Token exchange
OAuth 2.0 Token Exchange is an extension to OAuth 2.0 that allows IBM Security Verify SaaS to act as a Security Token Service. This mechanism allows trusted services or clients to obtain and exchange tokens securely. Token exchange is particularly useful when a service or application needs to acquire a different type of token or a token with specific privileges to access to resource or perform an action. Learn about the concepts here if this is the first time you are exploring OAuth 2.0 Token Exchange or need a refresher.
You can explore this further with a few example guides.
Admin configuration
To use token exchange, you will need to minimally create an OAuth client instance either as an application or STS client. In addition, custom tokens can be defined. Before diving into the guides, the following sections will help you navigate the admin console.
Token types
At the heart of token exchange are the security token types that are used. Verify supports the following token types out-of-the-box:
urn:ietf:params:oauth:token-type:access_tokenis the identifier used for the access token issued by the Verify tenant.urn:ietf:params:oauth:token-type:refresh_tokenis the identifier used for the refresh token issued by the Verify tenant.urn:ietf:params:oauth:token-type:id_tokenis the identifier used for the OIDC ID token issued by the Verify tenant.urn:x-oath:params:oauth:token-type:device-secretis the identifier used for the actor token used in the Native App SSO flow.
In addition to this, Verify supports the creation of a custom JSON Web Token (JWT) type. This can be used to exchange third-party issued tokens for Verify tokens.
Application clients
You can enable the token exchange grant flow in an application using the OpenID Connect app connector. You can find this connector in the application catalog.
Applications provide more flexibility to choose different grant types and configure user entitlements for access control.
STS clients
If you need a simpler client that has requires no specific user entitlements and is only expected to use the OAuth 2.0 Token Exchange grant flow, you can create an STS client. For example, an API gateway or service that needs to exchange a token can use a STS client.
Guides
Several guides are available as sub-topics and you can view them at a glance here.
Impersonation
The impersonation mode for token exchange is described here.
| Name | Summary |
|---|---|
| Exchange external user token for access token | Exchange a third-party issued identity token (JWT) for a Verify tenant-issued access token. |
Vivek Shankar, IBM Security
Updated 4 months ago