OAuth 2 Token Exchange: Benefits

TL;DR

Token Exchange lets you swap one OAuth 2 token for another without user interaction. This is useful when different services need to talk to each other securely, or when upgrading older tokens to newer formats. It improves security and simplifies how applications access protected resources.

What is Token Exchange?

Token Exchange (as defined in RFC 8693) is an OAuth 2 protocol extension that allows a client to request a new token from an authorization server by presenting another valid token.

Why use Token Exchange?

  1. Inter-Service Communication: Imagine you have a web app (Client A) and a mobile app (Client B). Client A needs data from an API protected by Client B’s authorization server. Instead of making users log in again, Client A can exchange its token for one that Client B trusts.
  2. Token Migration: You’re upgrading your OAuth 2 implementation to use a more secure token type (e.g., switching from JWT to opaque tokens). Token Exchange lets you seamlessly swap old tokens for new ones without disrupting users.
  3. Reduced Scope Exposure: Client A might only need limited access to resources protected by Client B. It can request a new token with a reduced set of scopes, minimizing the risk if its token is compromised.
  4. Simplified Architecture: Avoids complex trust relationships between clients and authorization servers. The exchange happens centrally through the authorization server.

How does it work?

Here’s a simplified breakdown of the Token Exchange process:

  1. Client Request: The client sends a request to the token endpoint, including the original token (subject_token), the desired token type (requested_token_type) and other parameters like scope.
  2. Authorization Server Validation: The authorization server validates the subject_token. This includes verifying its signature (or introspecting it if it is opaque) and checking its issuer, audience, and expiration time.
  3. Token Issuance: If validation succeeds, the authorization server issues a new token based on the request parameters.
  4. Client Receives New Token: The client receives the new token and can use it to access protected resources.

Example Request (simplified)

This example shows how a client might request a new token using the token endpoint:

POST /oauth/token HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
&subject_token=
&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token
&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token
&scope=read%3Aprofile%20write%3Aemail
&client_id=
&client_secret=

(The body is a single form-encoded string; it is broken across lines here for readability. RFC 8693 requires subject_token_type alongside subject_token, so it is included above.)

Key Parameters

  • grant_type: Must be set to urn:ietf:params:oauth:grant-type:token-exchange.
  • subject_token: The token being exchanged.
  • subject_token_type: The type of the subject_token (e.g., urn:ietf:params:oauth:token-type:access_token). Required by RFC 8693.
  • requested_token_type: The type of token requested (e.g., urn:ietf:params:oauth:token-type:access_token, urn:ietf:params:oauth:token-type:refresh_token).
  • scope: The desired scopes for the new token.
  • client_id & client_secret: Credentials of the client making the request (one of the standard client authentication methods; an Authorization: Basic header or a client assertion serve the same purpose).

Security Considerations

  • Token Validation: Thoroughly validate the subject_token (signature or introspection, issuer, audience, expiry) before issuing anything, so that a forged, expired or foreign token cannot be exchanged.
  • Audience Restriction: Ensure the authorization server binds the new token to the requested target audience only, and never grants scopes beyond those the subject_token and client policy already allow.
  • Client Authentication: Properly authenticate the client making the request; the exchange must not be possible for an anonymous caller holding a stolen token.
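The four steps above and the three security considerations, worked through as an added example that is not code from the original post. It is a toy RFC 8693 token endpoint written from scratch for this page: the issuer URL, the client registry, the signing key and the sample subject token are all constructed, tokens are HMAC-SHA256-signed JSON blobs standing in for real JWTs, and exchange() takes the already form-decoded body of a POST like the one shown earlier. The audience parameter and the invalid_target error code are the ones RFC 8693 defines; the 300-second lifetime and the "scopes may only shrink" rule are policy choices made here.

```python
"""Toy RFC 8693 token-exchange endpoint (constructed example, not the post's code)."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://auth.example.test"        # assumed authorization server
SIGNING_KEY = b"constructed-demo-key"        # constructed; a real key is random and secret
GRANT_TYPE_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_ACCESS = "urn:ietf:params:oauth:token-type:access_token"
EXCHANGED_TOKEN_LIFETIME = 300               # seconds; policy choice for this example

# Constructed client registry: which target audiences and scopes each client may obtain.
CLIENTS = {
    "web-app": {
        "secret": "web-app-secret",
        "audiences": {"https://profile-api.example.test"},
        "scopes": {"read:profile", "write:email"},
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Serialize claims and append an HMAC tag (toy stand-in for a JWT signature)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, audience: str, now: int) -> dict:
    """Step 2: check signature, issuer, audience and expiry; raise ValueError on any failure."""
    body, tag = token.split(".")                      # ValueError unless exactly two parts
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if audience not in aud:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def exchange(form: dict, now: int) -> dict:
    """Handle one decoded token-exchange request body; return the JSON response body."""
    if form.get("grant_type") != GRANT_TYPE_EXCHANGE:
        return {"error": "unsupported_grant_type"}
    # Client authentication: client_id/client_secret with a constant-time comparison.
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
        return {"error": "invalid_client"}
    if form.get("subject_token_type") != TOKEN_TYPE_ACCESS:
        return {"error": "invalid_request"}
    # The subject token must have been issued to this client: its audience is the client_id.
    try:
        subject = verify_token(form.get("subject_token", ""), form["client_id"], now)
    except ValueError:
        return {"error": "invalid_request"}       # RFC 8693: unacceptable subject_token
    # Audience restriction: the new token is bound to one registered target only.
    target = form.get("audience", "")
    if target not in client["audiences"]:
        return {"error": "invalid_target"}
    # Scopes may only shrink: requested ⊆ subject token's scopes and ⊆ client policy.
    subject_scopes = set(subject.get("scope", "").split())
    requested = set(form.get("scope", "").split()) or (subject_scopes & client["scopes"])
    if not (requested <= subject_scopes and requested <= client["scopes"]):
        return {"error": "invalid_scope"}
    exp = min(now + EXCHANGED_TOKEN_LIFETIME, subject["exp"])  # never outlive the subject token
    scope = " ".join(sorted(requested))
    token = mint_token({"iss": ISSUER, "sub": subject.get("sub"), "aud": [target],
                        "scope": scope, "client_id": form["client_id"], "iat": now, "exp": exp})
    return {"access_token": token, "issued_token_type": TOKEN_TYPE_ACCESS,
            "token_type": "Bearer", "expires_in": exp - now, "scope": scope}


def sample_request(now: int) -> dict:
    """Constructed request: a token issued to web-app for user alice, exchanged for the profile API."""
    subject = mint_token({"iss": ISSUER, "sub": "alice", "aud": ["web-app"],
                          "scope": "read:profile write:email openid", "exp": now + 3600})
    return {"grant_type": GRANT_TYPE_EXCHANGE, "client_id": "web-app",
            "client_secret": "web-app-secret", "subject_token": subject,
            "subject_token_type": TOKEN_TYPE_ACCESS, "requested_token_type": TOKEN_TYPE_ACCESS,
            "audience": "https://profile-api.example.test", "scope": "read:profile"}


if __name__ == "__main__":
    print(json.dumps(exchange(sample_request(1_700_000_000), 1_700_000_000), indent=2))
```

Two details carry the security weight. The subject token is verified against the calling client's own identity as audience, so a token stolen from another client (or a previously exchanged token, whose audience is the target API) is rejected at step 2 rather than laundered into a fresh credential. The issued token's audience, scopes and lifetime are all bounded by what the subject token and the client registry already permit, so an exchange can narrow access but never widen it.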

Token Exchange vs Refresh Tokens

While both involve obtaining new tokens, they serve different purposes:

  • Refresh Tokens are used to obtain a new access token for the same client and user. They require long-term storage and careful handling.
  • Token Exchange is designed for exchanging tokens between different clients or services, often without direct user involvement. It’s more suited for machine-to-machine communication.