Token Exchange Implementation

A sample token exchange mapping rule is provided under Federation > OIDC > Mapping Rules.

Currently, the out-of-the-box support for the token exchange grant type is based on JSON Web Token (JWT), although it can be extended to other token types. The implementation uses a combination of JavaScript and STS Chains. See STS Chains.

  • doTokenExchangePre(useSTSforTokenGenerate, store_db)
  • doTokenExchangePost()
These two functions are wrapped in oauth_20_token_exchange.js, which can be imported and called from within other mapping rules. For example:
importMappingRule("Oauth_20_TokenExchange_PreMapping");   // import the mapping rule

/*
 * Config option to generate the token from this pre-mapping rule.
 * ISVA will issue a regular access token if the variable is set to false.
 * If set to true, the STS chain will be called to generate the token.
 */
var useSTSforTokenGenerate = false;

/*
 * Config option to store the token generated through this mapping rule in the DB.
 * Set to true to store the token in the oauth20_token_cache, and to false otherwise.
 * This variable is ignored if the STS is not used to generate the token.
 */
var store_db = false;

doTokenExchangePre(useSTSforTokenGenerate, store_db); // call the mapping rule
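
Because the out-of-the-box support is JWT-based, a token exchange request can be screened for JWT token types before any exchange logic runs. The following is an added example, not ISVA code or part of the shipped mapping rules: it assumes the RFC 8693 parameter names and token-type URNs, and the function names and sample request are hypothetical.

```javascript
// Added example, not ISVA code. Parameter names and URNs follow RFC 8693;
// the function names and sample values are hypothetical.
const GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange";
const JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt";

// Structural check only: three non-empty base64url segments (signed compact JWS).
// An empty signature segment (unsigned token) is rejected. The signature itself
// must still be verified separately.
function looksLikeSignedCompactJwt(token) {
  return typeof token === "string" &&
    /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/.test(token);
}

// params: the parsed form body as a plain object of strings.
function validateTokenExchangeRequest(params) {
  const errors = [];
  if (params.grant_type !== GRANT_TYPE) errors.push("unsupported grant_type");
  if (!params.subject_token) errors.push("subject_token missing");
  if (!params.subject_token_type) {
    errors.push("subject_token_type missing");
  } else if (params.subject_token_type !== JWT_TYPE) {
    errors.push("subject_token_type is not JWT");
  } else if (params.subject_token && !looksLikeSignedCompactJwt(params.subject_token)) {
    errors.push("subject_token is not a signed compact JWT");
  }
  // RFC 8693: actor_token_type is required with actor_token and forbidden without it.
  if (Boolean(params.actor_token) !== Boolean(params.actor_token_type)) {
    errors.push("actor_token and actor_token_type must appear together");
  } else if (params.actor_token) {
    if (params.actor_token_type !== JWT_TYPE) errors.push("actor_token_type is not JWT");
    else if (!looksLikeSignedCompactJwt(params.actor_token)) errors.push("actor_token is not a signed compact JWT");
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample request; the token is a dummy with a placeholder signature.
const sampleRequest = {
  grant_type: GRANT_TYPE,
  subject_token: "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl",
  subject_token_type: JWT_TYPE,
};
console.log(validateTokenExchangeRequest(sampleRequest));
```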