OAuth 2.0 Token Exchangefleeting
- External reference: https://datatracker.ietf.org/doc/html/rfc8693#section-4.2
- External reference: https://datatracker.ietf.org/doc/html/rfc8693
This specification defines a protocol extending OAuth 2.0 that enables clients to request and obtain security tokens from authorization servers acting in the role of an STS
delegation vs impersonation
Delegation semantics are different than impersonation semantics, though the two are closely related. With delegation semantics, principal A still has its own identity separate from B, and it is explicitly understood that while B may have delegated some of its rights to A, any actions taken are being taken by A representing B. In a sense, A is an agent for B.
security token (oauth2)
Not to be confused with security token (blockchain).
A security token is a set of information that facilitates the sharing of identity and security information in heterogeneous environments or across security domains
Examples of security tokens include JSON Web Tokens (JWTs) [JWT] and Security Assertion Markup Language (SAML) 2.0 assertions
Security tokens are typically signed to achieve integrity and sometimes also encrypted to achieve confidentiality
Security Token Service (STS) is a service capable of validating security tokens provided to it and issuing new security tokens in response, which enables clients to obtain appropriate access credentials for resources in heterogeneous environments or across security domains.