Konubinix' opinionated web of thoughts

OAuth 2.0 Token Exchange


OAuth 2.0 access token exchange.

This specification defines a protocol extending OAuth 2.0 that enables clients to request and obtain security tokens from authorization servers acting in the role of an STS


delegation vs impersonation

Delegation semantics are different than impersonation semantics, though the two are closely related. With delegation semantics, principal A still has its own identity separate from B, and it is explicitly understood that while B may have delegated some of its rights to A, any actions taken are being taken by A representing B. In a sense, A is an agent for B.


security token (oauth2)

Not to be confused with security token (blockchain).

A security token is a set of information that facilitates the sharing of identity and security information in heterogeneous environments or across security domains


Examples of security tokens include JSON Web Tokens (JWTs) [JWT] and Security Assertion Markup Language (SAML) 2.0 assertions


Security tokens are typically signed to achieve integrity and sometimes also encrypted to achieve confidentiality


Security Token Service (STS) is a service capable of validating security tokens provided to it and issuing new security tokens in response, which enables clients to obtain appropriate access credentials for resources in heterogeneous environments or across security domains.


Notes linking here