2.1 KiB
2.1 KiB
Token Exchange in IROH-Auth
- tags
- Cisco Auth
- source
- Token Exchange RFC
- https://www.rfc-editor.org/rfc/rfc8693.html
Token Exchange
Token Exchange RFC describe an OAuth2 extension to support Token Exchanges. With that RFC you could exchange an access token with another one.
It would immediately be useful to support the following features:
- provide impersonate ability to trusted clients
The RFC propose to use the existing /token
endpoint.
Here would be an example for account switching:
POST /iroh/oauth2/token
Authorization: Basic XXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
&subject_token=JWT_WHERE_SUB_IS_USER_ID
&subject_token_type=
urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token
&audience=iroh
&scope=profile
The call takes:
- Authorization contain the info about the Client (id + secret)
- Some JWT signed by the client containing some SecureX
user-id
- optionally a list of scopes
- optionally some audience
And should return an access token of this user. So we could provide a client that would just need to know some user-id to be able to get a JWT of this user.
Token Exchange support Okta tokens
The end goal is to provide a mechanism for a team that support Okta login to retrieve tokens from SecureX for the User's accounts.
This Document Terminology
- SecureX user or simply user => a SecureX user belongs to a known org
- SecureX org or simply org => The org in SecureX
- SecureX account or simply account => a couple SecureX user with its associated SecureX org
- User Identity or IdP User or Okta User => a user identified via an IdP. Such a user can reach potentially multiple SecureX accounts.
- tenant => can be assimilated to SecureX org in this document
Token Exchange RFC
To reduce to the essential the Token Exchange RFC using our own terminology: