OAuth2 & OpenID Connect Deep Dive · Lesson

Token Exchange (RFC 8693)

Learn the OAuth2 Token Exchange extension that lets services swap one token for another to support delegation and impersonation across service boundaries.

What Problem Does It Solve?

In a microservices world, Service A receives a token from a user, then must call Service B on the user's behalf. Forwarding the original token everywhere is risky: its audience may not name Service B at all, its scopes are usually far broader than the single downstream call needs, and once it has been handed on, any service that holds it can replay it against every other audience it was issued for.

Token Exchange (RFC 8693) lets a service trade an incoming token for a new, narrower or differently-scoped token from the authorization server. The service posts grant_type=urn:ietf:params:oauth:grant-type:token-exchange to the token endpoint together with the token it holds (subject_token and subject_token_type) and, typically, the audience and scope it wants; the authorization server applies its policy and returns a fresh token minted for that audience, so the original token never leaves the service that received it.

Delegation vs Impersonation

Two distinct patterns:

  • Impersonation — the new token looks like it belongs purely to the user; downstream cannot tell a middle service was involved. This is what you get when the request carries only a subject_token.
  • Delegation — the request also carries an actor_token identifying the calling service, and the new token records both the user (sub) and the acting service via an act claim, preserving the chain. Further hops nest one act inside another, outermost actor first.
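The exchange and the two patterns above, worked end to end as an added example that is not part of the lesson. The authorization server is an in-process function, tokens are HS256 JWTs signed with a constructed demo secret, and the issuer name, service names and EXCHANGE_POLICY table are assumptions made for the demo rather than any real product's configuration:

```python
# Added example, not from the lesson: a miniature RFC 8693 token exchange run
# against an in-process "authorization server". The HS256 secret, issuer name
# and policy table are constructed for the demo, not a real product's API.
import base64, hashlib, hmac, json, time

SECRET = b"demo-hs256-secret-not-for-production"   # constructed demo key
ISSUER = "https://as.example"                       # hypothetical AS
GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
# Hypothetical AS policy: which client may obtain tokens for which audience.
EXCHANGE_POLICY = {"service-a": {"service-b"}, "service-b": {"service-c"}}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims):
    """Mint a compact-serialized HS256 JWT over `claims`."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def verify(token):
    """Return the claims if the signature is good and the token is unexpired, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims.get("exp", 0) > time.time() else None

def mint(sub, aud, scope, ttl=300):
    now = int(time.time())
    return sign({"iss": ISSUER, "sub": sub, "aud": aud, "scope": scope,
                 "iat": now, "exp": now + ttl})

def token_exchange(form, client_id):
    """Token endpoint handler for grant_type=token-exchange; `form` is the parsed
    request body, `client_id` the already-authenticated caller."""
    if form.get("grant_type") != GRANT:
        return {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != JWT_TYPE:
        return {"error": "invalid_request"}
    subject = verify(form.get("subject_token", ""))
    # The caller must itself be an audience of the token it presents; this is
    # what stops a service from exchanging a token it merely intercepted.
    if subject is None or subject.get("aud") != client_id:
        return {"error": "invalid_grant"}
    if form.get("audience") not in EXCHANGE_POLICY.get(client_id, set()):
        return {"error": "invalid_target"}
    held = set(subject.get("scope", "").split())
    wanted = set(form.get("scope", "").split()) or held
    if not wanted <= held:
        return {"error": "invalid_scope"}   # an exchange may narrow, never widen
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": subject["sub"], "aud": form["audience"],
              "scope": " ".join(sorted(wanted)), "iat": now, "exp": now + 300}
    if "actor_token" in form:               # delegation: record who is acting
        if form.get("actor_token_type") != JWT_TYPE:
            return {"error": "invalid_request"}
        actor = verify(form["actor_token"])
        if actor is None or actor.get("sub") != client_id:
            return {"error": "invalid_grant"}  # the actor must be the caller
        act = {"sub": actor["sub"]}
        if "act" in subject:                # nest prior actors, outermost = current
            act["act"] = subject["act"]
        claims["act"] = act
    return {"access_token": sign(claims), "issued_token_type": JWT_TYPE,
            "token_type": "Bearer", "expires_in": 300}

def run_demo():
    """Alice's token reaches service-a, which calls service-b, which calls service-c."""
    user_token = mint("alice", "service-a", "orders:read orders:write")
    svc_a = mint("service-a", ISSUER, "")   # each service's own client credential
    svc_b = mint("service-b", ISSUER, "")
    req = {"grant_type": GRANT, "subject_token": user_token,
           "subject_token_type": JWT_TYPE, "audience": "service-b",
           "scope": "orders:read"}
    impersonation = token_exchange(req, "service-a")
    delegation = token_exchange({**req, "actor_token": svc_a,
                                 "actor_token_type": JWT_TYPE}, "service-a")
    hop2 = token_exchange({"grant_type": GRANT, "subject_token_type": JWT_TYPE,
                           "subject_token": delegation["access_token"],
                           "audience": "service-c", "actor_token": svc_b,
                           "actor_token_type": JWT_TYPE}, "service-b")
    return {"impersonation": verify(impersonation["access_token"]),
            "delegation": verify(delegation["access_token"]),
            "chain": verify(hop2["access_token"])["act"],
            "widened": token_exchange({**req, "scope": "orders:admin"}, "service-a"),
            "wrong_target": token_exchange({**req, "audience": "service-c"}, "service-a"),
            "replayed": token_exchange(req, "service-b")}  # b was never an audience
```

run_demo() returns the decoded results: the impersonation token carries sub=alice for service-b with only orders:read and no act claim, the delegation token adds act={"sub": "service-a"}, and the second hop nests it as act={"sub": "service-b", "act": {"sub": "service-a"}}. The three failing requests show the checks a real authorization server must make before honouring an exchange: a request for a scope the subject token does not already hold is refused with invalid_scope, an audience the client is not permitted to target with invalid_target, and a token presented by a client that was never in its audience with invalid_grant.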
