Hi all,

For the application I work on, Topicus KeyHub, we are investigating 'OAuth 2.0 
Token Exchange'. We want to use this protocol to exchange an access token for 
a SAML assertion for signing in to AWS (see below). However, I noticed that 
draft 16 has expired on April 22, 2019. Is this specification still active?

While looking at the specification I noticed a partial overlap with 'Resource 
Indicators for OAuth 2.0'. Both specify the 'resource' parameter on the token 
endpoint. However, Token Exchange adds to this the 'audience' parameter. In my 
opinion it would make sense to align these specs and add the 'audience' 
parameter to 'Resource Indicators'. 'Token Exchange' could then continue to 
build on the 'Resource Indicators' spec rather than redefining these 
parameters.


The specific use case I have in mind is acquiring a SAML assertion for AWS on 
the command line, using the following steps:

Our CLI starts with the device authorization grant. In the device 
authorization request, it passes 'audience=urn:amazon:webservices', which is 
the entity ID for AWS. I could use 'resource' here, but I think 'audience' is 
more appropriate.

Next, the user will continue the authentication and will be prompted for 
consent with signing a token for AWS. The resulting access token will be 
audience restricted to AWS.

Finally, the CLI will exchange this token for a SAML assertion for AWS. I can 
again pass the desired audience, but as it is already encoded in the token, 
this is optional. This assertion can then be passed to AWS to complete the 
sign-in.

To summarize, I have the following questions:
 - Is the 'OAuth 2.0 Token Exchange' specification still active?
 - Can 'audience' be added to 'Resource Indicators for OAuth 2.0'?
 - Can 'OAuth 2.0 Token Exchange' be updated to build on 'Resource Indicators 
for OAuth 2.0' rather than redefining the same parameters?

Best regards,
Emond Papegaaij
Topicus KeyHub
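Added illustration of the three-step flow described in the mail above (this is example code written for this page, not Emond's code and not Topicus KeyHub's; the endpoint, client id and claims are constructed). It builds the device authorization and token exchange request bodies, and shows the audience reconciliation an authorization server has to perform when the subject token is already audience-restricted and the 'audience' parameter is optional on the exchange: a missing parameter falls back to the token's own 'aud', a present one must match it, and a token without any audience is refused. Grant-type and token-type URNs are the ones registered by RFC 8628 and RFC 8693; putting 'audience' on the device authorization request is the poster's proposal, which RFC 8628 itself does not define.

```python
"""Example (added; not from the mail or any OAuth draft): request bodies for
the CLI flow and the server-side audience check for the exchange step."""
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Registered URNs (RFC 8628 and RFC 8693).
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
SAML2_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:saml2"

# AWS SAML entity ID as quoted in the mail.
AWS_ENTITY_ID = "urn:amazon:webservices"


def device_authorization_body(client_id: str, audience: str, scope: str = "openid") -> str:
    """Step 1: body of the device authorization request (RFC 8628 section 3.1).
    The 'audience' parameter is the proposed addition so that the access token
    issued after the user's consent is restricted to that audience."""
    return urlencode({"client_id": client_id, "scope": scope, "audience": audience})


def token_exchange_body(subject_token: str, audience: Optional[str] = None) -> str:
    """Step 3: body of the token exchange request (RFC 8693 section 2.1) asking
    for a SAML 2.0 assertion. 'audience' is omitted when the CLI relies on the
    audience already bound to the access token."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": SAML2_TOKEN_TYPE,
    }
    if audience is not None:
        params["audience"] = audience
    return urlencode(params)


class ExchangeError(ValueError):
    """Raised when the exchange must be refused (maps to an 'invalid_request'
    or 'invalid_target' error response in a real server)."""


def resolve_audience(request_body: str, subject_token_claims: dict) -> str:
    """Server side of step 3: decide which audience the issued assertion may
    carry, given the exchange request and the (already validated) claims of
    the subject token.

    Rules:
      - token 'aud' present, request 'audience' absent -> use the token's aud
      - both present                                   -> must match exactly
      - token 'aud' absent                             -> refuse
    """
    params = parse_qs(request_body, strict_parsing=True)
    if params.get("grant_type") != [TOKEN_EXCHANGE_GRANT]:
        raise ExchangeError("not a token exchange request")
    if params.get("subject_token_type") != [ACCESS_TOKEN_TYPE]:
        raise ExchangeError("unsupported subject_token_type")

    requested = params.get("audience", [None])[0]

    # JWT 'aud' may be a single string or a list; normalise to a list.
    token_aud = subject_token_claims.get("aud")
    bound = [token_aud] if isinstance(token_aud, str) else list(token_aud or [])
    if not bound:
        raise ExchangeError("subject token carries no audience restriction")

    if requested is None:
        if len(bound) != 1:
            raise ExchangeError("token has several audiences; request must name one")
        return bound[0]
    if requested not in bound:
        raise ExchangeError("requested audience is not bound to the subject token")
    return requested


if __name__ == "__main__":
    # Constructed sample: the CLI's two requests and the server's decision.
    print(device_authorization_body("keyhub-cli", AWS_ENTITY_ID))
    exchange = token_exchange_body("constructed-access-token")
    claims = {"sub": "alice", "aud": AWS_ENTITY_ID}  # constructed claims
    print(resolve_audience(exchange, claims))
```

The point of `resolve_audience` is that dropping 'audience' from the exchange request is only safe because the authorization server derives the assertion's audience from the token rather than from the caller; a server that accepted an arbitrary 'audience' on exchange without comparing it to the token's 'aud' would let an audience-restricted token be converted into an assertion for a different relying party.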


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
