We have a use case where a user authenticates over the Janssen server we provide, but then the user needs to access resources protected by other authorisation servers using OAuth 2.0. We intend to use OAuth 2.0 Token Exchange (RFC 8693) to exchange the access token provided by our Janssen server for an access token provided by theirs. The challenge we have now is that the Janssen access token is not a JWT token, so there is no way for the other server's token exchange endpoint to figure out who issued the token, which it needs in order to verify the token and access user information (calling the userinfo endpoint). While at the beginning there would only be one Janssen server issuing access tokens, later there will be many, so this information will not be statically known. Currently I have two suboptimal solutions in mind, but wanted to ask whether I am missing something and there is a better approach. First, the other server queries each potential issuer it trusts until it finds the one accepting the token. This, of course, requires unnecessary requests. Second, we add an issuer to the request when exchanging tokens at the other server. This means we deviate from RFC 8693, which does not define such a parameter.
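The exchange-side check this question is about, as an added Python example that is not code from the Janssen project or from anyone in this discussion: once Jans is configured to issue JWT access tokens (as the reply below notes), the other server's token exchange endpoint reads `iss` from the `subject_token`, looks it up in an allowlist of trusted Janssen issuers, and verifies the signature with that issuer's key, so no extra issuer parameter and no trial requests against each server are needed. The issuer URLs, secrets, and HS256 signing are constructed assumptions so the example runs offline; real Jans tokens are RS256 and would be verified against each issuer's `jwks_uri`.

```python
import base64
import hashlib
import hmac
import json

# Constructed: trusted issuers keyed by `iss`, each with its verification key.
# Jans normally signs RS256 with keys from jwks_uri; HS256 secrets run offline.
TRUSTED_ISSUERS = {
    "https://jans-a.example/jans-auth": b"constructed-secret-a",
    "https://jans-b.example/jans-auth": b"constructed-secret-b",
}
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT standing in for a Jans-issued access token (fixture)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def resolve_subject_token(form: dict):
    """Validate an RFC 8693 exchange request; return (issuer, claims) or None.
    `iss` from the unverified payload only selects the key; the signature is
    checked before any claim is used. Opaque tokens give None (no issuer)."""
    if (form.get("grant_type") != TOKEN_EXCHANGE_GRANT
            or form.get("subject_token_type") != JWT_TOKEN_TYPE):
        return None
    parts = form.get("subject_token", "").split(".")
    if len(parts) != 3:
        return None  # opaque token: cannot tell which Jans server issued it
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        key = TRUSTED_ISSUERS[claims["iss"]]
        signature = _b64url_decode(parts[2])
    except (ValueError, KeyError, TypeError):
        return None  # malformed token, or `iss` missing / not in the allowlist
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # alg must match the one pinned for that issuer ("none" fails)
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return claims["iss"], claims
```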
Have you checked the client configuration? Jans Auth Server can return JWT access tokens.