
Benefits of Token Exchange protocol in OAuth 2

Çağlar Arlı


Beginner question here: I don't seem to be able to wrap my head around the security benefits of the token exchange protocol as specified by RFC 8693. To me it seems like a delegation pattern where a webservice (service A) impersonates the authenticated user when accessing another webservice (service B). It does so by swapping the authenticated user token (public token) for a different token (internal token) issued to Service A while retaining the identity of the authenticated user.

Seems to me that the only benefits here are

  1. The internal token may contain claims and scopes required for Service B to perform its functionality, which are not included in the public token.
  2. Service B can be isolated and therefore safe from random attacks
  3. Service B does not need to authenticate the user since it only deals with requests coming from Service A

But it doesn't really protect from playback attacks since if you gain access to the public token, then you have access to the internal token by proxy, unless I'm missing something?
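The exchange the question describes, carried through as an added example in Python (not part of the original post and not code from any particular authorization server): service A sends an RFC 8693 token-exchange request carrying the user's public token as `subject_token` and its own token as `actor_token`; the authorization server validates both and mints an internal token that keeps the user as `sub`, is bound to the requested `audience`, records service A in the `act` claim (RFC 8693's delegation form, as opposed to plain impersonation), and expires quickly. Service B then checks `aud` and `act` rather than authenticating the user itself. The `demo()` function also shows the two properties a practitioner wants to confirm: the public token presented directly to service B is refused on `aud`, and the internal token stops working after its short lifetime while the public token is still valid. The HS256 shared key, the issuer URL, the client ids `service-a`/`service-b`, the policy table and all sample tokens are constructed for the example.

```python
"""Added example (not the poster's code): one RFC 8693 token exchange round trip."""
import base64
import hashlib
import hmac
import json

AS_KEY = b"constructed-authorization-server-key"  # assumed single shared HMAC key
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ALLOWED_DOWNSTREAM = {"service-a": {"service-b": "orders:read"}}  # assumed AS policy
INTERNAL_LIFETIME = 300  # seconds; a leaked internal token is usable only briefly

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, now: float) -> dict:
    """Check alg, signature and expiry at time `now`; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def token_exchange(form: dict, now: float) -> dict:
    """Authorization server side of RFC 8693 (request sec. 2.1, response sec. 2.2):
    validate subject_token and actor_token, mint a token bound to `audience` with `act` set."""
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        raise ValueError("unsupported_grant_type")
    if form.get("subject_token_type") != ACCESS_TOKEN_TYPE:
        raise ValueError("invalid_request: unsupported subject_token_type")
    subject = verify_jwt(form.get("subject_token", ""), AS_KEY, now)
    actor = verify_jwt(form.get("actor_token", ""), AS_KEY, now)
    audience = form.get("audience")
    # Only the client the public token was issued to may act for its user, and only
    # towards an audience the (assumed) policy table allows for that client.
    if actor.get("sub") != subject.get("aud"):
        raise ValueError("invalid_request: actor is not the subject token's audience")
    scope = ALLOWED_DOWNSTREAM.get(actor["sub"], {}).get(audience)
    if scope is None:
        raise ValueError("invalid_target")
    internal = {
        "iss": "https://as.example",   # assumed issuer
        "sub": subject["sub"],         # end-user identity is retained
        "aud": audience,               # usable at service B only
        "scope": scope,                # downstream scope the public token never carried
        "act": {"sub": actor["sub"]},  # who is acting on the user's behalf
        "iat": int(now),
        "exp": int(now) + INTERNAL_LIFETIME,
    }
    return {"access_token": sign_jwt(internal, AS_KEY), "issued_token_type": ACCESS_TOKEN_TYPE,
            "token_type": "Bearer", "expires_in": INTERNAL_LIFETIME}

def service_b_authorize(token: str, now: float) -> dict:
    """Resource server B: accept only tokens minted for it and routed via service A."""
    claims = verify_jwt(token, AS_KEY, now)
    if claims.get("aud") != "service-b":
        raise ValueError("audience mismatch")
    if claims.get("act", {}).get("sub") != "service-a":
        raise ValueError("missing or unexpected actor")
    return claims

def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the exchange on constructed tokens and report what each party saw."""
    base = {"iss": "https://as.example", "iat": int(now), "exp": int(now) + 3600}
    public_token = sign_jwt({**base, "sub": "alice", "aud": "service-a", "scope": "profile"}, AS_KEY)
    service_a_token = sign_jwt({**base, "sub": "service-a", "aud": "https://as.example"}, AS_KEY)
    out = {}
    try:  # replaying the public token straight at service B fails on `aud`
        out["public_at_b"] = service_b_authorize(public_token, now)
    except ValueError as err:
        out["public_at_b"] = f"rejected: {err}"
    resp = token_exchange({"grant_type": TOKEN_EXCHANGE_GRANT, "subject_token": public_token,
                           "subject_token_type": ACCESS_TOKEN_TYPE, "actor_token": service_a_token,
                           "actor_token_type": ACCESS_TOKEN_TYPE, "audience": "service-b"}, now)
    out["internal"] = service_b_authorize(resp["access_token"], now)
    try:  # the internal token dies after 300 s although the public one has an hour left
        out["after_expiry"] = service_b_authorize(resp["access_token"], now + INTERNAL_LIFETIME + 1)
    except ValueError as err:
        out["after_expiry"] = f"rejected: {err}"
    return out

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting. First, the internal token is only as "derivable" from the public token as the authorization server's policy lets it be: the exchange succeeds only for a registered actor that presents its own `actor_token`, so a stolen public token alone does not obtain an internal token from the AS, although a compromised service A of course can. Second, what the exchanged token gains over the public one is exactly the binding the AS puts on it: `aud` limits where it is accepted, `act` tells service B who is calling on the user's behalf, and the lifetime bounds how long a leaked internal token remains useful; without those the exchange is just a token copy with extra claims.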