Token Exchange does not support id_token token type

[banterCZ]

Spring Authorization Server supports the Exchange Token feature; introduced in #60

According to RFC 8693, the token type id_token is valid, but not supported by OAuth2TokenExchangeAuthenticationConverter, which accepts only jwt and access_token.

Moreover, the class is final without any extension points. Right now, the whole AuthenticationConverter has to be implemented.

The same situation is for OAuth2TokenExchangeAuthenticationProvider, that always issues an access token.

I already asked at StackOverflow, but it seems that it is more of a feature request than just a question.

[jgrandja]

@banterCZ Please note that the initial implementation of OAuth 2.0 Token Exchange was intentionally implemented with minimal capability, hence the reason why id_token is not currently supported. Our goal for the initial implementation was to implement the use cases defined in Appendix A. Additional Token Exchange Examples.

Unfortunately, there were no examples provided for id_token and it wasn't clear to us how this would be used in the wild.

Our plan is to expand the support as we discover real-world use cases from our users.

We're open to enhancements, but we first need to understand the use case. Can you please provide details on your use case and the reason why you would need to exchange an id_token?

[banterCZ]

The main idea was to exchange a long-lived id_token for another id_token of limited scope. Adding @zcgandcomp too the loop.

[jgrandja]

@banterCZ

The main idea was to exchange a long-lived id_token for another id_token of limited scope

I'll need more detail as this doesn't appear to be a valid use case at this point.

FYI, if you need a shorter-lived id_token then you can override the default 30 mins as mentioned in this comment.

... for another id_token of limited scope

What do you mean by limited scope? Please provide specific details for your use case.

[itanxiao]

This is the issue I submitted, but it was closed.
#1866

[jgrandja]

@chenzhenjia I don't see how gh-1866 is related to this issue? The UserInfo endpoint accepts an access token NOT an ID Token. This issue is specific to exchanging an ID Token. If you have further comments, please comment in gh-1866.