Improve control over audience and scope for token-exchange #31553

@thomasdarimont

Description


Users should be able to perform the following via token-exchange:

  • Reduce the scopes (downscope) of an access token, returning a token with fewer scopes
  • Reduce the audiences (downaudience) of an access token, returning a token with fewer audiences
  • Change the audience (aud) of the target token during token exchange
  • Change the authorized party (azp) of the target token during token exchange

Discussion

#26502

Motivation

The token-exchange feature is used for a lot of different use-cases as the token-exchange use-case discussion showed.

We should make it easier to support the mentioned use-cases in a secure and maintainable way.

Details

Other identity providers, like Curity, give users more control over token-exchange: https://curity.io/docs/idsvr/latest/token-service-admin-guide/oauth-flows/index.html#default-oauth-2-0-token-exchange-behaviour
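A worked model of the four operations listed in the description (downscope, downaudience, audience change, azp change), added here as an illustration and not code from the issue or from Keycloak. The request layout follows RFC 8693 section 2.1; the policy rules, the `AUDIENCE_EXCHANGE_POLICY` allow list, the client and audience names and the sample claims are all assumptions chosen to show the behaviour a secure implementation needs: scopes and audiences may only be narrowed, an audience absent from the subject token is granted only from a per-client allow list, `azp` is rewritten to the requesting client, and `exp` is never extended.

```python
"""Scope/audience/azp handling for an RFC 8693 token exchange.

Added illustration; not Keycloak's implementation. The request layout follows
RFC 8693 section 2.1. The policy rules below are assumptions that model the
safe behaviour: narrow-only scope and audience, allow-listed audience change,
azp rewritten to the requesting client, exp never extended.
"""
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
EXCHANGED_TOKEN_LIFETIME = 300  # seconds; assumed default lifetime of an exchanged token

# Assumed policy: requesting client -> audiences it may obtain a token for
# even when they are absent from the subject token (audience change).
AUDIENCE_EXCHANGE_POLICY = {
    "gateway": {"orders-api", "inventory-api"},
    "reporting": set(),
}

# Constructed sample claims of a subject token (not a real token).
SAMPLE_SUBJECT_CLAIMS = {
    "sub": "user-123",
    "azp": "spa",
    "aud": ["orders-api", "profile-api"],
    "scope": "orders:read orders:write profile",
    "exp": 1000,
}


class ExchangeDenied(Exception):
    """The requested exchange would widen the subject token's privileges."""


def build_exchange_request(subject_token, requesting_client, scope=None, audience=None):
    """Form body of a token-exchange request; audience is repeated per RFC 8693."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "client_id": requesting_client,
    }
    if scope is not None:
        params["scope"] = " ".join(scope)
    if audience is not None:
        params["audience"] = list(audience)  # one audience= parameter per value
    return urlencode(params, doseq=True)


def exchange_claims(subject_claims, requesting_client, now, scope=None, audience=None):
    """Return the claims of the exchanged token, or raise ExchangeDenied."""
    orig_scope = set(subject_claims.get("scope", "").split())
    orig_aud = subject_claims.get("aud", [])
    orig_aud = {orig_aud} if isinstance(orig_aud, str) else set(orig_aud)

    # Downscope: any scope not already in the subject token is a widening.
    new_scope = orig_scope if scope is None else set(scope)
    if not new_scope <= orig_scope:
        raise ExchangeDenied(f"scope widening: {sorted(new_scope - orig_scope)}")

    # Downaudience (subset of the original aud) or audience change via the
    # per-client allow list; anything else is denied.
    new_aud = orig_aud if audience is None else set(audience)
    if not new_aud:
        raise ExchangeDenied("empty audience")
    foreign = new_aud - orig_aud
    allowed = AUDIENCE_EXCHANGE_POLICY.get(requesting_client, set())
    if not foreign <= allowed:
        raise ExchangeDenied(
            f"audience not allowed for {requesting_client}: {sorted(foreign - allowed)}")

    exchanged = dict(subject_claims)
    exchanged["scope"] = " ".join(sorted(new_scope))
    exchanged["aud"] = sorted(new_aud)
    exchanged["azp"] = requesting_client  # authorized party is now the exchanging client
    exchanged["exp"] = min(subject_claims["exp"], now + EXCHANGED_TOKEN_LIFETIME)  # never extend
    exchanged.pop("jti", None)  # the exchanged token gets its own id when it is signed
    return exchanged


if __name__ == "__main__":
    print(build_exchange_request("<subject-jwt>", "gateway",
                                 scope=["orders:read"], audience=["orders-api"]))
    print(exchange_claims(SAMPLE_SUBJECT_CLAIMS, "gateway", now=800,
                          scope=["orders:read"], audience=["orders-api"]))
    try:
        exchange_claims(SAMPLE_SUBJECT_CLAIMS, "reporting", now=800, audience=["inventory-api"])
    except ExchangeDenied as e:
        print("denied:", e)
```

The check that matters for security is that every path either narrows the subject token or consults an explicit policy; a requester never gets a scope it did not already hold, and an audience it did not hold only when the allow list names it for that client, so a compromised client cannot launder a low-privilege token into one accepted by an unrelated API.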
