Implement Impersonation and Delegation Tokens (RFC8693) #1471
https://fusionauth.io/docs/v1/tech/apis/jwt/#issue-a-jwt
Problem
FusionAuth does not support the RFC method of exchanging one OAuth 2.0 token for another for impersonation or delegation tokens. These are designed to support the use case of "Service A is calling Service B" either "as user A" (impersonation) or "as ServiceA on behalf of User A" (delegation).
This is a common need in a microservice architecture where each application may be its own OAuth application but systems want to call each other passing along the information.
Solution
Both of these cases are covered in RFC8693.
Alternatives/workarounds
Today, one can call the FusionAuth-specific Issue JWT endpoint for the impersonation case, but I'm not aware of a direct solution for delegation without rolling it out with a custom JWT via the Vend a JWT endpoint.
Other alternatives:
Additional context
n/a
Related
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
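The two RFC 8693 cases named in the Problem section, as an added illustration that is not part of the original issue and not FusionAuth code: the request parameters and the `act` claim come from RFC 8693, while the function names, service names and sample claims are constructed for this example.

```python
# Added illustration of RFC 8693; not FusionAuth code or a FusionAuth API.
from urllib.parse import urlencode

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS = "urn:ietf:params:oauth:token-type:access_token"


def exchange_request(subject_token, audience, actor_token=None):
    """Form body for an RFC 8693 token-exchange POST to a token endpoint.

    Omitting actor_token is the usual impersonation request; supplying it
    names the acting party for delegation. Server policy has the final say.
    """
    params = {
        "grant_type": GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS,
        "audience": audience,
    }
    if actor_token is not None:
        # RFC 8693 s2.1: actor_token_type is required when actor_token is sent.
        params["actor_token"] = actor_token
        params["actor_token_type"] = ACCESS
    return urlencode(params)


def actor_chain(claims):
    """Return actors from the "act" claim, current actor first (RFC 8693 s4.1)."""
    chain, act = [], claims.get("act")
    while act is not None:
        if not isinstance(act, dict) or not isinstance(act.get("sub"), str):
            raise ValueError("malformed act claim")
        chain.append(act["sub"])
        act = act.get("act")
    return chain


def describe(claims):
    """Classify already-verified JWT claims as seen by Service B."""
    chain = actor_chain(claims)
    if not chain:
        return f"{claims['sub']} (no actor: direct or impersonation token)"
    return f"{chain[0]} acting for {claims['sub']}"


# Constructed sample claims (hypothetical names), as Service B would see them.
IMPERSONATION = {"sub": "user-a", "aud": "service-b"}
DELEGATION = {"sub": "user-a", "aud": "service-b", "act": {"sub": "service-a"}}
```

With an impersonation token Service B cannot tell Service A's call apart from the user's own unless other claims identify the client, which matters for audit logging; RFC 8693 treats nested prior actors as informational only, so authorization decisions should use the outermost actor.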