OAuth 2.0

Token Exchange — Impersonation

Demonstrating RFC 8693 Token Exchange for impersonation. An admin with a 'may_act' privilege exchanges their token for a clean token belonging to a target user.

RFC 8693

POST https://auth.example.com/token200

An administrator ('charlie') wants to impersonate a user ('bob') to troubleshoot an issue. Charlie sends a Token Exchange request to the Authz Server. The request includes Charlie's token as the 'actor_token', and specifies 'bob' as the 'subject_token'.

• In impersonation, the 'subject_token' does not have to be an actual token; it can be an identifier (like a username) if the Authz Server supports it.

• Charlie's 'actor_token' contains a 'may_act' claim. The Authz Server verifies this claim to ensure Charlie actually has permission to impersonate Bob.

• Unlike delegation, the newly issued token has NO 'act' claim. It is indistinguishable from a token Bob acquired himself.

1 / 2

speed

Step 1: POST /token (Exchange)

Request / response

POSThttps://auth.example.com/token

Content-Type?

application/x-www-form-urlencoded

Body

grant_type=urn:ietf:params:oauth:grant-type:token-exchange&subject_token=bob&subject_token_type=urn:ietf:params:oauth:token-type:jwt&actor_token=eyJ0eXAiOiJhdCtqd3QiLCJhbGciOiJIUzI1NiJ9...&actor_token_type=urn:ietf:params:oauth:token-type:access_token&audience=api

Actor Token (Admin's Token)at+jwt

Header

{"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"at+jwt",
"alg":"HS256"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://auth.example.com",
"sub"?Subject — who or what the token is about:"admin_charlie",
"aud"?Audience — which party should accept this token:"admin_portal",
"exp"?Expiration — Unix timestamp after which the token is invalid:1562266216,
"iat"?Issued At — Unix timestamp when the token was created:1562262616,
"may_act":{"sub"?Subject — who or what the token is about:"bob"
}
}

sig: mock_sig_admin…

Impersonated Tokenat+jwt

Header

{"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"at+jwt",
"alg":"HS256"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://auth.example.com",
"sub"?Subject — who or what the token is about:"bob",
"aud"?Audience — which party should accept this token:"api",
"exp"?Expiration — Unix timestamp after which the token is invalid:1562266216,
"iat"?Issued At — Unix timestamp when the token was created:1562262616
}

sig: mock_sig_impersonated…