OpenID Connect Token Exchange
Presentation
Token exchange is the process of using a set of credentials or a token to obtain an entirely different token, for example to get access to an application that is not covered by the current access_token.
Available Token Exchange systems
Tip
The Lemonldap::NG::Portal::Lib::OIDCTokenExchange base class allows developers to easily write other token exchange systems. See its manpage.
Internal Token Exchange
LLNG provides an internal OIDC token exchange system that allows an OIDC Relying Party to ask for an access_token that is valid for another Relying Party.
Configuration
The only thing to configure is the list of Relying Parties authorized to ask for an access_token of the destination Relying Party. This list contains space-separated Relying Party names (use the internal LLNG name, not the client ID): “OpenID Connect Relying Party » dest » Options » Advanced » Other RP allowed to exchange access_token”.
How to use it
Request parameters:

Authentication (RP source):
- client_id: the client identifier
- client_secret: required if the client isn't public
- subject_token: the current access_token

OAuth2 parameters:
- grant_type: must be urn:ietf:params:oauth:grant-type:token-exchange
- subject_token_type (optional): only urn:ietf:params:oauth:token-type:access_token is supported here
- requested_token_type (optional): only urn:ietf:params:oauth:token-type:access_token is supported here

Target:
- audience: the client identifier of the target (not the internal LLNG name)
Example:
curl -X POST \
-d "client_id=clientIdSrc" \
--data-urlencode "client_secret=ClientSecretSrc" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
--data-urlencode "subject_token=accessTokenString" \
--data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \
-d "audience=target-client" \
http://auth.example.com/oauth2/token
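As an added illustration (a constructed model written here, not LLNG's own code), the checks a token endpoint has to make before answering the request above: grant and token types, source client authentication, resolving audience as a client_id rather than an internal name, and the "Other RP allowed to exchange access_token" list. The RPS and TOKENS tables, new token generation and the error codes are assumptions, not LLNG behaviour.

```python
import hmac
import secrets

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
AT_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed RP configuration keyed by internal LLNG name (assumption, not real config).
# "allowed_from" mirrors "Other RP allowed to exchange access_token": space-separated internal names.
RPS = {
    "rp-source": {"client_id": "clientIdSrc", "client_secret": "ClientSecretSrc", "allowed_from": ""},
    "rp-target": {"client_id": "target-client", "client_secret": "TargetSecret", "allowed_from": "rp-source"},
    "rp-other": {"client_id": "other-client", "client_secret": "OtherSecret", "allowed_from": ""},
}
# Constructed store of issued access_tokens -> (internal name of the RP it was issued for, user).
TOKENS = {"accessTokenString": ("rp-source", "dwho")}


def rp_by_client_id(client_id):
    """Map a client_id (what the request carries) to the internal LLNG RP name."""
    return next((name for name, cfg in RPS.items() if cfg["client_id"] == client_id), None)


def handle_token_exchange(p):
    """Return the JSON the token endpoint would answer for request parameters p."""
    if p.get("grant_type") != GRANT:
        return {"error": "unsupported_grant_type"}
    # Both *_token_type parameters are optional; only access_token is supported here.
    if p.get("subject_token_type", AT_TYPE) != AT_TYPE or p.get("requested_token_type", AT_TYPE) != AT_TYPE:
        return {"error": "invalid_request", "error_description": "only access_token type is supported"}
    src = rp_by_client_id(p.get("client_id"))
    if src is None or not hmac.compare_digest(RPS[src]["client_secret"], p.get("client_secret", "")):
        return {"error": "invalid_client"}
    # audience is the target's client_id, not its internal LLNG name.
    dst = rp_by_client_id(p.get("audience"))
    if dst is None:
        return {"error": "invalid_target"}
    # The target RP must list the source RP (by internal name) as allowed to exchange.
    if src not in RPS[dst]["allowed_from"].split():
        return {"error": "unauthorized_client"}
    tok = TOKENS.get(p.get("subject_token"))
    if tok is None or tok[0] != src:  # subject_token must be one issued to the requesting RP
        return {"error": "invalid_grant"}
    new_token = secrets.token_urlsafe(24)
    TOKENS[new_token] = (dst, tok[1])  # same user, now scoped to the target RP
    return {"access_token": new_token, "issued_token_type": AT_TYPE, "token_type": "Bearer"}
```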