You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In a nutshell, the grant type involves the following steps:
Exchanging a token
This uses a new grant type of urn:ietf:params:oauth:grant-type:token-exchange and allows the requester to identify and authenticate themselves. Here, API1 is swapping the token it received for access to API2.
The subject token is the token sent by the client application, delegated by the user. Since this token was delegated using OAuth, the subject token type is urn:ietf:params:oauth:token-type:access_token (an access token).
POST /tokenHost: auth.example.comContent-Type: application/x-www-form-urlencodedgrant_type=urn:ietf:params:oauth:grant-type:token-exchange&client_id=api1&client_secret=secret&scope=api2&subject_token=accVkjcJyb4BWCxGsndESCJQbdFMogUC5PbRDqceLTC&subject_token_type=urn:ietf:params:oauth:token-type:access_token
Token exchange response
The token response for token exchange is then slightly different than what you are used to:
The issued_token_type tells API1 (now acting as a client application) that it has sent back an access token. This allows API1 to understand how to use the token it has just received. In this case, it’s an access token that it can use to access a protected resource (API2).
The access token
The initial token was delegated by user, to the client application app, and you’re still acting on their behalf. But, by using the act claim set, you can show that api1 is the current actor. At the very least, this would be valuable for audit trials.
In addition to the act claim type, the Authorized Actor claim type (may_act) allows you to explicitly state who is allowed to act on someone’s behalf. For instance, if you wanted to explicitly state that api1 is authorized to act on app’s behalf, then the original access token API1 receives, may look like:
Now, when validating a token exchange request, the authorization server can check that the subject token has this may_act and that it includes the ID of the token exchange requester.
Use Cases
Token Exchange is great for API-to-API delegation, stuff like customer service acting on behalf of a customer, and preserving clear audit trails across services, as well as checking that zero trust checkbox on your compliance terms thoroughly.
I would love to see token exchange being implemented in oauth2-server, and subsequently in Laravel Passport. I have quite a bit of experience working with OAuth in PHP and would like to contribute to this, if there's any interest in implementing that grant type.
The text was updated successfully, but these errors were encountered:
In the mean time, I've actually implemented the grant type in our production authorisation server, and it's pretty straight forward.
What I'm unsure about is how to generalise the conditions to issue a token - the exchange grant is meant to be flexible and tightly integrated with application logic; but that could be worked out, I think.
Definitely interested in an implementation. The problem I have just now is trying to get a new main version out which is unfortunately taking up most of my time but would welcome a PR. I just can't promise it will get merged in too quickly unfortunately as it will definitely miss v9.
Token exchange is a new grant type defined by the IETF providing support for impersonation and delegation scenarios, such as the following:
Illustration by Scott Brady
In a nutshell, the grant type involves the following steps:
Exchanging a token
This uses a new grant type of
urn:ietf:params:oauth:grant-type:token-exchange
and allows the requester to identify and authenticate themselves. Here, API1 is swapping the token it received for access to API2.The subject token is the token sent by the client application, delegated by the user. Since this token was delegated using OAuth, the subject token type is
urn:ietf:params:oauth:token-type:access_token
(an access token).Token exchange response
The token response for token exchange is then slightly different than what you are used to:
The
issued_token_type
tells API1 (now acting as a client application) that it has sent back an access token. This allows API1 to understand how to use the token it has just received. In this case, it’s an access token that it can use to access a protected resource (API2).The access token
The initial token was delegated by user, to the client application app, and you’re still acting on their behalf. But, by using the
act
claim set, you can show thatapi1
is the current actor. At the very least, this would be valuable for audit trials.In addition to the
act
claim type, the Authorized Actor claim type (may_act
) allows you to explicitly state who is allowed to act on someone’s behalf. For instance, if you wanted to explicitly state thatapi1
is authorized to act onapp
’s behalf, then the original access token API1 receives, may look like:Now, when validating a token exchange request, the authorization server can check that the subject token has this may_act and that it includes the ID of the token exchange requester.
Use Cases
Token Exchange is great for API-to-API delegation, stuff like customer service acting on behalf of a customer, and preserving clear audit trails across services, as well as checking that zero trust checkbox on your compliance terms thoroughly.
I would love to see token exchange being implemented in oauth2-server, and subsequently in Laravel Passport. I have quite a bit of experience working with OAuth in PHP and would like to contribute to this, if there's any interest in implementing that grant type.
The text was updated successfully, but these errors were encountered: