From bc72e53987ff66677f5f51ae644e66e0df8660e5 Mon Sep 17 00:00:00 2001 From: strehle Date: Mon, 2 Dec 2024 12:31:28 +0100 Subject: [PATCH] Add documentation --- token-exchange-doc.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 token-exchange-doc.md diff --git a/token-exchange-doc.md b/token-exchange-doc.md new file mode 100644 index 0000000..e1f756e --- /dev/null +++ b/token-exchange-doc.md @@ -0,0 +1,33 @@ +# Token-Exchanges in OAuth2/OIDC + +The standards are + +* JWT Bearer for authorization grants, e.g. [RFC7523, section 2.1](https://www.rfc-editor.org/info/rfc7523) +* Token Exchange, a generic standard according [RFC8693](https://www.rfc-editor.org/info/rfc8693) + +The JWT bearer flow is mainly used to provide principal propagation for ID-Tokens from an external system and +from one application to another. + +The generic token-exchange grant type is supporting more types of incoming and outgoing token types. They are +defined with subject_token_type and requested_token_type. + +The API for token-exchange is documented in +https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configure-client-to-call-identity-authentication-token-exchange + +New parameters combined with documentation: + +* assertion -> subject_token +* subject_type -> subject_token_type ( only last part needed, access_token, id_token, refresh_token, jwt) +* requested_type -> requested_token_type ( only last part needed, access_token, id_token, saml2) +* provider_name -> resource parameter with provider name from https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications + +Example: + +`openid-client -issuer https:// -client_secret -client_id -requested_type saml2 -provider_name -login_hint ` + +With this call you get a browser windows opened, then + +1. Login (if corp.IdP is enabled, login to corp.IdP) +2. IAS id-token created +3. SAML Bearer token is returned +
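Review bot: The example invocation in the new token-exchange-doc.md has every placeholder value dropped (`openid-client -issuer https:// -client_secret -client_id -requested_type saml2 -provider_name -login_hint `), so a reader cannot tell which flags take a value or what the issuer URL should look like; mark each one explicitly, e.g. `-issuer https://<tenant>.accounts.ondemand.com -client_id <client_id> -provider_name <provider_name>`, and note that this is a placeholder form. Since the example puts `-client_secret` on the command line, where it ends up in shell history and process listings, the doc should point to a safer way of supplying it (environment variable or interactive prompt) if openid-client offers one, or at least say so. The mapping bullets `subject_type -> subject_token_type ( only last part needed, ...)` and `requested_type -> requested_token_type ( only last part needed, ...)` are ambiguous without stating what the "last part" is cut from; spell out once that these are the RFC 8693 token-type URNs (e.g. `urn:ietf:params:oauth:token-type:access_token`) and that the tool accepts the final segment. Minor wording in the same hunk: "a generic standard according [RFC8693]" should read "according to", "is supporting more types" should be "supports more types", and "browser windows opened" should be "browser window opened".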