Token Exchange Use Case example
The Token Exchange grant is a simple request-response sequence, as shown below.
Token Exchange request
Example
POST 'https://tx.ergon.ch/tx/rest/oauth2/authorization-servers/mytx/token?client_id=client'
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
&scope=openid%20email
&audience=backend_host
&subject_token=eyJraWQiO...5T6_Iw
&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token
&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token
&resource=https%3A%2F%2Fexample.com%2Fresource
Token Exchange response
Example
HTTP/1.1 200 OK
{
  "access_token": "eyJraWQiO...8hQidQ",
  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "scope": "email",
  "token_type": "Bearer",
  "expires_in": 180
}
Token Exchange request with actor_token
Example
POST 'https://tx.ergon.ch/tx/rest/oauth2/authorization-servers/mytx/token?client_id=client'
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
&scope=openid%20email
&audience=backend_host
&subject_token=eyJraWQiO...5T6_Iw
&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token
&actor_token=eyBrntwIq...265_Iw
&actor_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt
&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token
&resource=https%3A%2F%2Fexample.com%2Fresource
Token Exchange access token with act claim
Example
{
  "aud": "backend_host",
  "iss": "https://tx.ergon.ch/backend/",
  "exp": 1443904100,
  "nbf": 1443904000,
  "sub": "user@example.com",
  "act": {
    "sub": "helpdesk@example.com",
    "iss": "https://tx.ergon.ch/frontend/",
    "act": {
      "sub": "helpdesk@example.com",
      "iss": "https://tx.ergon.ch/user_idp/"
    }
  }
}
Further information and links
Internal links:
- See also Token Exchange Configuration.
- See also Token Exchange service overview.
- An example of an Authorization Code flow is given here: Authorization code flow usage.
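
How a resource server could evaluate the nested act claim from the access token example above. This is an added example, not code from the product documentation. It assumes the JWT signature and issuer were already verified, and the names delegation_chain, authorize, MAX_DEPTH and ALLOWED are hypothetical.

```python
# Added example: claims are assumed to come from a JWT whose signature and
# issuer were already verified. MAX_DEPTH and function names are hypothetical.
MAX_DEPTH = 8  # refuse absurdly deep "act" nesting

def delegation_chain(claims):
    """Return [(sub, iss), ...]: current actor first, then prior actors."""
    chain, node = [], claims.get("act")
    while node is not None:
        if not isinstance(node, dict) or not isinstance(node.get("sub"), str):
            raise ValueError("malformed act claim")
        if len(chain) >= MAX_DEPTH:
            raise ValueError("act chain too deep")
        chain.append((node["sub"], node.get("iss")))
        node = node.get("act")
    return chain

def authorize(claims, expected_aud, now, allowed_actors):
    """Decide on top-level claims plus the current actor only.

    Nested (prior) actors are returned for audit logging but, per RFC 8693
    section 4.1, are informational and do not influence the decision.
    """
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        return False, "wrong audience", []
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token not valid at this time", []
    chain = delegation_chain(claims)
    if not chain:  # policy assumption of this example: delegation is required
        return False, "no actor: not a delegated token", []
    if chain[0] not in allowed_actors:  # compares sub AND iss of the actor
        return False, "current actor not permitted", chain[1:]
    return True, "ok", chain[1:]

# Claims copied from the access token example on this page.
CLAIMS = {
    "aud": "backend_host", "iss": "https://tx.ergon.ch/backend/",
    "exp": 1443904100, "nbf": 1443904000, "sub": "user@example.com",
    "act": {"sub": "helpdesk@example.com", "iss": "https://tx.ergon.ch/frontend/",
            "act": {"sub": "helpdesk@example.com", "iss": "https://tx.ergon.ch/user_idp/"}},
}
ALLOWED = {("helpdesk@example.com", "https://tx.ergon.ch/frontend/")}

if __name__ == "__main__":
    print(authorize(CLAIMS, "backend_host", 1443904050, ALLOWED))
```

The actor is matched on the pair of sub and iss, so the same helpdesk@example.com subject asserted by the user_idp issuer in the nested act does not satisfy an allow-list entry for the frontend issuer.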