
boost-backend — Token exchange via RFC 8693 per-user identity delegation (issue 13 of 15) #3309

@gabemontero

Description

Labels: ready-to-code
Depends on: Issue 11

Implement TokenExchangeManager for per-user Kagenti identity delegation via RFC 8693 OAuth2 Token Exchange, with graceful fallback to service-account token on all failures.

Tasks

From openspec/changes/security-safety-governance/tasks.md section 7:

  • 7.1 Create TokenExchangeManager implementing RFC 8693
  • 7.2 Add per-user token caching with TTL from token expiry
  • 7.3 Add concurrent exchange deduplication
  • 7.4 Add graceful fallback to service-account token
  • 7.5 Add config schema: boost.kagenti.auth.tokenExchange.*
  • 7.6 Integrate into KagentiApiClient.requestCore()
  • 7.7 Extract user OIDC token from configurable request header

Specifications

  • openspec/changes/security-safety-governance/specs/access-control/spec.md — Token exchange scenarios
  • openspec/changes/security-safety-governance/design.md — Decision 4 (backend-only with graceful fallback)
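The seven tasks above describe one component, so here is a single worked sketch of how they fit together. This is an added example, not code from boost-backend or from the openspec change; the class and method names, the config field names, the `x-forwarded-access-token` header, the `delegated:<subject>` token format and the `fakeIdp()` token endpoint are all assumptions made for the illustration. What it does show faithfully is the RFC 8693 request shape (grant type, `subject_token`, `subject_token_type`, `requested_token_type`, `audience`), a cache whose TTL comes from the response's `expires_in`, coalescing of concurrent exchanges for the same subject token, header extraction, and a fallback that is never cached so a transient IdP failure does not pin a user to the service-account identity.

```typescript
import { createHash } from 'crypto';

// URNs defined by RFC 8693 (sections 2.1 and 3).
const TOKEN_EXCHANGE_GRANT = 'urn:ietf:params:oauth:grant-type:token-exchange';
const ID_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:id_token';
const ACCESS_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:access_token';

interface TokenExchangeConfig {           // assumed shape of boost.kagenti.auth.tokenExchange.*
  tokenEndpoint: string;                  // IdP token endpoint
  clientId: string;
  clientSecret: string;
  audience: string;                       // resource server the exchanged token is minted for
  userTokenHeader: string;                // task 7.7: header carrying the user's OIDC token
  serviceAccountToken: string;            // task 7.4: fallback credential
  defaultTtlSeconds?: number;             // used when the IdP omits expires_in
  clockSkewSeconds?: number;              // cache entries expire this much early
}
interface ExchangeResponse { access_token?: string; issued_token_type?: string; expires_in?: number }
type RequestHeaders = Record<string, string | string[] | undefined>;
// Minimal fetch-like shape so the example runs against the constructed fake IdP below.
type TokenFetch = (url: string, form: URLSearchParams) => Promise<{ status: number; json(): Promise<ExchangeResponse> }>;

class TokenExchangeManager {
  private readonly cache = new Map<string, { token: string; expiresAt: number }>();
  private readonly inFlight = new Map<string, Promise<string>>();

  constructor(
    private readonly cfg: TokenExchangeConfig,
    private readonly doFetch: TokenFetch,
    private readonly now: () => number = () => Date.now(),   // injectable clock for TTL tests
  ) {}

  // Task 7.7: read the configured header, tolerating a "Bearer " prefix and Node's lower-cased names.
  extractUserToken(headers: RequestHeaders): string | undefined {
    const raw = headers[this.cfg.userTokenHeader] ?? headers[this.cfg.userTokenHeader.toLowerCase()];
    const token = (Array.isArray(raw) ? raw[0] : raw)?.replace(/^Bearer\s+/i, '').trim();
    return token || undefined;
  }

  // Tasks 7.4/7.6: the call requestCore() would make. Every failure degrades to the service-account
  // token; the fallback itself is never cached, so the next request tries delegation again.
  async resolveToken(headers: RequestHeaders): Promise<{ token: string; delegated: boolean }> {
    const userToken = this.extractUserToken(headers);
    if (!userToken) return { token: this.cfg.serviceAccountToken, delegated: false };
    try {
      return { token: await this.exchange(userToken), delegated: true };
    } catch {
      return { token: this.cfg.serviceAccountToken, delegated: false };
    }
  }

  // Tasks 7.2/7.3: cache keyed by a digest of the exact subject token the IdP accepted. Keying by an
  // unverified claim such as `sub` would let a forged token receive another user's cached delegation
  // without the IdP ever seeing it.
  async exchange(userToken: string): Promise<string> {
    const key = createHash('sha256').update(userToken).digest('hex');
    const hit = this.cache.get(key);
    if (hit && hit.expiresAt > this.now()) return hit.token;
    const pending = this.inFlight.get(key);
    if (pending) return pending;            // coalesce concurrent exchanges for the same subject token
    const p = this.exchangeAndCache(userToken, key);
    this.inFlight.set(key, p);
    try { return await p; } finally { this.inFlight.delete(key); }
  }

  private async exchangeAndCache(userToken: string, key: string): Promise<string> {
    const res = await this.performExchange(userToken);
    const token = res.access_token as string;
    // TTL from the IdP's expires_in, shortened by the skew allowance; too-short lifetimes are not cached.
    const ttl = (res.expires_in ?? this.cfg.defaultTtlSeconds ?? 60) - (this.cfg.clockSkewSeconds ?? 30);
    if (ttl > 0) this.cache.set(key, { token, expiresAt: this.now() + ttl * 1000 });
    return token;
  }

  // Task 7.1: the RFC 8693 request (client_secret_post shown; HTTP Basic client auth is the alternative).
  private async performExchange(userToken: string): Promise<ExchangeResponse> {
    const form = new URLSearchParams({
      grant_type: TOKEN_EXCHANGE_GRANT,
      subject_token: userToken,
      subject_token_type: ID_TOKEN_TYPE,
      requested_token_type: ACCESS_TOKEN_TYPE,
      audience: this.cfg.audience,
      client_id: this.cfg.clientId,
      client_secret: this.cfg.clientSecret,
    });
    const res = await this.doFetch(this.cfg.tokenEndpoint, form);
    if (res.status !== 200) throw new Error(`token exchange failed: HTTP ${res.status}`);
    const body = await res.json();
    if (typeof body.access_token !== 'string' || body.access_token.length === 0) {
      throw new Error('token exchange response has no access_token');
    }
    return body;
  }
}

// Constructed fake IdP for offline runs: accepts any subject token except "revoked" and counts calls.
function fakeIdp(): { doFetch: TokenFetch; calls: () => number } {
  let n = 0;
  const doFetch: TokenFetch = async (_url, form) => {
    n++;
    const sub = form.get('subject_token');
    const bad = form.get('grant_type') !== TOKEN_EXCHANGE_GRANT || sub === 'revoked';
    return {
      status: bad ? 400 : 200,
      json: async () => (bad ? {} : { access_token: `delegated:${sub}`, issued_token_type: ACCESS_TOKEN_TYPE, expires_in: 300 }),
    };
  };
  return { doFetch, calls: () => n };
}
```

Two design points worth keeping when the real implementation lands. First, a rejected exchange propagates to every caller that was coalesced onto the same in-flight promise, so all of them fall back together rather than some retrying mid-flight; the `inFlight` entry is cleared in `finally` so the next request starts a fresh exchange. Second, the cache holds exchanged tokens in process memory regardless of how it is keyed, so the digest key only avoids keeping the user's own OIDC token around as a second secret; it is not a substitute for bounding the cache size and evicting on expiry.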
