Enhance OAuth2TokenExchangeAuthenticationProvider to support additional trusted issuers

[joshuawhite929]

Expected Behavior
OAuth2TokenExchangeAuthenticationProvider should be enhanced to support subject/actor tokens from other trusted issuers

Current Behavior
Today, OAuth2TokenExchangeAuthenticationProvider validates/authorizes the subject/actor token by looking for the JWT in the configured OAuth2AuthorizationService. Additional trusted issuers are not supported in the current implementation.

Context
The current OAuth2TokenExchangeAuthenticationProvider constrains token exchange process to a single IDP. I believe the spirit of RFC 8693 is to also enable token exchange across security domains.

If this is something that the team is willing to support, I have a working example of how OAuth2TokenExchangeAuthenticationProvider could be modified to support this need.

CC: @sjohnr , @jgrandja

[sjohnr]

@joshuawhite929

The current OAuth2TokenExchangeAuthenticationProvider constrains token exchange process to a single IDP. I believe the spirit of RFC 8693 is to also enable token exchange across security domains.

Can you please say more about why you feel the current provider constrains token exchange? Have you explored adding additional parameters to the request? What would be needed that isn't currently possible to support multiple IdPs?

[sjohnr]

Apologies @joshuawhite929 if my above response is confusing, I was thinking about this from the Spring Security (client) side. Please feel free to share any supporting information or an example you are thinking about for supporting multiple IdPs on the server side. However, please consider that the initial implementation was intentionally limited to a single IdP so we could have more conversation prior to targeting more advanced features such as this one.

[joshuawhite929]

I am definitely interested in the server side piece of this. I am currently on vacation and will be back with more detailed comments on Friday.

[joshuawhite929]

My companies OSS process is taking longer than I anticipated. Would you prefer to wait or close this issue and have me open another when ready?

[sjohnr]

Hi @joshuawhite929.

Would you prefer to wait or close this issue and have me open another when ready?

That depends I suppose. You wouldn't need to provide anything specific to your internal environment, I am just looking for some details on a use case at a high (e.g. abstract) level. In the opening comment you mention:

Additional trusted issuers are not supported in the current implementation.

If you can add more clarity around the details of what you're requesting here (a specific use case), that would be helpful since I'm not sure I have enough information from that statement to determine what enhancement would be targeted by this issue. If you feel you're unable to provide additional details at the moment, then I think we should close this ticket for now as I feel it is not actionable. Does that make sense?