deft/notes/token_exchange_in_iroh_auth.org

:PROPERTIES:
:ID:       97cfc6a5-3522-4ebc-99c6-704740ea97e8
:END:
#+TITLE: Token Exchange in IROH-Auth
#+Author: Yann Esposito
#+Date: [2022-04-26]
- tags :: [[id:91f33b35-6e4e-4213-b214-972ee20722df][Cisco]] [[id:299643a7-00e5-47fb-a987-3b9278e89da3][Auth]]
- source ::

- Token Exchange RFC :: https://www.rfc-editor.org/rfc/rfc8693.html

* Token Exchange

Token Exchange RFC describe an OAuth2 extension to support Token Exchanges.
With that RFC you could exchange an access token with another one.

It would immediately be useful to support the following features:

- provide impersonate ability to trusted clients

The RFC propose to use the existing ~/token~ endpoint.

Here would be an example for account switching:

#+begin_src http :pretty
POST /iroh/oauth2/token
Authorization: Basic XXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
 &subject_token=JWT_WHERE_SUB_IS_USER_ID
 &subject_token_type=
  urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token
 &audience=iroh
 &scope=profile
#+end_src

The call takes:

- Authorization contain the info about the Client (id + secret)
- Some JWT signed by the client containing some SecureX ~user-id~
- optionally a list of scopes
- optionally some audience

And should return an access token of this user.
So we could provide a client that would just need to know some user-id to
be able to get a JWT of this user.
* Token Exchange support Okta tokens

The end goal is to provide a mechanism for a team that support Okta login to
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:03:46 +00:00			`:PROPERTIES:`
			`:ID: 97cfc6a5-3522-4ebc-99c6-704740ea97e8`
			`:END:`
			`#+TITLE: Token Exchange in IROH-Auth`
			`#+Author: Yann Esposito`
			`#+Date: [2022-04-26]`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:06:11 +00:00			`- tags :: [[id:91f33b35-6e4e-4213-b214-972ee20722df][Cisco]] [[id:299643a7-00e5-47fb-a987-3b9278e89da3][Auth]]`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:03:46 +00:00			`- source ::`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:06:11 +00:00
			`- Token Exchange RFC :: https://www.rfc-editor.org/rfc/rfc8693.html`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:07:23 +00:00
			`* Token Exchange`

notes/token_exchange_in_iroh_auth.org 2022-04-26 14:08:59 +00:00			`Token Exchange RFC describe an OAuth2 extension to support Token Exchanges.`
			`With that RFC you could exchange an access token with another one.`

			`It would immediately be useful to support the following features:`

			`- provide impersonate ability to trusted clients`

			`The RFC propose to use the existing ~/token~ endpoint.`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:10:13 +00:00
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:17:48 +00:00			`Here would be an example for account switching:`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:10:13 +00:00
notes/token_exchange_in_iroh_auth.org 2022-04-26 15:05:04 +00:00			`#+begin_src http :pretty`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:10:13 +00:00			`POST /iroh/oauth2/token`
			`Authorization: Basic XXXXXXXXXXXXX`
			`Content-Type: application/x-www-form-urlencoded`

			`grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:17:48 +00:00			`&subject_token=JWT_WHERE_SUB_IS_USER_ID`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:10:13 +00:00			`&subject_token_type=`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:14:42 +00:00			`urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:27:36 +00:00			`&audience=iroh`
			`&scope=profile`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:10:13 +00:00			`#+end_src`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:14:42 +00:00
			`The call takes:`

notes/token_exchange_in_iroh_auth.org 2022-04-26 14:26:14 +00:00			`- Authorization contain the info about the Client (id + secret)`
			`- Some JWT signed by the client containing some SecureX ~user-id~`
			`- optionally a list of scopes`
			`- optionally some audience`
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:27:36 +00:00
notes/token_exchange_in_iroh_auth.org 2022-04-26 14:28:37 +00:00			`And should return an access token of this user.`
			`So we could provide a client that would just need to know some user-id to`
			`be able to get a JWT of this user.`
notes/token_exchange_in_iroh_auth.org 2022-06-01 08:37:10 +00:00			`* Token Exchange support Okta tokens`

			`The end goal is to provide a mechanism for a team that support Okta login to`