Should probably have a "subject_issuer" and "actor_issuer" as well as
the "requested_issuer" too.

FYI, I'm actually applying this spec to write a token exchange service
to connect various product stacks that have different and often
proprietary token formats and architectures.

On 7/26/17 6:44 PM, Bill Burke wrote:
Hi all,

I'm looking at Draft 9 of the token-exchange spec. How would one
build a request to:
* exchange a token issued by a different domain to a client managed by
the authorization server.
* exchange a token issued by the authorization server (the STS) for a
token of a different issuer and different client. In other words, for
a token targeted to a specific client in a different authorization
server or realm or domain or whatever you want to call it.
* exchange a token issued by a different issuer for a token of a
different issuer and client.

Is the spec missing something like a "requested_issuer" identifier?
Seems that audience is too opaque of a parameter for the authz server
to determine how to exchange the token.

Thanks,
Bill
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
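The three exchanges asked about above, as an added example that is not part of the thread or of the draft: an STS routes a token-exchange request on explicit issuer hints instead of guessing from `audience`. The `subject_issuer` and `requested_issuer` parameters are the ones proposed in this thread, not parameters the draft defines; the issuer URLs, policy table and function names are constructed for illustration.

```python
from urllib.parse import urlencode, parse_qs

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
LOCAL = "https://sts.example"  # constructed: the STS's own issuer

# Constructed policy: (subject issuer, requested issuer) pairs the STS permits.
ALLOWED = {
    ("https://partner.example", LOCAL),                    # foreign token -> local client
    (LOCAL, "https://other.example"),                      # local token -> foreign issuer
    ("https://partner.example", "https://other.example"),  # foreign -> foreign
}

def build_request(subject_token, subject_issuer, requested_issuer, audience):
    """Form-encode a token-exchange request carrying the proposed issuer hints."""
    return urlencode({
        "grant_type": GRANT,
        "subject_token": subject_token,
        "subject_token_type": JWT_TYPE,
        "audience": audience,
        "subject_issuer": subject_issuer,      # proposed in the thread, not in the draft
        "requested_issuer": requested_issuer,  # proposed in the thread, not in the draft
    })

def route_exchange(body):
    """Decide which trust anchor validates the token and which issuer mints the new one."""
    p = {k: v[0] for k, v in parse_qs(body).items()}
    if p.get("grant_type") != GRANT:
        raise ValueError("unsupported_grant_type")
    if not p.get("subject_token") or not p.get("subject_token_type"):
        raise ValueError("invalid_request")
    subj = p.get("subject_issuer", LOCAL)
    req = p.get("requested_issuer", LOCAL)
    # The hint only selects a trust anchor: the subject token must still be
    # verified against that issuer's keys before anything is minted.
    if (subj, req) not in ALLOWED:
        raise ValueError("invalid_target")
    return {"validate_with": subj, "mint_as": req, "audience": p.get("audience")}

if __name__ == "__main__":
    body = build_request("constructed.jwt.value", LOCAL, "https://other.example", "client-b")
    print(route_exchange(body))
```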