -137,7 +137,7 @@ <h5 class="card-title">BundID Integration</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span>15 stars</span>
+                                        <span>16 stars</span>
                                     </div>
                                 </div>
                         </div>
@@ -419,7 +419,7 @@ <h5 class="card-title">Magic Link Login</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span>293 stars</span>
+                                        <span>294 stars</span>
                                     </div>
                                 </div>
                         </div>

index.html

@@ -96,13 +96,13 @@ <h1 class="fs-xlarge">Open Source Identity and Access Management</h1>
     <div class="row">
         <div class="col-md-1 col-sm-12 fw-bold">News</div>
         <div class="col">
-            <span class="badge bg-secondary">19 May</span> <a href="https://www.keycloak.org/2025/05/hitachi-case-study">Hitachi Keycloak case study published</a>
+            <span class="badge bg-secondary">26 May</span> <a href="https://www.keycloak.org/2025/05/standard-token-exchange-kc-26-2">Standard Token Exchange is now officially supported in Keycloak 26.2</a>
         </div>
         <div class="col">
-            <span class="badge bg-secondary">18 May</span> <a href="https://www.keycloak.org/2025/05/send-mails-xoauth-26-2">Secure email delivery with XOAUTH2</a>
+            <span class="badge bg-secondary">19 May</span> <a href="https://www.keycloak.org/2025/05/hitachi-case-study">Hitachi Keycloak case study published</a>
         </div>
         <div class="col">
-            <span class="badge bg-secondary">15 May</span> <a href="https://www.keycloak.org/2025/05/opentalk-case-study">OpenTalk Keycloak case study published</a>
+            <span class="badge bg-secondary">18 May</span> <a href="https://www.keycloak.org/2025/05/send-mails-xoauth-26-2">Secure email delivery with XOAUTH2</a>
         </div>
     </div>
 </div>

rss.xml

@@ -8,6 +8,101 @@
   <description>Keycloak Blog</description>
   <language>en-us</language>
   <category>Keycloak/SSO/Identity and Access Management</category>
+      <item>
+        <title>Standard Token Exchange is now officially supported in Keycloak 26.2</title>
+        <link>https://www.keycloak.org/2025/05/standard-token-exchange-kc-26-2</link>
+        <description>&lt;div class=&quot;paragraph&quot;&gt;
+&lt;p&gt;The Token Exchange feature has been available in Keycloak for a long time, but only as a preview feature. With the release of
+&lt;strong&gt;Keycloak 26.2&lt;/strong&gt;, we&amp;#8217;re happy to share that &lt;strong&gt;Standard Token Exchange is now officially supported&lt;/strong&gt; and fully compliant with &lt;a href=&quot;https://datatracker.ietf.org/doc/html/rfc8693&quot;&gt;OAuth 2.0 Token Exchange (RFC 8693)&lt;/a&gt;.&lt;/p&gt;
+&lt;/div&gt;
+&lt;div class=&quot;sect1&quot;&gt;
+&lt;h2 id=&quot;_what_is_token_exchange&quot;&gt;What is Token Exchange? 🔄&lt;/h2&gt;
+&lt;div class=&quot;sectionbody&quot;&gt;
+&lt;div class=&quot;paragraph&quot;&gt;
+&lt;p&gt;Token Exchange is a mechanism that allows a client to exchange one token for another. In the context of Keycloak, this means a client can exchange a token originally issued for another client and receive a new token issued specifically for itself.&lt;/p&gt;
+&lt;/div&gt;
+&lt;div class=&quot;paragraph&quot;&gt;
+&lt;p&gt;Token Exchange is especially helpful in these scenarios:&lt;/p&gt;
+&lt;/div&gt;
+&lt;div class=&quot;sect2&quot;&gt;
+&lt;h3 id=&quot;_different_audience&quot;&gt;🎯 Different Audience&lt;/h3&gt;
+&lt;div class=&quot;paragraph&quot;&gt;
+&lt;p&gt;When a token was issued for one service but needs to be used to access another, Token Exchange can issue a new token with the appropriate audience.&lt;/p&gt;
+&lt;/div&gt;
+&lt;/div&gt;
+&lt;div class=&quot;sect2&quot;&gt;
+&lt;h3 id=&quot;_scoped_permissions&quot;&gt;🔐 Scoped Permissions&lt;/h3&gt;
+&lt;div class=&quot;paragraph&quot;&gt;
+&lt;p&gt;If a client needs to access a service with more limited permissions, it can exchange its token for one with reduced or more specific scopes.&lt;/p&gt;
+&lt;/div&gt;
+&lt;/div&gt;
+&lt;/div&gt;
+&lt;/div&gt;
+&lt;div class=&quot;sect1&quot;&gt;
+&lt;h2 id=&quot;_whats_new&quot;&gt;What&amp;#8217;s new? 🆕&lt;/h2&gt;
+&lt;div class=&quot;sectionbody&quot;&gt;
+&lt;div class=&quot;ulist&quot;&gt;
+&lt;ul&gt;
+&lt;li&gt;
+&lt;p&gt;✅ Official support (no longer a preview feature)&lt;/p&gt;
+&lt;/li&gt;
+&lt;li&gt;
+&lt;p&gt;📘 Compliance with RFC 8693 (OAuth 2.0 Token Exchange)&lt;/p&gt;
+&lt;/li&gt;
+&lt;li&gt;
+&lt;p&gt;🖱️ Simple configuration via the Admin Console (just a switch in client settings)&lt;/p&gt;
+&lt;/li&gt;
+&lt;li&gt;
+&lt;p&gt;🛡️ Integration with Client Policies to enforce custom rules. You can restrict exchanges to specific clients, or deny exchanges based on requested scopes.&lt;/p&gt;
+&lt;/li&gt;
+&lt;/ul&gt;
+&lt;/div&gt;
+&lt;/div&gt;
+&lt;/div&gt;
+&lt;div class=&quot;sect1&quot;&gt;
+&lt;h2 id=&quot;_how_to_get_started&quot;&gt;How to get started 🚀&lt;/h2&gt;
+&lt;div class=&quot;sectionbody&quot;&gt;
+&lt;div class=&quot;paragraph&quot;&gt;
+&lt;p&gt;If you&amp;#8217;re using Keycloak 26.2 or later, there&amp;#8217;s nothing extra to enable. Token Exchange is ready to use, just open the client settings in the admin console and enable the dedicated switch.&lt;/p&gt;
+&lt;/div&gt;
+&lt;div class=&quot;paragraph&quot;&gt;
+&lt;p&gt;If you&amp;#8217;re still using the preview feature of token exchange, check the &lt;a href=&quot;https://www.keycloak.org/docs/latest/upgrading/index.html#supported-standard-token-exchange&quot;&gt;migration guide&lt;/a&gt; and the &lt;a href=&quot;https://www.keycloak.org/securing-apps/token-exchange#_standard-token-exchange-comparison&quot;&gt;comparison&lt;/a&gt; to understand the differences and plan your migration.&lt;/p&gt;
+&lt;/div&gt;
+&lt;div class=&quot;paragraph&quot;&gt;
+&lt;p&gt;📄 For full setup instructions and configuration details, refer to the &lt;a href=&quot;https://www.keycloak.org/securing-apps/token-exchange#_standard-token-exchange&quot;&gt;official documentation&lt;/a&gt;.&lt;/p&gt;
+&lt;/div&gt;
+&lt;/div&gt;
+&lt;/div&gt;
+&lt;div class=&quot;sect1&quot;&gt;
+&lt;h2 id=&quot;_whats_next&quot;&gt;What’s next? 🔍&lt;/h2&gt;
+&lt;div class=&quot;sectionbody&quot;&gt;
+&lt;div class=&quot;paragraph&quot;&gt;
+&lt;p&gt;We’re continuing to expand Token Exchange support with future enhancements such as:&lt;/p&gt;
+&lt;/div&gt;
+&lt;div class=&quot;ulist&quot;&gt;
+&lt;ul&gt;
+&lt;li&gt;
+&lt;p&gt;🔄 Exchanging tokens issued by external identity providers&lt;/p&gt;
+&lt;/li&gt;
+&lt;li&gt;
+&lt;p&gt;👤 Using token exchange to impersonate users&lt;/p&gt;
+&lt;/li&gt;
+&lt;/ul&gt;
+&lt;/div&gt;
+&lt;div class=&quot;paragraph&quot;&gt;
+&lt;p&gt;Stay tuned for updates in upcoming releases.&lt;/p&gt;
+&lt;/div&gt;
+&lt;hr&gt;
+&lt;div class=&quot;paragraph&quot;&gt;
+&lt;p&gt;We’d love to hear what you think about this feature and how we can improve it. Feedback and contributions from the community are always welcome.&lt;/p&gt;
+&lt;/div&gt;
+&lt;/div&gt;
+&lt;/div&gt;</description>
+        <guid>https://www.keycloak.org/2025/05/standard-token-exchange-kc-26-2</guid>
+        <pubDate>Mon, 26 May 2025 00:00:00 GMT</pubDate>
+        
+        <author>Giuseppe Graziano</author>
+      </item>
       <item>
         <title>Hitachi Keycloak case study published</title>
         <link>https://www.keycloak.org/2025/05/hitachi-case-study</link>