This project is no longer being actively maintained.

FARFETCH has decided to archive this project. As an alternative, you can find an example in Duende documentation.

We won't be accepting pull requests or responding to issues for this project anymore. Thank you for your understanding.

This framework extends Duende Identity Server capabilities by implementing support for Token Exchange following the specifications defined in the RFC 8693 - OAuth 2.0 Token Exchange.

Currently, only a partial implementation of the RFC is available with focus on the security token delegation:

• Token Exchange Delegation semantics;
• Supported request parameters: subject_token, actor_token, subject_token_type, actor_token_type;
  • subject_token_type and actor token types are limited to urn:ietf:params:oauth:token-type:access_token;

• Token Exchange Impersonation semantics;
• requested_token_type is not supported and therefore ignored
• may_act claim is not supported

• client_act claim: The prefix client_ is added to the act claim in the response when a delegation is performed and the subject token only contains client details and no subject. This prefix is only added if your IdentityServer is configured to add the prefix "client_" to the Client claim.

This framework consists of a nuget package designed to be installed and used together with an authentication server using Duende Identity Server.

• It requires an authentication server built with Duende Identity Server >= 6.0.0

For you to able to start using the Token Exchange framework, you first need to install packages in your project. You can do it via NuGet Package Manager via the interface or the console.

PM> Install-Package IdentityServer.Contrib.TokenExchange

The TokenExchange Framework provides a set of configurations that can be defined in the register of the framework. This configurations allows us to configure:

• ActorClaimsToInclude: Sets the claims that must be in the Actor token;
• ActorClaimsBlacklist: Sets a blacklist of claims that if they are found in the Actor Token the token will not be accepted;
• SubjectClaimsToExclude: Sets a list of claims that will be excluded from the resulting token of the exchange;

var tokenExchangeOptions = new TokenExchangeOptions
            {
                ActorClaimsToInclude = new List<string> { TokenExchangeConstants.ClaimTypes.TenantId },
                ActorClaimsBlacklist = new List<string> { JwtClaimTypes.Subject },
                SubjectClaimsToExclude = new List<string> { JwtClaimTypes.AuthenticationMethod }
            };
	...
	...

services.AddTokenExchange(tokenExchangeOptions);

To build a package of Token Exchange framework locally, you can use the following commands:

dotnet build
dotnet pack

After the execution of the commands above a new package will be created at src\IdentityServer.Contrib.TokenExchange\bin\Debug\IdentityServer.Contrib.TokenExchange.2.0.0.nupkg

How to run the automated tests:

dotnet test

• Dotnet Core
• Duende Identity Server

Describe the restrictions and Cautions around this project

• PII Compliance
• GDPR Compliance

See Changelog

Read the Contributing guidelines

By sending us your contributions, you are agreeing that your contribution is made subject to the terms of our Contributor Ownership Statement

List of Maintainers

MIT