Technical Summary:
This specification defines a protocol for an HTTP- and JSON-based Security Token
Service (STS) by defining how to request and obtain security tokens from OAuth 2.0
authorization servers, including security tokens employing impersonation and delegation.
The specification extends the scope of the Authorization Server (AS) to act as an STS,
allowing the AS to exchange one token for another. The working group thinks that this is a
useful Standards Track document.
Working Group Summary:
The WG document is the result of the merge of two individual documents that tried to
address this issue of token exchange: draft-jones-oauth-token-exchange and
draft-campbell-oauth-sts.
The scope of the first few revisions of the document was limited, and there was a long
discussion of addressing a Token Chaining use case:
https://mailarchive.ietf.org/arch/msg/oauth/pQRiMz0NjwcAG9Jazm8Aex40UX8/?qid=e6b492516cfa24bebbf8996009413d62
The WG document was extended to address the Token Chaining use case.
The individual and WG documents were reviewed by a large number of participants, with
lively and long discussions on the mailing list and during the WG meetings.
One participant, Denis (denis.ietf@free.fr), raised some privacy and security concerns with
the WG document, which were not shared by the rest of the group. Denis was encouraged
by the group to write a draft on the subject to allow for a better and clearer understanding
of his concerns, or to discuss the security issues in the context of the OAuth Security Topics
document.
Document Quality:
The document has been implemented by Salesforce, Microsoft, Box, Indigo IAM, and Unity
IdM, with a partial implementation by Red Hat (Keycloak):
https://medium.com/box-developer-blog/introducing-token-exchange-for-box-platform-3dcf7ab891b8
https://indigo-dc.gitbooks.io/iam/content/doc/user-guide/oauth_token_exchange.html
http://www.unity-idm.eu/documentation/unity-2.1.0/manual.html#_token_exchange
http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
Personnel:
The document shepherd is Rifaat Shekh-Yusef.
The responsible Area Director is Roman Danyliw.