Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

Brian Campbell <> Fri, 28 July 2017 20:40 UTC

From: Brian Campbell <>
Date: Fri, 28 Jul 2017 14:39:39 -0600
To: Bill Burke <>
Cc: oauth <>

In general, an instance of an AS/STS can only issue tokens from itself. The
audience/resource parameters tell the AS/STS where the requested token will
be used, which will influence the audience of the token (and maybe other
aspects). But the issuer of the requested token will be the AS/STS that
issued it. A cross domain exchange could happen by a client presenting a
subject_token from a different domain/issuer (that the AS/STS trusts) and
receiving a token issued by that AS/STS suitable for the target domain.

On Fri, Jul 28, 2017 at 9:06 AM, Bill Burke <> wrote:

> Should probably have a "subject_issuer" and "actor_issuer" as well as the
> "requested_issuer" too.
> FYI, I'm actually applying this spec to write a token exchange service to
> connect various product stacks that have different and often proprietary
> token formats and architectures.
> On 7/26/17 6:44 PM, Bill Burke wrote:
>> Hi all,
>> I'm looking at Draft 9 of the token-exchange spec.  How would one build a
>> request to:
>> * exchange a token issued by a different domain to a client managed by
>> the authorization server.
>> * exchange a token issued by the authorization server (the STS) for a
>> token of a different issuer and different client.  In other words, for a
>> token targeted to a specific client in a different authorization server or
>> realm or domain or whatever you want to call it.
>> * exchange a token issued by a different issuer for a token of a
>> different issuer and client.
>> Is the spec missing something like a "requested_issuer" identifier?
>> Seems that audience is too opaque of a parameter for the authz server to
>> determine how to exchange the token.
>> Thanks,
>> Bill

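The cross-domain exchange described in the reply above, as an added example that is not part of this thread or of any token-exchange implementation: a small STS that accepts a subject_token from a trusted foreign issuer, verifies it with that issuer's key, and mints a new token whose iss is the STS itself and whose aud is the requested audience. The issuer URLs, keys, fixed clock and the HMAC-based compact token format are constructed for this example (a stand-in for a real JWS library); the grant type, token type, request parameters and error codes are the ones the draft defines. The requirement that the foreign token name the STS in its aud is a choice of this example, not of the draft.

```python
import base64
import hashlib
import hmac
import json

# Identifiers defined by the token-exchange draft.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Mint a compact HS256-style token (header.payload.signature); stand-in for a JWS library."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def unverified_issuer(token: str) -> str:
    """Read 'iss' WITHOUT verifying; used only to pick which trusted key to try."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_b64url_decode(parts[1])).get("iss", "")


def verify_token(token: str, key: bytes, now: int) -> dict:
    """Check the HMAC with the given key and the expiry; return the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class TokenExchangeSTS:
    """An STS that exchanges a trusted foreign issuer's token for one it issues itself."""

    def __init__(self, issuer: str, key: bytes, trusted_issuers: dict, ttl: int = 300):
        self.issuer = issuer                    # 'iss' of every token this STS mints
        self.key = key
        self.trusted_issuers = trusted_issuers  # issuer URL -> verification key
        self.ttl = ttl

    def exchange(self, request: dict, now: int) -> dict:
        if request.get("grant_type") != TOKEN_EXCHANGE_GRANT:
            return {"error": "unsupported_grant_type"}
        if request.get("subject_token_type") != JWT_TOKEN_TYPE or "subject_token" not in request:
            return {"error": "invalid_request"}
        target = request.get("audience") or request.get("resource")
        if not target:
            return {"error": "invalid_target"}
        token = request["subject_token"]
        try:
            issuer = unverified_issuer(token)
        except ValueError:
            return {"error": "invalid_request"}
        key = self.trusted_issuers.get(issuer)
        if key is None:  # only issuers in the trust list are ever verified
            return {"error": "invalid_grant", "error_description": "untrusted issuer"}
        try:
            subject = verify_token(token, key, now)
        except ValueError as exc:
            return {"error": "invalid_grant", "error_description": str(exc)}
        # Example-specific hardening: the foreign token must be addressed to this STS.
        aud = subject.get("aud")
        if self.issuer not in (aud if isinstance(aud, list) else [aud]):
            return {"error": "invalid_grant", "error_description": "token not meant for this STS"}
        # The issued token is always issued by this STS; only its audience is the caller's.
        claims = {"iss": self.issuer, "sub": subject["sub"], "aud": target,
                  "iat": now, "exp": now + self.ttl}
        if "scope" in request:
            claims["scope"] = request["scope"]
        return {"access_token": sign_token(claims, self.key), "issued_token_type": JWT_TOKEN_TYPE,
                "token_type": "Bearer", "expires_in": self.ttl}


# Constructed sample identifiers, keys and clock (hypothetical, for this example only).
IDP_ISSUER, IDP_KEY = "https://idp.example.com", b"idp-secret-key"
STS_ISSUER, STS_KEY = "https://sts.example.org", b"sts-secret-key"
NOW = 1_501_274_410


def demo(now: int = NOW) -> dict:
    sts = TokenExchangeSTS(STS_ISSUER, STS_KEY, {IDP_ISSUER: IDP_KEY})
    foreign = sign_token({"iss": IDP_ISSUER, "sub": "alice", "aud": STS_ISSUER, "exp": now + 600}, IDP_KEY)
    request = {"grant_type": TOKEN_EXCHANGE_GRANT, "subject_token": foreign,
               "subject_token_type": JWT_TOKEN_TYPE, "audience": "https://api.example.net"}
    response = sts.exchange(request, now)
    issued = verify_token(response["access_token"], STS_KEY, now) if "access_token" in response else None
    # Same request with a subject token from an issuer the STS does not trust.
    rogue = sign_token({"iss": "https://rogue.example", "sub": "alice", "aud": STS_ISSUER, "exp": now + 600}, b"x")
    rejected = sts.exchange(dict(request, subject_token=rogue), now)
    return {"response": response, "issued_claims": issued, "rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the exchange response, the claims of the issued token (iss is the STS, aud is the requested API, sub is carried over) and the rejection of a token from an issuer outside the trust list; the unverified peek at iss only selects a key from that list, so a token claiming an unknown issuer is refused before any signature is checked.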