Nikos Sklikas

23 comments of Nikos Sklikas

This PR has several problems: - As @c00kiemon5ter pointed out, this uses the eidas RequestedAttributes extension and not the SAML2 extension (http://docs.oasis-open.org/security/saml-protoc-req-attr-req/v1.0/saml-protoc-req-attr-req-v1.0.html). So perhaps it should be moved to the eidas...

I have worked on the aforementioned problems, here are a couple of notes on the changes: - The operator will have to provide the attributes he wants to be requested, i.e.:...

The way I see it a token exchange request is an exchange between a token with a set of token_type/scope/resource/audience to a different token with another set of token_type/scope/resource/audience. The...

> it depends on STS policy. I'm quite reluctant to share a token between two clients. I'd see token exchange as a way that a Client has to obtain a...

@peppelinux something went wrong and you edited my comment instead of writing an answer. I will paste it here for now: > Yes, I've seen the British healthy system that...

> Do you think to give the access token to the user-agent and have it submitted by the user? No, but issuing a refresh token requires the user's consent,...

Ok, I'm blind. Thanks. With: > expose an STS endpoint that validates the access_token issued by ISS1 and exchanges it with an access_token issued by itself You mean that the...

So it will be

```json
{
  "token": {
    "path": "token",
    "class": "oidcop.oidc.token.Token",
    "kwargs": {
      "token_exchange": {
        "subject_token_types_supported": []  # A list of supported subject_token_types, if not defined then all token_types...
```

Run darker on this. Other than this LGTM. @rohe @peppelinux what do you think?

We merged this in our private fork, here are some things that need to be done: - Check that the new scopes are a subset of the allowed scopes for...
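The checks discussed in this thread (the `subject_token_types_supported` list from the config snippet above, the reluctance to let one client exchange another client's token, and the "new scopes must be a subset of the allowed scopes" item from the last comment) put together as an added example. This is example code written for this page, not oidcop's implementation: the `SubjectToken` fields, the `client_allowed_scopes` argument, the request dictionary layout and the audience-narrowing rule are assumptions made here.

```python
# Added example (not oidcop's own code): validating an RFC 8693 token-exchange
# request along the lines discussed above. The config key mirrors the snippet
# above (token_exchange.subject_token_types_supported, empty list = all types
# accepted); the SubjectToken fields, the client_allowed_scopes list and the
# audience narrowing rule are assumptions made for this example.
from dataclasses import dataclass

ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
REFRESH_TOKEN = "urn:ietf:params:oauth:token-type:refresh_token"

# Stand-in for the "token_exchange" kwargs in the config above (constructed values).
TOKEN_EXCHANGE_CONFIG = {"subject_token_types_supported": [ACCESS_TOKEN]}


@dataclass(frozen=True)
class SubjectToken:
    """What the STS knows about the presented token after verifying it.
    Field names are an assumption for this example."""
    token_type: str
    client_id: str        # client the token was issued to
    scope: frozenset      # scopes the token carries
    audience: frozenset   # audiences/resources the token is valid for
    expired: bool = False


class TokenExchangeError(ValueError):
    """Raised for a request the STS must refuse (an OAuth error response)."""


def validate_exchange(request, subject_token, client_allowed_scopes,
                      config=TOKEN_EXCHANGE_CONFIG):
    """Return the parameters of the token to issue, or raise TokenExchangeError.

    request: parsed form body of the token-exchange request (dict).
    client_allowed_scopes: scopes registered for the requesting client.
    """
    supported = config.get("subject_token_types_supported") or []
    if supported and request["subject_token_type"] not in supported:
        raise TokenExchangeError("unsupported subject_token_type")
    if subject_token.token_type != request["subject_token_type"]:
        raise TokenExchangeError("subject_token_type does not match the presented token")
    if subject_token.expired:
        raise TokenExchangeError("subject token is expired")

    # Assumed policy, following the reluctance above to share a token between
    # clients: only the client the token was issued to may exchange it.
    if request["client_id"] != subject_token.client_id:
        raise TokenExchangeError("subject token was issued to a different client")

    # Scopes: the new scopes must be a subset of the client's allowed scopes
    # (the check listed above) and of what the subject token already carried,
    # so an exchange can only narrow privileges. No scope = keep the token's.
    requested_scope = frozenset(request.get("scope", "").split()) or subject_token.scope
    if not requested_scope <= frozenset(client_allowed_scopes):
        raise TokenExchangeError("requested scope exceeds the client's allowed scopes")
    if not requested_scope <= subject_token.scope:
        raise TokenExchangeError("requested scope exceeds the subject token's scope")

    # Audience/resource: same narrowing rule (assumption for this example).
    requested_aud = frozenset(request.get("audience", [])) or subject_token.audience
    if not requested_aud <= subject_token.audience:
        raise TokenExchangeError("requested audience is not covered by the subject token")

    return {
        "token_type": request.get("requested_token_type", ACCESS_TOKEN),
        "scope": sorted(requested_scope),
        "audience": sorted(requested_aud),
    }


def demo():
    """Constructed sample: client_a narrows its own access token to one scope and audience."""
    token = SubjectToken(ACCESS_TOKEN, "client_a",
                         frozenset({"openid", "read", "write"}), frozenset({"api1", "api2"}))
    req = {"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
           "client_id": "client_a", "subject_token_type": ACCESS_TOKEN,
           "scope": "read", "audience": ["api1"]}
    return validate_exchange(req, token, ["openid", "read", "write"])


if __name__ == "__main__":
    print(demo())
```

Note that the ordering of the scope checks matters for the error a client sees but not for security: a request that widens the scope relative to either the client registration or the subject token is refused, and a request with no `scope` parameter simply inherits the subject token's scope rather than defaulting to everything the client may hold.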