Description

We could provide new SPIs like a TokenExchangePolicyProvider and an ImpersonationPolicyProvider to enable developers to define their own token-exchange / impersonation policies without requiring the use of the Authorization Services.

We could provide default implementations that use the Authorization Service as they are currently used now to ensure backwards compatibility. Users with specific needs can then use their own implementations.

Discussion

No response

Motivation

Currently, the token-exchange and impersonation functionality heavily relies on the Authorization Services and Fine Grained Authorization (also a preview feature). Even though the Authorization Services have potent capabilities, they still need to be simplified and easier to use.

A more straightforward way of configuring token-exchange and impersonation "policies" is in high demand.

Details

No response