Token Exchange Configuration


To configure a Token Exchange server (TX) the following prerequisites must be met:

  • Prerequisites for the supplier of the subject tokens
  • The access or ID token supplied must be a JWT token.
  • The issuer must be an OpenID Provider that exposes the standard Discovery Endpoint. The TX uses this endpoint to obtain the key material to verify the token.
  • Prerequisites for the TX server
  • Airlock IAM must already be configured as an OpenID Provider or an Authorization Server.


  1. Configure the OAuth 2.0 Token Exchange plugin
  2. Go to:
    Loginapp >> OAuth 2.0/OIDC Authorization Servers >> OAuth 2.0 Grants/OIDC Flows
  3. Create an OAuth 2.0 Token Exchange Grant plugin
  4. The Token Exchange server plugin is ready for configuration.
  1. Subject Token Validation
  2. In Subject Token Validation create an OpenID Connect Discovery Subject Token Validation plugin.
  3. Configure the plugin with a list of Allowed Token Issuers. The issuer claim from the subject token provided in the token exchange request must match one entry in this list.
  4. Configure the plugin with an HTTP Client. The HTTP Client is used to connect to the discovery endpoint of the token issuer. Make sure the Security Settings are configured restrictively and will only trust the certificate of the discovery endpoint.
  5. The Token Exchange server is ready to verify subject tokens.
  1. Token Exchange Rules
  2. Configure at least one JWT Token Exchange Rule plugin.
  3. Configure a Requested Resource Or Audience Condition plugin with regex patterns to match the resource or audience parameters of the token exchange requests. If multiple JWT Token Exchange Rule plugins are configured the first matching Requested Resource Or Audience Condition decides with JWT Token Exchange Rule will be used to generate the exchanged token.
  4. Configure Issued Token Type value and Token Validity Lifetime [s].
    The purpose of the Issued Token Type is simply to inform the client about the token format issued by the Token Exchange server.
  5. Configure the standard claims:
    • Audience Claim
    • Subject Claim
    • Actor Claim
    • Client Id Claim
  6. Optionally configure Custom Claims
  7. Configure the Scope Handling. It is possible to copy scopes from the subject token, from the request and to add static scopes.
  8. Add a Signature to the token by configuring a JWT Access Token Private Key Signature plugin.
  9. A Token Exchange Rule is configured that will generate an exchanged token with data from the subject token, from the request or statically supplied data.