
Token Exchange does not support id_token token type #1880

Open
banterCZ opened this issue Jan 16, 2025 · 7 comments
Labels
status: waiting-for-feedback We need additional information before we can continue type: enhancement A general enhancement

Comments

@banterCZ

Spring Authorization Server supports the Token Exchange feature, introduced in #60.

According to RFC 8693, the token type id_token is valid, but not supported by OAuth2TokenExchangeAuthenticationConverter, which accepts only jwt and access_token.

Moreover, the class is final without any extension points. Right now, the whole AuthenticationConverter has to be implemented.

The same applies to OAuth2TokenExchangeAuthenticationProvider, which always issues an access token.

I already asked on Stack Overflow, but it seems that it is more of a feature request than just a question.

@banterCZ banterCZ added the type: enhancement A general enhancement label Jan 16, 2025
@jgrandja
Collaborator

jgrandja commented Jan 20, 2025

@banterCZ Please note that the initial implementation of OAuth 2.0 Token Exchange was intentionally implemented with minimal capability, hence the reason why id_token is not currently supported. Our goal for the initial implementation was to implement the use cases defined in Appendix A. Additional Token Exchange Examples.

Unfortunately, there were no examples provided for id_token and it wasn't clear to us how this would be used in the wild.

Our plan is to expand the support as we discover real-world use cases from our users.

We're open to enhancements, but we first need to understand the use case. Can you please provide details on your use case and the reason why you would need to exchange an id_token?

@jgrandja jgrandja added the status: waiting-for-feedback We need additional information before we can continue label Jan 20, 2025
@banterCZ
Author

The main idea was to exchange a long-lived id_token for another id_token of limited scope. Adding @zcgandcomp to the loop.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 21, 2025
@jgrandja
Collaborator

@banterCZ

The main idea was to exchange a long-lived id_token for another id_token of limited scope

I'll need more detail as this doesn't appear to be a valid use case at this point.

FYI, if you need a shorter-lived id_token then you can override the default 30 mins as mentioned in this comment.

... for another id_token of limited scope

What do you mean by limited scope? Please provide specific details for your use case.

@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Jan 29, 2025
@jgrandja jgrandja self-assigned this Jan 29, 2025
@chenzhenjia

This is the issue I submitted, but it was closed.
#1866

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Feb 5, 2025
@jgrandja
Collaborator

jgrandja commented Feb 5, 2025

@chenzhenjia I don't see how gh-1866 is related to this issue. The UserInfo endpoint accepts an access token, NOT an ID Token. This issue is specific to exchanging an ID Token. If you have further comments, please comment in gh-1866.

@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Feb 5, 2025
@zcgandcomp

Hello @jgrandja ,

The scenario for the Token Exchange of id_token is as follows:

  • A user initiates a standard login flow, e.g., via the Authorization Code flow, using the scopes openid and profile.
  • After the flow, the user has an id_token with long validity (days) containing the standard claims for the profile scope.
  • The client wants to send an id_token to another system, let's say, for a newsletter subscription, but not with all claims, only with the email claim.
  • The client invokes the token exchange with the requested scope email and receives an exchanged id_token with reduced claims.
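To make the two technical points in this thread concrete (the issue description's note that the converter accepts only the jwt and access_token subject token types out of the six RFC 8693 defines, and the scenario above of narrowing a token's claims to the requested scope), here is an added example in Python. It is not Spring Authorization Server code and does not reproduce the project's classes; it models a token-exchange request validator with a configurable set of accepted subject_token_type values, and a claim-reduction step keyed by OpenID Connect scope. The scope-to-claims table, the sample claims and the sample request body are constructed for the example, and the behaviour of issuing any token at all remains an authorization-server policy decision that the example deliberately does not make.

```python
"""Added example: RFC 8693 token-exchange request validation and scope-based
claim reduction, modelled on the thread's scenario. Not Spring Authorization
Server code; names, tables and the sample token are constructed."""
import json
from urllib.parse import parse_qs

# Token type identifiers defined in RFC 8693, section 3.
TOKEN_TYPE_PREFIX = "urn:ietf:params:oauth:token-type:"
RFC8693_TOKEN_TYPES = {
    TOKEN_TYPE_PREFIX + t
    for t in ("access_token", "refresh_token", "id_token", "saml1", "saml2", "jwt")
}
# The subset the thread says OAuth2TokenExchangeAuthenticationConverter accepts.
CONVERTER_SUPPORTED = {TOKEN_TYPE_PREFIX + "jwt", TOKEN_TYPE_PREFIX + "access_token"}

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"

# Claims released per OpenID Connect scope (a subset of OIDC Core section 5.4,
# assumed for the example). "sub" and the token framing claims are always kept.
SCOPE_CLAIMS = {
    "profile": {"name", "given_name", "family_name", "preferred_username", "picture"},
    "email": {"email", "email_verified"},
}


def validate_exchange_request(body: str, supported_types=CONVERTER_SUPPORTED) -> dict:
    """Parse an application/x-www-form-urlencoded token-exchange request and
    return either the accepted parameters or an RFC 6749 error object.
    RFC 8693 section 2.2.2 mandates error=invalid_request for invalid requests."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    def error(desc: str) -> dict:
        return {"error": "invalid_request", "error_description": desc}

    if params.get("grant_type") != GRANT_TYPE:
        return error("grant_type must be " + GRANT_TYPE)
    for required in ("subject_token", "subject_token_type"):
        if not params.get(required):
            return error(f"missing required parameter: {required}")
    stt = params["subject_token_type"]
    if stt not in RFC8693_TOKEN_TYPES:
        return error("unknown subject_token_type")
    if stt not in supported_types:  # this is where id_token is turned away today
        return error(f"unsupported subject_token_type: {stt}")
    rtt = params.get("requested_token_type")
    if rtt is not None and rtt not in RFC8693_TOKEN_TYPES:
        return error("unknown requested_token_type")
    return {
        "subject_token": params["subject_token"],
        "subject_token_type": stt,
        "requested_token_type": rtt,
        "scope": set(params.get("scope", "").split()),
    }


def reduce_claims(claims: dict, requested_scopes: set) -> dict:
    """Keep only the claims the requested scopes release, plus the subject and
    the iss/aud/exp/iat framing, so a narrower token can be built from them."""
    allowed = {"iss", "sub", "aud", "exp", "iat"}
    for scope in requested_scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    return {k: v for k, v in claims.items() if k in allowed}


# Constructed sample: claims of a long-lived id_token issued for "openid profile email".
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://issuer.example", "sub": "user-42", "aud": "client-a",
    "exp": 1800000000, "iat": 1700000000,
    "name": "Example User", "preferred_username": "euser",
    "email": "euser@example.com", "email_verified": True,
}

if __name__ == "__main__":
    body = ("grant_type=" + GRANT_TYPE
            + "&subject_token=eyJ.constructed.token"
            + "&subject_token_type=" + TOKEN_TYPE_PREFIX + "id_token"
            + "&requested_token_type=" + TOKEN_TYPE_PREFIX + "id_token"
            + "&scope=email")
    # With the converter's current set the id_token request is rejected ...
    print(json.dumps(validate_exchange_request(body)))
    # ... with the full RFC 8693 set it is accepted and the claims are narrowed.
    accepted = validate_exchange_request(body, RFC8693_TOKEN_TYPES)
    print(json.dumps(reduce_claims(SAMPLE_ID_TOKEN_CLAIMS, accepted["scope"])))
```

Running the script shows the same request first rejected with invalid_request (the converter's two-type set) and then accepted with the full RFC 8693 set, after which only iss, sub, aud, exp, iat, email and email_verified survive the reduction for scope=email. Whether the narrowed claims should then be minted as an id_token or as an access token is exactly the policy question the maintainer raises later in the thread; the example stops at the claim set.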

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Feb 5, 2025
@jgrandja
Collaborator

@zcgandcomp Thanks for the details.

The client wants to send an id_token to another system, let's say, for a newsletter subscription.

This does not appear to be a valid use case as clients are not intended to send ID tokens to a Resource Server (newsletter subscription service). I'm curious, why are you sending an ID Token instead of an access token to the resource server? Why can't you send an (exchanged) access token with limited scope?

@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Feb 11, 2025