openiddict-core
Implement built-in delegation/impersonation support (RFC8693)
The OAuth 2.0 token exchange specification - originally known as "OAuth 2.0 Token Exchange: an STS for the REST of us" - was finally standardized last year.
Note: OpenIddict 3.0 already supports the requirements brought by this specification (like being able to set multiple audience or resource parameters, which was explicitly disallowed in the original OAuth 2.0 specification), as they were already part of ASOS 2.0 and OpenIddict 2.0.
RFC: https://tools.ietf.org/html/rfc8693
Hi @kevinchalet, could you please explain how far this feature is from completion and what is required to complete it? I will most likely need this in my project soon; it would be great if it were supported out of the box in this awesome project.
Still no milestone?
The work required to implement delegation support was supposed to be funded by a company but they changed their mind and opted for a different approach so it's no longer on top of the list.
@kevinchalet Oh, I see. Could you tell us how much it would be if our company decided to sponsor that, and what the ETC would be then?
Any news on this?
@mzros nothing planned in the short term. That said, the demand is growing so I may consider implementing it at some point (maybe as a paid/sponsors-only feature?)
@kevinchalet I'm adding this support to our local version, at least the delegated / composite token. If there's interest, I'm happy to PR this later on.
{
  "iss": "https://localhost:7243/",
  "exp": 1709912220,
  "iat": 1709908620,
  "jti": "bd5e0594-716e-43e2-b9e2-893970408a64",
  "sub": "01HRF356DTZ1WFNR980P05B228",
  "act": {
    "sub": "console"
  },
  "oi_prst": "console",
  "client_id": "console",
  "oi_tkn_id": "e303d0dd-1519-4acf-b3f0-9e459e76f780"
}
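An added example, not part of the thread and not OpenIddict code: how a resource server might read the "act" claim of a delegated token like the one above, following RFC 8693 section 4.1 (only the outermost actor counts for access control; nested "act" claims are informational). It assumes the signature, issuer and expiry were already verified; the function names, NESTED sample, MAX_DEPTH cap and the requirement that each "act" carries a "sub" are assumptions of this sketch, and Python is used only so the example runs stand-alone.

```python
import json

# Subset of the payload from the comment above; NESTED is a constructed sample.
SAMPLE = json.loads("""{
  "iss": "https://localhost:7243/", "exp": 1709912220, "iat": 1709908620,
  "sub": "01HRF356DTZ1WFNR980P05B228",
  "act": {"sub": "console"},
  "client_id": "console"
}""")
NESTED = {"sub": "user-1", "act": {"sub": "api-b", "act": {"sub": "api-a"}}}

MAX_DEPTH = 8  # assumption: cap nesting so a hostile token cannot force a long walk


def delegation_chain(claims):
    """Return (subject, current_actor, prior_actors) from decoded, verified claims."""
    subject = claims.get("sub")
    if not isinstance(subject, str) or not subject:
        raise ValueError("missing 'sub'")
    actors, act = [], claims.get("act")
    while act is not None:
        # RFC 8693 section 4.1: the value of "act" is a JSON object.
        if not isinstance(act, dict):
            raise ValueError("'act' must be a JSON object")
        actor = act.get("sub")
        if not isinstance(actor, str) or not actor:  # policy assumption: require "sub"
            raise ValueError("'act' has no 'sub'")
        actors.append(actor)
        if len(actors) > MAX_DEPTH:
            raise ValueError("'act' chain too deep")
        act = act.get("act")
    if not actors:
        return subject, None, []  # no "act": not a delegation token
    return subject, actors[0], actors[1:]


def actor_allowed(claims, allowed_actors):
    """Access decision uses only the outermost actor; nested ones are informational."""
    _subject, actor, _prior = delegation_chain(claims)
    return actor is not None and actor in allowed_actors
```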
@codymullins thanks for reaching out! A company offered to fund that: it's very recent and we're still discussing the details (e.g. it's still unclear whether they want/need support in the client stack).
I'll let you know how it goes.