A custom Token Procedure plugin for the Curity Identity Server. The plugin uses the Token Exchange flow (RFC 8693) to exchange a JWT issued by an external IdP for a downscoped token issued by the Curity Identity Server.
You can build the plugin by issuing the command `mvn package`. This will produce a set of JAR files in the `target/external-idp-token-exchange` directory, which can be installed.
To install the plugin, copy the compiled JAR files into the `${IDSVR_HOME}/usr/share/plugins/external-idp-token-exchange` directory on each node, including the admin node. For more information about installing plugins, refer to [curity.io/plugins](https://curity.io/plugins).
Instructions for adding the plugin to a custom built docker container can be found in the [Plugins section](https://curity.io/resources/learn/customizing-the-curity-docker-container/#plugins) of the Docker Container Customization article.
The plugin needs to be configured and assigned.

- Configure an `HttpClient` and assign it to the Token Procedure.
- Set the `Metadata URL` for the external IdP. This is used by the Token Procedure to obtain the JWKS URI as well as the issuer used to validate the provided JWT.
- Set a `Clock Skew` as needed.
More details about Token Procedure plugins can be found in the Curity Identity Server documentation. This plugin should be assigned to the OAuth Token Exchange flow on an `oauth-token` endpoint.
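To make the validation steps listed above concrete, the following is an added illustration (not the plugin's own code) of the checks a token procedure applies to the incoming subject token: key lookup by `kid` in the IdP's JWKS, signature verification, issuer match against the IdP metadata, and `exp`/`nbf` evaluation with a configured clock skew. The metadata, JWKS and key are constructed inline and HS256 with an `oct` JWK is used so the script runs offline; a real IdP publishes RSA or EC keys, and the metadata and JWKS are fetched from the configured Metadata URL over the assigned `HttpClient`. The function names `validate_subject_token` and `check` are hypothetical.

```python
"""Model of subject-token validation for an external-IdP token exchange.
Added example; not the plugin's code. Uses HS256/oct keys only so it is
self-contained; production IdPs normally sign with RSA or EC keys."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample IdP metadata (normally fetched from the Metadata URL).
METADATA = {
    "issuer": "https://idp.example.com",
    "jwks_uri": "https://idp.example.com/jwks",
}

# Constructed JWKS (normally fetched from METADATA["jwks_uri"]).
SECRET = b"constructed-shared-secret-for-demo-only"
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-1", "alg": "HS256",
                  "k": base64.urlsafe_b64encode(SECRET).rstrip(b"=").decode()}]}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact HS256 JWT; stands in for the external IdP."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_subject_token(token: str, metadata: dict, jwks: dict,
                           clock_skew: int = 0, now: float = None) -> dict:
    """Return the claims if every check passes, else raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))

    # 1. Select the verification key by kid from the IdP's JWKS.
    keys = [k for k in jwks["keys"] if k.get("kid") == header.get("kid")]
    if not keys:
        raise ValueError("unknown kid")
    jwk = keys[0]
    # Accept only the algorithm the JWK declares (this model implements HS256 only);
    # this rejects "none" and algorithm-substitution headers.
    if header.get("alg") != jwk.get("alg") or jwk.get("alg") != "HS256":
        raise ValueError("unsupported alg")

    # 2. Verify the signature over header.payload before trusting any claim.
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")

    # 3. Issuer must equal the issuer advertised in the IdP metadata.
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != metadata["issuer"]:
        raise ValueError("issuer mismatch")

    # 4. Time claims, widened by the configured clock skew (seconds).
    if "exp" not in claims or now > claims["exp"] + clock_skew:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0) - clock_skew:
        raise ValueError("token not yet valid")
    return claims


def check(token: str, metadata: dict, jwks: dict, clock_skew: int = 0, now: float = None):
    """Convenience wrapper: (True, claims) on success, (False, reason) on failure."""
    try:
        return True, validate_subject_token(token, metadata, jwks, clock_skew, now)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    t = int(time.time())
    tok = make_jwt({"iss": METADATA["issuer"], "sub": "alice", "exp": t + 60}, "demo-key-1", SECRET)
    print(check(tok, METADATA, JWKS))
```

The order of the checks matters: the signature is verified before any claim is read, and the key is chosen by `kid` with the algorithm pinned to what the JWK declares, so an attacker-controlled header cannot steer verification. The clock skew only widens the `exp`/`nbf` window by the configured amount, which is why it should be kept small.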
The plugin is used by sending a token exchange request to the `oauth-token` endpoint. An example can look like:

```bash
curl -Ss -X POST \
  https://localhost:8443/oauth/v2/oauth-token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
  -d 'client_id=token-exchange' \
  -d 'client_secret=Pa$$w0rd1!' \
  -d 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \
  -d 'subject_token=eyJraWQiOiJ2b01SRDNLbU...TZ9Hstg' \
  -d 'scope=foo bar'
```

Note that curl's `-d` sends each value as given; use `--data-urlencode` instead if a value contains characters that must be percent-encoded in a form body.
Please visit curity.io for more information about the Curity Identity Server.