Add OAuth 2.0 Token Exchange (RFC 8693) to the supported OAuth flows#5428
Add OAuth 2.0 Token Exchange (RFC 8693) to the supported OAuth flows#5428cayetanobv wants to merge 1 commit into
Conversation
Adds a tokenExchange fixed field to the OAuth Flows Object, mirroring the deviceAuthorization pattern: tokenUrl required, scopes as for all flows. Includes the validation schema addition and test fixtures. Refs discussion OAI#4807.
…catalogs Repurposes this proposal after the upstream agreement: the vending step is standardized upstream (OAI/OpenAPI-Specification#5428 mirrored by stac-extensions/authentication#44), so Portolan adopts the Authentication extension wholesale instead of owning an access: namespace. - spec/extensions/authentication.md: profile note — two-step gated read (openIdConnect identity + oauth2/tokenExchange vending), fields used, client algorithm, chaining convention (pending upstream), validation rules, security considerations. - spec/examples/authentication-collection.json: gated collection with two schemes and two gated assets (GeoParquet + Iceberg metadata) on one exchange; validates against the v1.1.0 schema. - access: extension files removed (shape preserved in history as the recorded fallback).
|
@cayetanobv We will definitely look at this for 3.3, but there are two major things in flight that will need to settle first (just so you understand we're not ignoring you):
Things move rather slowly during the summer so it might be a while before we get to this, but we will respond once these other things are more clear. |
|
I converted this to a draft just to keep it out of our active todo list for now. We will revisit all open security concerns once the other things settle. |
|
Thanks @handrews, I'm glad to see the progress you're planning on security. I'd be happy to contribute to the new repository if you need any help. While you decide how to proceed with the outstanding security tasks in OpenAPI, we'll continue our authentication work on the STAC Authentication Extension and the Portolan project: |
This adds a
tokenExchangeflow to the OAuth Flows Object, as suggested by @ralfhandl in discussion #4807: a new fixed fieldtokenExchange, withtokenUrlrequired andscopesbehaving as for all other flows. It follows the pattern thedeviceAuthorizationflow established in 3.2.0, including the validation schema addition and test fixtures (schema tests pass, 99/99).Motivation: RFC 8693 token exchange is widely deployed (cloud STS endpoints, credential vending in data platforms), but until now there was no way to describe such an endpoint in an OpenAPI document — clients always knew it out of band (SDKs, hardcoded config). The concrete need driving this: geospatial data catalogs (STAC), where generic clients discover APIs at runtime from description documents and need to know where to exchange an identity token for scoped storage credentials. The STAC Authentication extension (which follows OpenAPI's security schemes) plans to mirror this flow once it is drafted here — see the discussion with a STAC Authentication maintainer in portolan-sdi/portolan-cli#551.
Deliberately minimal: no description fields for
subject_token/requested_token_typeetc. — those are runtime request parameters defined by the RFC, not description-level configuration, mirroring how the device flow's spec text doesn't describedevice_code.Remark: Per the project AI policy, AI tooling was used for research and drafting; I reviewed and take responsibility for all content.
Thanks!
Cayetano Benavent.