IdentityModel / IdentityModel.AspNetCore

ASP.NET Core helper library for claims-based identity, OAuth 2.0 and OpenID Connect.

Access Token Management: Plans for token exchange?

brentlyjdavid opened this issue · comments

Maybe this is outside the scope of the Access Token Management project, but are there any plans to handle token exchanges?

Scenario: BFF has a reverse proxy:

  • "localhost/api/users" => "remote/api/users"
  • "localhost/api/charts" => "remote/api/charts"

The first API requires "user_read", the second requires "charts_read", but the App doesn't allow that scope to be directly requested; it needs to have a delegated exchange prior to calling that API.

This is trying to mesh together your https://docs.duendesoftware.com/identityserver/v5/tokens/extension_grants/token_exchange/
with the reverse proxy, where normally I'd have to do this exchange myself prior to making the API call in the controllers. It would be amazing if this was somehow handled in the token management library too.

Are there plans to support such a situation? Like, on the mapping of the APIs, asking for scopes, and if they don't match, attempt an exchange for the new scope?

In the situation above, the APIs probably were previously behind a unified local API, for example, which would have had its own Client/Secret combo doing exchanges. The BFF library is super slick in making it not necessary to have that extra layer, but you miss out on token exchange opportunities unless you keep it.

Food for thought.

Thanks!
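The delegated exchange described in the issue, written out as an added example (this is not code from IdentityModel.AspNetCore or from the thread): the BFF takes the user's current access token from the session and asks the token endpoint, via the token-exchange grant the linked Duende docs describe, for a token carrying `charts_read` before forwarding the proxied call. The authority, client id, client secret and the `ChartsTokenExchanger` name are assumed placeholders.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

// Added example, not IdentityModel.AspNetCore code: exchange the user's BFF access
// token for a delegated token scoped to "charts_read" before forwarding the call.
public class ChartsTokenExchanger
{
    private const string TokenExchangeGrant = "urn:ietf:params:oauth:grant-type:token-exchange";
    private const string AccessTokenType = "urn:ietf:params:oauth:token-type:access_token";

    private readonly HttpClient _http;
    private readonly DiscoveryCache _disco;   // caches the authority's discovery document
    private readonly string _clientId, _clientSecret;

    // authority/clientId/clientSecret are assumed placeholders for the BFF's own registration.
    public ChartsTokenExchanger(HttpClient http, string authority, string clientId, string clientSecret)
    {
        _http = http;
        _disco = new DiscoveryCache(authority);
        _clientId = clientId;
        _clientSecret = clientSecret;
    }

    // RFC 8693 delegation: same user, new scope, issued to the BFF client.
    public async Task<string> ExchangeForChartsAsync(string subjectToken)
    {
        var disco = await _disco.GetAsync();
        if (disco.IsError) throw new InvalidOperationException(disco.Error);
        var response = await _http.RequestTokenAsync(new TokenRequest
        {
            Address = disco.TokenEndpoint,
            GrantType = TokenExchangeGrant,
            ClientId = _clientId,
            ClientSecret = _clientSecret,
            Parameters =
            {
                { "subject_token_type", AccessTokenType },
                { "subject_token", subjectToken },   // the user's current token from the session
                { "scope", "charts_read" }           // the scope the app cannot request directly
            }
        });
        // Fail closed: if the exchange is refused, do not fall back to forwarding the original token.
        if (response.IsError) throw new InvalidOperationException("token exchange failed: " + response.Error);
        return response.AccessToken;
    }
}
```

The returned token is what the proxy sets as the bearer token on the outgoing "remote/api/charts" request; the original user token is never forwarded to that API.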

We do not have plans for that. Maybe we could add some extensibility to enable such scenarios. Let me know if you have an idea where this could happen (ideally as a PR).

I think token exchange is out of scope for this project.

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue.