feat(core): support access token exchange for service-to-service delegation #8124
+725
−111
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…delegation Add support for exchanging JWT access tokens as subject tokens in the token exchange grant. This enables service-to-service delegation where a service can exchange a user's JWT access token for a new token with different permissions. Key changes: - Add new subject_token_type: urn:ietf:params:oauth:token-type:jwt - Verify JWT tokens using the issuer's JWK set - JWT tokens are not consumption-tracked (can be reused multiple times) - Feature is guarded by isDevFeaturesEnabled flag
COMPARE TO
|
| Name | Diff |
|---|---|
| .changeset/kind-eels-march.md | 📈 +907 Bytes |
| packages/core/src/oidc/grants/token-exchange/account.ts | 📈 +4.24 KB |
| packages/core/src/oidc/grants/token-exchange/index.test.ts | 📈 +7.75 KB |
| packages/core/src/oidc/grants/token-exchange/index.ts | 📈 +167 Bytes |
| packages/core/src/oidc/grants/token-exchange/types.ts | 📈 +689 Bytes |
| packages/integration-tests/src/tests/api/oidc/token-exchange/access-token-exchange.test.ts | 📈 +6.32 KB |
| packages/integration-tests/src/tests/api/oidc/token-exchange/actor-token.test.ts | 📈 +5.6 KB |
| packages/integration-tests/src/tests/api/oidc/token-exchange/index.test.ts | 📈 +3.26 KB |
- Replace positional arguments with a single object parameter - Pass specific jwtVerificationOptions instead of entire envSet - Rename 'type' to 'subjectTokenType' for clarity
simeng-li
reviewed
Dec 30, 2025
- Use `urn:ietf:params:oauth:token-type:access_token` for both opaque and JWT tokens - Add `urn:logto:token-type:impersonation_token` for explicit impersonation token handling - Support backward compatibility: tokens starting with `sub_` are treated as impersonation tokens - Token validation order: legacy impersonation → opaque (via AccessToken.find) → JWT verification - Rename integration test file to reflect broader access token support
wangsijie
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR implements access token exchange for service-to-service delegation using the standard RFC 8693 token type.
Key Changes:
Use standard
urn:ietf:params:oauth:token-type:access_tokenfor receiving access tokens in token exchangeAccessToken.find()Add new
urn:logto:token-type:impersonation_tokenfor explicit impersonation token handlingsub_prefix are still supported for backward compatibilityToken validation order (for
access_tokentype):sub_prefix → treat as legacy impersonation token (backward compatibility)Access tokens are not consumption-tracked - the same token can be exchanged multiple times (e.g., by different services)
Feature is guarded by
isDevFeaturesEnabledflagFiles Changed:
ImpersonationTokentypeAccessTokenclass and JWT verification optionsTest plan
sub_prefixed tokens