Token Exchange with 2 Authorization Servers

I have created two custom authorization servers. I request a token using the react-native SDK with an openid scope. I then use the access token from here and attempt to exchange that token for an access token from my second auth server. I am trying to add an access policy that should prevent a user from receiving an access token if they are not a member of a particular group, but I am receiving the token every time. It doesn't seem to evaluate claims properly, either. Is this a limitation, or am I doing something wrong? Everything else is working as it should be, and I receive a token with the correct expiration; I just shouldn't always be receiving it based on my user's groups. Any help is appreciated.

Hello,

Are you using the On-Behalf-Of token exchange flow?

This is intended to be used by service applications, and the evaluations that usually happen during the authorize call won't happen.

Trying to set up claims based on the user context will not work either.

You might add a request to https://ideas.okta.com to look into extending this flow.

*If adding additional claims is needed, a token inline hook can be used. Additional claims can be added as needed.

Thank You,

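As an added example (not code from either poster, and not Okta's own code), here is a minimal handler for the token inline hook the reply mentions. It reads the user id out of the hook request, looks up that user's groups, and either patches a `groups` claim into the access token or returns an error object so the token is not issued. Assumptions, all labelled in the code: the request and response shapes follow Okta's documented token inline hook format (`data.context.user.id`, a `com.okta.access.patch` command carrying JSON Patch operations, and an `error` object to deny issuance; check against the current docs before relying on it), the group membership table is constructed sample data standing in for a real Groups API lookup, and the user ids and group name `api-consumers` are made up for the example.

```python
import json

# Constructed sample data. A real hook would call the Okta Groups API with
# the user id from the request instead of reading this dictionary.
GROUP_MEMBERSHIP = {
    "00u1example": ["Everyone", "api-consumers"],  # made-up user id
    "00u2example": ["Everyone"],                   # made-up user id
}

# Group required to receive a token from the second authorization server
# (hypothetical group name for the example).
REQUIRED_GROUP = "api-consumers"


def lookup_groups(user_id):
    """Stand-in for a Groups API call; returns the user's group names."""
    return GROUP_MEMBERSHIP.get(user_id, [])


def handle_token_hook(body, required_group=REQUIRED_GROUP):
    """Build the JSON response for one token inline hook request.

    `body` is the hook request as a JSON string or already-parsed dict.
    Returns a dict: either {"commands": [...]} adding a groups claim, or
    {"error": {...}} to deny the token (assumption: an error object makes
    Okta refuse to mint the token; verify against the docs).
    """
    req = json.loads(body) if isinstance(body, str) else body
    user = req.get("data", {}).get("context", {}).get("user", {})
    user_id = user.get("id")

    # Token exchange for a service app may carry no user context at all;
    # treat that as a denial rather than issuing a token with no claims.
    if not user_id:
        return {"error": {"errorSummary": "hook request carried no user context"}}

    groups = lookup_groups(user_id)
    if required_group not in groups:
        return {
            "error": {
                "errorSummary": f"user is not a member of {required_group}",
                "errorCauses": [{"errorSummary": "group membership required"}],
            }
        }

    # Add the groups claim via a JSON Patch on the access token.
    return {
        "commands": [
            {
                "type": "com.okta.access.patch",
                "value": [{"op": "add", "path": "/claims/groups", "value": groups}],
            }
        ]
    }


# Constructed hook requests, trimmed to the fields this handler reads.
SAMPLE_MEMBER = json.dumps({"data": {"context": {"user": {"id": "00u1example"}}}})
SAMPLE_NON_MEMBER = json.dumps({"data": {"context": {"user": {"id": "00u2example"}}}})
SAMPLE_NO_USER = json.dumps({"data": {"context": {}}})

if __name__ == "__main__":
    for sample in (SAMPLE_MEMBER, SAMPLE_NON_MEMBER, SAMPLE_NO_USER):
        print(json.dumps(handle_token_hook(sample)))
```

The handler is deliberately fail-closed: any request without a user id, or whose user is outside the required group, gets an error rather than a token with an empty claim. Whether the error path actually blocks issuance in your tenant is the first thing to confirm, since that is the behaviour the original question depends on.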