Hi all,
I'm looking at Draft 9 of the token-exchange spec. How would one build
a request to:
* exchange a token issued by a different domain to a client managed by
the authorization server.
* exchange a token issued by the authorization server (the STS) for a
token of a different issuer and different client. In other words, for a
token targeted to a specific client in a different authorization server
or realm or domain or whatever you want to call it.
* exchange a token issued by a different issuer for a token of a
different issuer and client.
Is the spec missing something like a "requested_issuer" identifier?
Seems that audience is too opaque of a parameter for the authz server to
determine how to exchange the token.
Thanks,
Bill
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
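
An added sketch, not part of the original message and not taken from the spec: it builds the three exchanges asked about with the draft's request parameters, assuming JWT subject tokens. The STS reads the source issuer from the token's `iss` claim and can only learn the target issuer by mapping `audience` through a local policy table. The hostnames, the policy tables and the helper names are assumptions, and signature verification is omitted.

```python
import base64, json
from urllib.parse import urlencode, parse_qs

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"

# Constructed STS policy (assumption): issuers whose tokens are accepted, and
# the issuer that mints tokens for each audience value.
TRUSTED_SUBJECT_ISSUERS = {"https://sts.example", "https://idp.other.example"}
AUDIENCE_TO_ISSUER = {
    "https://api.partner.example": "https://as.partner.example",
    "https://api.local.example": "https://sts.example",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_jwt(issuer: str) -> str:
    """Constructed sample token with a placeholder signature (never verified here)."""
    header = b64url(json.dumps({"alg": "RS256"}).encode())
    claims = b64url(json.dumps({"iss": issuer, "sub": "alice"}).encode())
    return f"{header}.{claims}.constructed-signature"

def build_exchange_request(subject_token: str, audience: str) -> str:
    """Form body a client would send to the STS token endpoint."""
    return urlencode({
        "grant_type": GRANT_TYPE,
        "subject_token": subject_token,
        "subject_token_type": JWT_TYPE,
        "audience": audience,
    })

def plan_exchange(form_body: str) -> tuple[str, str]:
    """Return (source issuer, target issuer), or raise if policy has no answer."""
    params = {k: v[0] for k, v in parse_qs(form_body, strict_parsing=True).items()}
    if params.get("grant_type") != GRANT_TYPE:
        raise ValueError("not a token-exchange request")
    payload = params["subject_token"].split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    source = claims.get("iss")  # a real STS verifies the signature before trusting this
    if source not in TRUSTED_SUBJECT_ISSUERS:
        raise PermissionError(f"untrusted subject token issuer: {source!r}")
    target = AUDIENCE_TO_ISSUER.get(params.get("audience", ""))
    if target is None:
        raise LookupError("audience does not map to a known issuer")
    return source, target
```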