Able to bypass this error when I select SignInWith Google instead of just SignIn.
Wondering if there is any way to get an access token for an account which cannot be Google-linked. Let's say I want to sign in to Keycloak with my icloud.com account and want to perform a google-token-exchange for it, so I can get a Google access token for that iCloud account.
I cloned the repo. Started the server on localhost. Imported the realm. Created a user in Users. Generated a new client ID and secret for Keycloak. Added a new client ID and secret for Google from my Google console. Got the access token from Keycloak with the step shown in https://youtu.be/LMiS9OYBooI?t=932 . After getting the access_token, I tried exchanging it for a Google access token, but got the error from Postman as follows:
Response:
{
  "error_description": "identity provider is not linked",
  "account-link-url": "http://localhost:8080/realms/czetsuyatech/broker/google/link?nonce=754af160-297a-4f9a-a5c7-4433323b409b&hash=vN9n9xo6UwZ4gz6p010XIgO186lHZNQO-0Q6MX5EJZc&client_id=web-front",
  "error": "not_linked"
}
My Postman request was this:
curl --location 'http://localhost:8080/realms/czetsuyatech/protocol/openid-connect/token' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=web-front' \
  --data-urlencode 'client_secret=wctUSTlUEJvDfSKW0FJXlYqJ124oArDF' \
  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
  --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token' \
  --data-urlencode 'requested_issuer=google' \
  --data-urlencode 'subject_token=<Keycloak access token>' \
  --data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token'
From the Docker logs I see the following error/warning:
[org.keycloak.events] (executor-thread-122) type=TOKEN_EXCHANGE_ERROR, realmId=1bfbd22e-5514-407e-9482-c1d4dc7c2646, clientId=web-front, userId=null, ipAddress=192.168.65.1, error=invalid_token, reason='requested_issuer is not linked', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, requested_issuer=google, client_auth_method=client-secret
Any idea what I am missing?
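The `not_linked` response quoted above carries an `account-link-url`; Keycloak's token-exchange documentation describes appending a `redirect_uri` query parameter to it and sending the browser there to link the account. The following is an added example, not code from this issue or the repository, showing a client that classifies the exchange response and only follows the link when it points at its own realm; the helper name, the `redirect_uri` value and the placeholder nonce/hash are assumptions.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample modelled on the error body quoted in the issue
# (nonce and hash are placeholders, not real values).
SAMPLE_ERROR = json.dumps({
    "error_description": "identity provider is not linked",
    "account-link-url": "http://localhost:8080/realms/czetsuyatech/broker/google/link"
                        "?nonce=NONCE-PLACEHOLDER&hash=HASH-PLACEHOLDER&client_id=web-front",
    "error": "not_linked",
})


def handle_exchange_response(body, keycloak_base, realm, provider, redirect_uri):
    """Classify a token-exchange response (hypothetical helper).

    Returns ("token", access_token), ("link", url_to_open_in_browser)
    or ("error", description).
    """
    data = json.loads(body)
    if "access_token" in data:
        return ("token", data["access_token"])
    if data.get("error") != "not_linked":
        # e.g. token_expired: re-authenticate instead of linking.
        return ("error", data.get("error_description", data.get("error", "unknown")))

    link = urlsplit(data.get("account-link-url", ""))
    base = urlsplit(keycloak_base)
    expected_path = f"/realms/{realm}/broker/{provider}/link"
    # Follow the link only if it points back at our own Keycloak realm and
    # provider, so a tampered response cannot redirect the user elsewhere.
    if (link.scheme, link.netloc, link.path) != (base.scheme, base.netloc, expected_path):
        return ("error", "account-link-url does not match the expected Keycloak endpoint")

    # Keep Keycloak's nonce, hash and client_id; append our redirect_uri.
    query = parse_qsl(link.query, keep_blank_values=True)
    query.append(("redirect_uri", redirect_uri))
    return ("link", urlunsplit(link._replace(query=urlencode(query))))


if __name__ == "__main__":
    print(handle_exchange_response(SAMPLE_ERROR, "http://localhost:8080",
                                   "czetsuyatech", "google",
                                   "http://localhost:3000/linked"))
```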