Please review the token_exchange delegation flow implementation draft I have put together? #10495
Replies: 1 comment
-
Token exchange is being used a lot, for example for OAuth transaction tokens. See: https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/ There is currently no Jans Auth interception script for token exchange that might enable you to implement this kind of behavior. If the user were to go through a web flow which resulted in a code... couldn't the app which is accepting the delegation just get an id_token with the claims you need for authorization? Don't exchange the token... get the right token in the first place. I would create an Agama Flow to build the web consent for delegation. The web Agama flow can be invoked backchannel via device flow if necessary. Once the user has consented, you can use the Update Token interception script to add in your extra information about the delegation.
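The comment above describes two things a delegation design has to get right: the issued token must record who is acting on whose behalf (the `act` claim that RFC 8693 defines for delegation, whether it is set by a token exchange or added after a consent flow by an Update Token step), and the resource server must check that claim rather than trust it. The following is an added example, not code from the Jans project and not the draft linked in this thread; the issuer URL, the shared HS256 secret, the consent allow-list and the sample identities are all constructed. It mints a delegated token and then verifies it the way a resource server would, rejecting unconsented actors, expired tokens and over-long delegation chains.

```python
"""Constructed example of an RFC 8693-style delegated token and its check.

Not Jans code. Signing uses HS256 with a constructed shared secret so the
example runs offline on the standard library alone; a real deployment would
verify against the issuer's published JWKS (RS256/ES256) instead.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.test"            # constructed issuer URL
SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Compact JWS with a fixed HS256 header (algorithm pinned on both sides)."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def mint_delegated_token(subject, actor, audience, scope, now=None, ttl=300):
    """Issue a token in which `actor` acts on behalf of `subject`.

    The delegating user stays the subject ("sub"); the party acting for them
    goes into "act" (RFC 8693 section 4.1). This is the claim a consent flow
    plus an update-token step, or a token exchange, would add.
    """
    now = int(time.time()) if now is None else now
    claims = {
        "iss": ISSUER, "sub": subject, "aud": audience, "scope": scope,
        "iat": now, "exp": now + ttl,
        "act": {"sub": actor},   # nested "act" objects record earlier actors
    }
    return sign_jwt(claims)


def verify_delegated_token(token, audience, consented_actors, now=None,
                           secret=SECRET, max_chain=2):
    """Resource-server check; returns the claims or raises ValueError.

    consented_actors maps subject -> set of actor ids that subject approved,
    i.e. what the web consent flow would have recorded.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    # Walk the "act" chain: every actor must be one the subject consented to,
    # and the chain is capped so a runaway delegation chain is refused.
    act, depth = claims.get("act"), 0
    allowed = consented_actors.get(claims.get("sub"), set())
    while act is not None:
        depth += 1
        if depth > max_chain:
            raise ValueError("delegation chain too long")
        actor = act.get("sub")
        if actor not in allowed:
            raise ValueError("actor %r not authorised to act for %r" % (actor, claims.get("sub")))
        act = act.get("act")
    return claims


if __name__ == "__main__":
    tok = mint_delegated_token("alice", "agent-app", "api://orders", "orders.read")
    print(verify_delegated_token(tok, "api://orders", {"alice": {"agent-app"}}))
```

The allow-list stands in for whatever the consent flow persists; the point is that the resource server decides on the `act` claim only after the signature, issuer, audience and lifetime have passed, and that an actor absent from the subject's consent record is refused even though the token itself is valid.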
-
I am trying to understand the complete flow and I have put together an implementation draft.
Please forgive any silly mistakes.
Here’s the draft:
https://github.com/arjunballa/api-security/blob/main/token-exchange-delegation-flow.md
Thank you!