In {project_name}, token exchange is the process of using a set of credentials or token to obtain an entirely different token.
A client may want to invoke on a less trusted application so it may want to downgrade the current token it has.
A client may want to exchange a {project_token} for a token stored for a linked social provider account.
You may want to trust external tokens minted by other {project_name} realms or foreign IDPs. A client may have a need
to impersonate a user. Here's a short summary of the current capabilities of {project_name} around token exchange.
* A client can exchange an existing {project_name} token created for a specific client for a new token targeted to a different client
* A client can exchange an existing {project_name} token for an external token, i.e. a linked Facebook account
* A client can exchange an external token for a {project_name} token.
* A client can impersonate a user
Token exchange in {project_name} is a very loose implementation of the link:http://www.ietf.org/id/draft-ietf-oauth-token-exchange-09.txt[OAuth Token Exchange] specification at the IETF.
We have extended it a little, ignored some of it, and loosely interpreted other parts of the specification. It is
a simple grant type invocation on a realm's OpenID Connect token endpoint.
----
/realms/{realm}/protocol/openid-connect/token
----
It accepts form parameters (`application/x-www-form-urlencoded`) as input and the output depends on the type of token you requested an exchange for.
Token exchange is a client endpoint so requests must provide authentication information for the calling client.
Public clients specify their client identifier as a form parameter. Confidential clients can also use form parameters
to pass their client id and secret, Basic Auth, or however your admin has configured the client authentication flow in your
realm. Here's a list of form parameters
client_id::
_REQUIRED MAYBE._ This parameter is required for clients using form parameters for authentication. If you are using
Basic Auth, a client JWT token, or client cert authentication, then do not specify this parameter.
client_secret::
_REQUIRED MAYBE_. This parameter is required for clients using form parameters for authentication and using a client secret as a credential.
Do not specify this parameter if client invocations in your realm are authenticated by a different means.
grant_type::
_REQUIRED._ The value of the parameter must be `urn:ietf:params:oauth:grant-type:token-exchange`.
subject_token::
_OPTIONAL._ A security token that represents the identity of the party on behalf of whom the request is being made. It is required if you are exchanging an existing token for a new one.
subject_issuer::
_OPTIONAL._ Identifies the issuer of the `subject_token`. It can be left blank if the token comes from the current realm or if the issuer
can be determined from the `subject_token_type`. Otherwise it is required to be specified. Valid values are the alias of an `Identity Provider` configured for your realm. Or an issuer claim identifier
configured by a specific `Identity Provider`.
subject_token_type::
_OPTIONAL._ This parameter is the type of the token passed with the `subject_token` parameter. This defaults
to `urn:ietf:params:oauth:token-type:access_token` if the `subject_token` comes from the realm and is an access token.
If it is an external token, this parameter may or may not have to be specified depending on the requirements of the
`subject_issuer`.
requested_token_type::
_OPTIONAL._ This parameter represents the type of token the client wants to exchange for. Currently only oauth
and OpenID Connect token types are supported. The default value for this depends on whether the
is `urn:ietf:params:oauth:token-type:refresh_token` in which case you will be returned both an access token and refresh
token within the response. Other appropriate values are `urn:ietf:params:oauth:token-type:access_token` and `urn:ietf:params:oauth:token-type:id_token`
audience::
_OPTIONAL._ This parameter specifies the target client you want the new token minted for.
requested_issuer::
_OPTIONAL._ This parameter specifies that the client wants a token minted by an external provider. It must
be the alias of an `Identity Provider` configured within the realm.
requested_subject::
_OPTIONAL._ This specifies a username or user id if your client wants to impersonate a different user.
scope::
_NOT IMPLEMENTED._ This parameter represents the target set of OAuth and OpenID Connect scopes the client
is requesting. It is not implemented at this time but will be once {project_name} has better support for
NOTE: We currently only support OpenID Connect and OAuth exchanges. Support for SAML based clients and identity providers may be added in the future depending on user demand.
A successful response from an exchange invocation will return the HTTP 200 response code with a content type that
depends on the `requested-token-type` and `requested_issuer` the client asks for. OAuth requested token types will return
a JSON document as described in the link:http://www.ietf.org/id/draft-ietf-oauth-token-exchange-09.txt[OAuth Token Exchange] specification.
----
{
"access_token" : ".....",
"refresh_token" : ".....",
"expires_in" : "...."
}
----
Clients requesting a refresh token will get back both an access and refresh token in the response. Clients requesting only
access token type will only get an access token in the response. Expiration information may or may not be included for
clients requesting a an external issuer through the `requested_issuer`paramater.
Error responses generally fall under the 400 HTTP response code category, but other error status codes may be returned
depending on the severity of the error. Error responses may include content depending on the `requested_issuer`.
OAuth based exchanges may return a JSON document as follows:
----
{
"error" : "...."
"error_description" : "...."
}
----
Additional error claims may be returned depending on the exchange type. For example, OAuth Identity Providers may include
an additional `account-link-url` claim if the user does not have a link to an identity provider. This link can be used
for a client initiated link request.
NOTE: Token exchange setup requires knowledge of fine grain admin permissions (See the link:{adminguide_link}[{adminguide_name}] for more information). You will need to grant clients
You can exchange a realm token for an externl token minted by an external identity provider. This external identity provider
must be configured within the `Identity Provider` section of the admin console. Currently only OAuth/OpenID Connect based external
identity providers are supported, this includes all social providers. {project_name} does not perform a backchannel exchange to the external provider. So if the account
is not linked, you will not be able to get the external token. To be able to obtain an external token one of
these conditions must be met:
* The user must have logged in with the external identity provider at least once
* The user must have linked with the external identity provider through the User Account Service
* The user account was linked through the external identity provider using link:{developerguide_link}[Client Initiated Account Linking] API.
Finally, the external identity provider must have been configured to store tokens, or, one of the above actions must
have been performed with the same user session as the internal token you are exchanging.
If the account is not linked, the exchange response will contain a link you can use to establish it. This is
discussed more in the <<_internal_external_making_request, Making the Request>> section.
When granting clients permission to exchange, you don't necessarily have to manually enable those permissions for each and every client.
If the client has a service account associated with it, you can use a role to group permissions together and assign exchange permissions
by assigning a role to the client's service account. For example, you might define a `naked-exchange` role and any service account that has that
role can do a naked exchange.
=== Exchange Vulnerabilities
When you start allowing token exchanges, there's various things you have to both be aware of and careful of.
The first is public clients. Public clients do not have or require a client credential in order to perform an exchange. Anybody that has a valid
token will be able to __impersonate__ the public client and perform the exchanges that public client is allowed to perform. If there
are any untrustworthy clients that are managed by your realm, public clients may open up vulnerabilities in your permission models.
This is why direct naked exchanges do not allow public clients and will abort with an error if the calling client is public.
It is possible to exchange social tokens provided by Facebook, Google, etc. for a realm token. Be careful and vigilante on what
the exchange token is allowed to do as its not hard to create fake accounts on these social websites. Use default roles, groups, and identity provider mappers to control what attributes and roles
are assigned to the external social user.
Direct naked exchanges are quite dangerous. You are putting a lot of trust in the calling client that it will never leak out
its client credentials. If those credentials are leaked, then the thief can impersonate anybody in your system. This is in direct
contrast to confidential clients that have existing tokens. You have two factors of authentication, the access token and the client
credentials, and you're only dealing with one user. So use direct naked exchanges sparingly.