OAuth 2.0 Token Exchange Grant Type (On-Behalf-Of flow)

sami · October 26, 2021, 9:16pm

Does Okta support the Token Exchange grant type?
The Token Exchange grant type is a draft protocol that allows one user to act on behalf of another.

For Example:
The following example demonstrates a hypothetical token exchange in
which an OAuth resource server assumes the role of the client during
the exchange. It trades an access token, which it received in a
protected resource request, for a new token, that it will use to call
to a backend service.

POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Authorization: Basic cnMwODpsb25nLXNlY3VyZS1yYW5kb20tc2VjcmV0
Content-Type: application/x-www-form-urlencoded
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
&resource=https%3A%2F%2Fbackend.example.com%2Fapi
&subject_token=accVkjcJyb4BWCxGsndESCJQbdFMogUC5PbRDqceLTC
&subject_token_type=
urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token

Let me know if Okta is considering implementing this flow

References:

Cale · October 27, 2021, 12:54pm

Hello - the best answer I can give you right now is…soon. I said best, not great!

You can see on our public roadmap that the targeted early access release is the second half of this year:

https://support.okta.com/help/s/productroadmap?language=en_US

There’s nothing to suggest we aren’t on pace for this schedule, but we currently can’t provide a definitive date or timeline.

sami · October 27, 2021, 5:15pm

Thanks, Cale.
This is really helpful.
I am glad that Okta is considering implementing the Token Exchange grant type (On-Behalf-Of flow).

sami · January 14, 2022, 12:03am

@Cale any updates?

Just want to know the status of the Token Exchange grant type (On-Behalf-Of-flow)

andrea · January 18, 2022, 7:30pm

The only information we can share is the same details as in the Product Roadmap link Cale shared above. If you have further questions or concerns about this support, we recommend reaching out to your Okta Account Manager or, if you have one assigned, Customer Success Manager.

GenericUserName · March 31, 2022, 7:53pm

Hello. It would appear that this is in early access. Do I just need to request to opt into this program ?

andrea · April 1, 2022, 7:10pm

Please reach out to your Customer Success Manager or Account Manager to check the status of this so you can see when you can start using it.

system · April 2, 2022, 7:10pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.