OAuth 2.0 Token Exchange Grant Type (On-Behalf-Of flow)

Does Okta support the Token Exchange grant type?
The Token Exchange grant type is a draft protocol that allows one user to act on behalf of another.

For example:
The following example demonstrates a hypothetical token exchange in
which an OAuth resource server assumes the role of the client during
the exchange. It trades an access token, which it received in a
protected resource request, for a new token, that it will use to call
to a backend service.

POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Authorization: Basic cnMwODpsb25nLXNlY3VyZS1yYW5kb20tc2VjcmV0
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
&resource=https%3A%2F%2Fbackend.example.com%2Fapi
&subject_token=accVkjcJyb4BWCxGsndESCJQbdFMogUC5PbRDqceLTC
&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token

Let me know if Okta is considering implementing this flow.

References:
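The token-exchange request quoted in the post above, checked the way an authorization server's token endpoint could check its shape before looking at the token itself. This is an added example, not part of the original post and not Okta's implementation; the function and class names are hypothetical, and the sample header and body are the post's own values with the display line breaks joined.

```python
import base64
from urllib.parse import parse_qs, unquote_plus

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"

# Request values copied from the post (body joined into one line).
SAMPLE_AUTHORIZATION = "Basic cnMwODpsb25nLXNlY3VyZS1yYW5kb20tc2VjcmV0"
SAMPLE_BODY = (
    "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange"
    "&resource=https%3A%2F%2Fbackend.example.com%2Fapi"
    "&subject_token=accVkjcJyb4BWCxGsndESCJQbdFMogUC5PbRDqceLTC"
    "&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token"
)

class TokenRequestError(Exception):
    """Carries an OAuth 2.0 error code (RFC 6749 section 5.2)."""
    def __init__(self, code, detail):
        super().__init__(f"{code}: {detail}")
        self.code = code

def parse_basic_client(authorization):
    """Return (client_id, client_secret) from an HTTP Basic header."""
    scheme, _, value = authorization.partition(" ")
    if scheme.lower() != "basic" or not value:
        raise TokenRequestError("invalid_client", "Basic auth required")
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        raise TokenRequestError("invalid_client", "malformed credentials") from None
    client_id, sep, secret = decoded.partition(":")
    if not sep or not client_id:
        raise TokenRequestError("invalid_client", "malformed credentials")
    return unquote_plus(client_id), unquote_plus(secret)

def parse_token_exchange(authorization, body):
    """Check the request's shape; validating the subject token comes after."""
    client_id, _secret = parse_basic_client(authorization)
    # keep_blank_values so "subject_token_type=" is seen as present but empty
    params = parse_qs(body, keep_blank_values=True)
    if any(len(values) != 1 for values in params.values()):
        raise TokenRequestError("invalid_request", "repeated parameter")
    flat = {name: values[0] for name, values in params.items()}
    if flat.get("grant_type") != GRANT_TYPE:
        raise TokenRequestError("unsupported_grant_type", "not a token exchange")
    for name in ("subject_token", "subject_token_type"):
        if not flat.get(name):
            raise TokenRequestError("invalid_request", f"missing {name}")
    return {"client_id": client_id, **flat}
```

The Basic header in the post decodes to the resource server's own client credentials, which is what makes it "the client" in this exchange; the caller's access token travels separately as `subject_token`.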

Hello - the best answer I can give you right now is…soon. I said best, not great!

You can see on our public roadmap that the targeted early access release is the second half of this year:

https://support.okta.com/help/s/productroadmap?language=en_US

There’s nothing to suggest we aren’t on pace for this schedule, but we currently can’t provide a definitive date or timeline.


Thanks, Cale.
This is really helpful.
I am glad that Okta is considering implementing the Token Exchange grant type (On-Behalf-Of flow).

@Cale any updates?

Just want to know the status of the Token Exchange grant type (On-Behalf-Of flow).

The only information we can share is the same details as in the Product Roadmap link Cale shared above. If you have further questions or concerns about this support, we recommend reaching out to your Okta Account Manager or, if you have one assigned, Customer Success Manager.

Hello. It would appear that this is in early access. Do I just need to request to opt into this program?

Please reach out to your Customer Success Manager or Account Manager to check the status of this so you can see when you can start using it.
