CIAM.wiki

Token Exchange

Token exchange is an OAuth 2.0 extension that lets a client trade one security token for another, enabling delegation and impersonation scenarios where a service acts on a user's behalf across trust boundaries.

Also: oauth token exchange

Token exchange defines a standard way for a client to present one token to the authorization server and receive a different one in return. The request specifies the subject token being exchanged and, optionally, an actor token representing the service performing the exchange.

The mechanism supports two main patterns. In delegation, a service receives a token that records both the original user and the service acting on their behalf. In impersonation, the service receives a token that looks as if it came directly from the user, with no trace of the intermediary.

A frequent use is service-to-service calls in a microservice architecture. A front-end service holding a user’s access token can exchange it for a narrower token scoped to a specific downstream API, limiting how far the original token can travel.

For CIAM, token exchange enables backend services to act on a customer’s behalf without sharing or over-scoping the customer’s original token, supporting least-privilege access across an internal service mesh.
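The following is an added example, not code from CIAM.wiki, showing the token-endpoint side of the exchange described above. It uses the grant type, token-type identifiers, `subject_token`/`actor_token` parameters and the `act` claim defined in RFC 8693 for OAuth 2.0 token exchange; everything else is an assumption for the demo: an HMAC-signed (HS256) JWT instead of a production signing key, a constructed `EXCHANGE_POLICY` that says which downstream audiences and scopes each client may request, a `client_id` passed in as if the client had already authenticated to the token endpoint, and constructed user and service tokens. The exchange narrows audience and scope and never outlives the subject token; presenting an actor token yields a delegation token carrying `act`, omitting it yields an impersonation token with no trace of the intermediary.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real authorization server would use an asymmetric key pair.
SIGNING_KEY = b"constructed-demo-signing-key"
AS_ISSUER = "https://idp.example"  # constructed issuer

# Identifiers defined by RFC 8693.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed policy: downstream audiences and scopes each client may ask for.
EXCHANGE_POLICY = {"svc-frontend": {"orders-api": {"orders:read"}}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWS, just enough to make the demo tokens verifiable."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_jwt(token: str, now: int) -> dict:
    """Checks signature and expiry; raises ValueError on any failure."""
    header, payload, sig = token.split(".")
    mac = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def token_exchange(client_id: str, params: dict, now: Optional[int] = None) -> dict:
    """Token-endpoint handling for the token-exchange grant.

    client_id is the client that authenticated to the token endpoint (assumed
    already verified); params are the form parameters of the request.
    Returns an OAuth token response or an OAuth error object.
    """
    now = int(time.time()) if now is None else now
    if params.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    if params.get("subject_token_type") != ACCESS_TOKEN_TYPE:
        return {"error": "invalid_request"}
    try:
        subject = verify_jwt(params["subject_token"], now)
    except (KeyError, ValueError):
        return {"error": "invalid_grant"}
    if "sub" not in subject:
        return {"error": "invalid_grant"}

    # Narrow the audience: the new token is only good for the named downstream API.
    audience = params.get("audience")
    allowed_scopes = EXCHANGE_POLICY.get(client_id, {}).get(audience)
    if allowed_scopes is None:
        return {"error": "invalid_target"}

    # Narrow the scope: never exceed what the subject token or the policy grants.
    subject_scopes = set(subject.get("scope", "").split())
    requested = set(params.get("scope", "").split()) or subject_scopes
    scopes = requested & subject_scopes & allowed_scopes
    if not scopes:
        return {"error": "invalid_scope"}

    claims = {
        "iss": AS_ISSUER,
        "sub": subject["sub"],  # the original user remains the subject
        "aud": audience,
        "scope": " ".join(sorted(scopes)),
        "iat": now,
        "exp": min(subject["exp"], now + 300),  # never outlive the subject token
    }
    # Delegation: an actor token is presented, so the service is recorded in "act".
    # Impersonation: no actor token, so the new token carries no trace of it.
    if "actor_token" in params:
        if params.get("actor_token_type") != ACCESS_TOKEN_TYPE:
            return {"error": "invalid_request"}
        try:
            actor = verify_jwt(params["actor_token"], now)
        except ValueError:
            return {"error": "invalid_grant"}
        claims["act"] = {"sub": actor.get("sub")}

    return {
        "access_token": sign_jwt(claims),
        "issued_token_type": ACCESS_TOKEN_TYPE,
        "token_type": "Bearer",
        "expires_in": claims["exp"] - now,
        "scope": claims["scope"],
    }


def demo(now: int = 1_700_000_000) -> tuple:
    """Runs one delegation and one impersonation exchange over constructed tokens."""
    user_token = sign_jwt({"iss": AS_ISSUER, "sub": "user-42", "aud": "frontend",
                           "scope": "orders:read orders:write profile", "exp": now + 3600})
    service_token = sign_jwt({"iss": AS_ISSUER, "sub": "svc-frontend", "aud": AS_ISSUER,
                              "exp": now + 3600})
    base = {"grant_type": TOKEN_EXCHANGE_GRANT, "subject_token": user_token,
            "subject_token_type": ACCESS_TOKEN_TYPE, "audience": "orders-api",
            "scope": "orders:read orders:write"}
    delegated = token_exchange("svc-frontend", {**base, "actor_token": service_token,
                                                "actor_token_type": ACCESS_TOKEN_TYPE}, now)
    impersonated = token_exchange("svc-frontend", base, now)
    return verify_jwt(delegated["access_token"], now), verify_jwt(impersonated["access_token"], now)


if __name__ == "__main__":
    for label, claims in zip(("delegation", "impersonation"), demo()):
        print(label, json.dumps(claims, indent=2))
```

Running the module prints both issued tokens' claims: the delegation token names `user-42` as `sub` and `svc-frontend` under `act`, while the impersonation token is indistinguishable from one issued to the user directly. In both cases the requested `orders:write` is dropped because the policy only permits `orders:read` for that audience, and `exp` is capped at five minutes, which is the "narrower token" the article describes.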

Sources