Hi all, For the application I work on, Topicus KeyHub, we are investigating 'OAuth 2.0 Token Exchange'. We want to use this protocol to exchange an access token for a SAML assertion for signing in to AWS (see below). However, I noticed that draft 16 has expired on April 22, 2019. Is this specification still active?
While looking at the specification I noticed a partial overlap with 'Resource Indicators for OAuth 2.0'. Both specify the 'resource' parameter on the token endpoint. However, Token Exchange adds to this the 'audience' parameter. In my opinion it would make sense to align these specs and add the 'audience' parameter to 'Resource Indicators'. 'Token Exchange' could then continue to build on the 'Resource Indicators' spec rather than redefining these parameters.

The specific use case I have in mind is acquiring a SAML assertion for AWS on the command line, using the following steps:

- Our CLI starts with the device authorization grant. In the device authorization request, it passes 'audience=urn:amazon:webservices', which is the entity ID for AWS. I could use 'resource' here, but I think 'audience' is more appropriate.
- Next, the user will continue the authentication and will be prompted for consent with signing a token for AWS. The resulting access token will be audience restricted to AWS.
- Finally, the CLI will exchange this token for a SAML assertion for AWS. I can again pass the desired audience, but as it is already encoded in the token, this is optional. This assertion can then be passed to AWS to complete the sign-in.

To summarize, I have the following questions:

- Is the 'OAuth 2.0 Token Exchange' specification still active?
- Can 'audience' be added to 'Resource Indicators for OAuth 2.0'?
- Can 'OAuth 2.0 Token Exchange' be updated to build on 'Resource Indicators for OAuth 2.0' rather than redefining the same parameters?

Best regards,
Emond Papegaaij
Topicus KeyHub

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
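Added example, not part of the post and not Topicus KeyHub code: a Python simulation of the three-step CLI flow the post describes, with a hypothetical in-memory authorization server playing the server side so both sides' messages can be seen offline. Grant-type and token-type URNs follow RFC 8628 (device authorization grant) and RFC 8693 (the published version of the Token Exchange draft the post asks about); the 'audience' parameter on the device authorization request is the post's own proposal and is not defined by either RFC. The client_id 'keyhub-cli', the endpoint URL, the user identity and the unsigned SAML assertion skeleton are constructed for the example.

```python
# Added example (not KeyHub code): client_id, endpoint URL, user and the
# unsigned assertion skeleton are constructed; URNs come from RFC 8628/8693.
import secrets
from urllib.parse import parse_qs, urlencode
from xml.sax.saxutils import escape

AWS_AUDIENCE = "urn:amazon:webservices"  # AWS entity ID named in the post
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"  # RFC 8693
SAML2_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:saml2"  # RFC 8693
CLIENT_ID = "keyhub-cli"  # hypothetical public client


def _form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


class AuthorizationServer:
    """Hypothetical in-memory AS: device grant plus token exchange to SAML 2.0."""

    def __init__(self) -> None:
        self.pending = {}  # device_code -> request awaiting user approval
        self.tokens = {}   # access_token -> {"sub", "aud"}

    def device_authorization(self, body: str) -> dict:
        p = _form(body)
        device_code, user_code = secrets.token_urlsafe(32), secrets.token_hex(4).upper()
        # 'audience' here is the post's proposal, not a parameter RFC 8628 defines.
        self.pending[device_code] = {"user_code": user_code, "client_id": p["client_id"],
                                     "audience": p.get("audience"), "subject": None}
        return {"device_code": device_code, "user_code": user_code, "expires_in": 600,
                "verification_uri": "https://as.example/device", "interval": 5}

    def consent(self, user_code: str, subject: str) -> str:
        """Browser side: the user signs in and approves a token for the audience."""
        for req in self.pending.values():
            if req["user_code"] == user_code:
                req["subject"] = subject
                return f"Allow {req['client_id']} to obtain a token for {req['audience']}?"
        raise KeyError("unknown user_code")

    def token(self, body: str) -> dict:
        p = _form(body)
        if p.get("grant_type") == DEVICE_CODE_GRANT:
            return self._device_code(p)
        if p.get("grant_type") == TOKEN_EXCHANGE_GRANT:
            return self._exchange(p)
        return {"error": "unsupported_grant_type"}

    def _device_code(self, p: dict) -> dict:
        req = self.pending.get(p.get("device_code"))
        if req is None or req["client_id"] != p.get("client_id"):
            return {"error": "invalid_grant"}
        if req["subject"] is None:
            return {"error": "authorization_pending"}  # RFC 8628 3.5: keep polling
        del self.pending[p["device_code"]]
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": req["subject"], "aud": req["audience"]}  # audience-restricted
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def _exchange(self, p: dict) -> dict:
        if p.get("subject_token_type") != ACCESS_TOKEN_TYPE:
            return {"error": "invalid_request"}
        if p.get("requested_token_type", SAML2_TOKEN_TYPE) != SAML2_TOKEN_TYPE:
            return {"error": "invalid_request"}
        subject = self.tokens.get(p.get("subject_token"))
        if subject is None:
            return {"error": "invalid_grant"}
        # The audience bound in the token wins; an explicit 'audience' is optional
        # but must agree with it. RFC 8693 defines 'invalid_target' for this case.
        audience = p.get("audience", subject["aud"])
        if audience is None or (subject["aud"] is not None and audience != subject["aud"]):
            return {"error": "invalid_target"}
        assertion = (  # unsigned skeleton; a real AS would XML-sign this
            '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<saml:Issuer>https://as.example</saml:Issuer>"
            f'<saml:Subject><saml:NameID>{escape(subject["sub"])}</saml:NameID></saml:Subject>'
            "<saml:Conditions><saml:AudienceRestriction>"
            f"<saml:Audience>{escape(audience)}</saml:Audience>"
            "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>")
        return {"access_token": assertion, "issued_token_type": SAML2_TOKEN_TYPE,
                "token_type": "N_A", "expires_in": 300}


def cli_sign_in(as_server, user, audience=AWS_AUDIENCE, exchange_audience=None) -> dict:
    """The three CLI steps from the post; returns the token-exchange response."""
    dev = as_server.device_authorization(urlencode({"client_id": CLIENT_ID, "audience": audience}))
    poll = urlencode({"grant_type": DEVICE_CODE_GRANT, "device_code": dev["device_code"],
                      "client_id": CLIENT_ID})
    as_server.token(poll)                      # first poll returns authorization_pending
    as_server.consent(dev["user_code"], user)  # user approves in the browser, out of band
    tok = as_server.token(poll)
    exchange = {"grant_type": TOKEN_EXCHANGE_GRANT, "subject_token": tok["access_token"],
                "subject_token_type": ACCESS_TOKEN_TYPE, "requested_token_type": SAML2_TOKEN_TYPE}
    if exchange_audience is not None:
        exchange["audience"] = exchange_audience  # optional: already bound in the token
    return as_server.token(urlencode(exchange))
```

Calling `cli_sign_in(AuthorizationServer(), "alice@example.com")` returns a response whose `access_token` is the assertion and whose `issued_token_type` is the SAML 2.0 URN; passing an `exchange_audience` that differs from the audience the user consented to yields `invalid_target`, which is the check that makes the optional 'audience' on the exchange safe to omit.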