OAuth 2.0 Token Exchange Grant Type (On-Behalf-Of flow)

Does Okta support the Token Exchange grant type?
The Token Exchange grant type is a draft protocol that allows one user to act on behalf of another.

For example:
The following example demonstrates a hypothetical token exchange in
which an OAuth resource server assumes the role of the client during
the exchange. It trades an access token, which it received in a
protected resource request, for a new token, that it will use to call
to a backend service.

POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Authorization: Basic cnMwODpsb25nLXNlY3VyZS1yYW5kb20tc2VjcmV0
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
&resource=https%3A%2F%2Fbackend.example.com%2Fapi
&subject_token=accVkjcJyb4BWCxGsndESCJQbdFMogUC5PbRDqceLTC
&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token

Let me know if Okta is considering implementing this flow.

References:
https://datatracker.ietf.org/doc/html/rfc8693
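
A server-side well-formedness check for the request shown above, as an added example that is not part of the original post or Okta's code: it applies the parameter rules of RFC 8693 section 2.1 to a form-encoded body. The function names are hypothetical, and rejecting token type identifiers outside the RFC's registered set is a local policy assumption.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_PREFIX = "urn:ietf:params:oauth:token-type:"
# Token type identifiers registered by RFC 8693, section 3
KNOWN_TOKEN_TYPES = {TOKEN_TYPE_PREFIX + t for t in
                     ("access_token", "refresh_token", "id_token", "saml1", "saml2", "jwt")}


def build_exchange_body(subject_token, subject_token_type, resource=None):
    """Form-encode the parameters of a token exchange request (hypothetical helper)."""
    params = {"grant_type": GRANT_TYPE, "subject_token": subject_token,
              "subject_token_type": subject_token_type}
    if resource is not None:
        params["resource"] = resource
    return urlencode(params)


def validate_exchange_request(body):
    """Return the RFC 8693 section 2.1 violations found (empty list = well-formed)."""
    parsed = parse_qs(body, keep_blank_values=True)
    errors = []
    # resource and audience may repeat; every other parameter must appear once.
    for name, values in parsed.items():
        if name not in ("resource", "audience") and len(values) > 1:
            errors.append(f"{name}: repeated parameter")
    p = {k: v[0] for k, v in parsed.items()}
    if p.get("grant_type") != GRANT_TYPE:
        errors.append("grant_type: not the token-exchange grant")
    for name in ("subject_token", "subject_token_type"):
        if not p.get(name):
            errors.append(f"{name}: required")
    # actor_token_type is required with actor_token and forbidden without it.
    if bool(p.get("actor_token")) != bool(p.get("actor_token_type")):
        errors.append("actor_token_type: must accompany actor_token, and only then")
    # Assumption (local policy): accept only the RFC-registered identifiers.
    for name in ("subject_token_type", "actor_token_type", "requested_token_type"):
        if p.get(name) and p[name] not in KNOWN_TOKEN_TYPES:
            errors.append(f"{name}: unrecognized token type identifier")
    for uri in parsed.get("resource", []):
        parts = urlsplit(uri)
        if not parts.scheme or parts.fragment:
            errors.append("resource: must be an absolute URI without a fragment")
    return errors


if __name__ == "__main__":
    # Values taken from the request in the post above.
    body = build_exchange_body("accVkjcJyb4BWCxGsndESCJQbdFMogUC5PbRDqceLTC",
                               TOKEN_TYPE_PREFIX + "access_token",
                               "https://backend.example.com/api")
    print(validate_exchange_request(body))
```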

Hello - the best answer I can give you right now is…soon. I said best, not great!

You can see on our public roadmap that the targeted early access release is the second half of this year:

https://support.okta.com/help/s/productroadmap?language=en_US

There’s nothing to suggest we aren’t on pace for this schedule, but we currently can’t provide a definitive date or timeline.


Thanks, Cale.
This is really helpful.
I am glad that Okta is considering implementing the Token Exchange grant type (On-Behalf-Of flow).