IdentityServer: Token Exchange

This custom Token Exchange Grant Flow allows IdentityServer to exchange a reference token through the creation of a new JWT token. There are many reasons why this may need to be done. The documentation on this process isn’t as clear and I thought it would help others if I shared what I learned and experienced.

We’ll also use POSTMAN to demonstrate these flows.

GitHub: identityserver-token-exchange

Reference Tokens

A reference token can be used for a higher level of security but this presents a challenge and can put a huge load on the IdentityServer because downstream microservices may use Token Introspection. Imagine, a user requests a Reference Token and that token has to hit the introspection endpoint for each microservice that it comes in contact with. This is where the problem exists… Another option is to use an aggregate microservice or incorporate this into an Azure APIM policy.

API: Token Introspection Code

A .NET API may use code that introspects the Reference Token. When the API receives the Reference Token it will post to the IdentityServer to get the claims associated with that token.

Token Exchange Code

This code will allow the creation of a custom Grant Flow that allows a Reference Token to go in and a JWT Token to come out.

Client Registration for Token Exchange Grant Flow

POSTMAN Token Exchange

Get Reference Token

Exchange for JWT Token

Another way to exchange this token would be to make a more direct post using raw format and include this as below.

Further Reading

https://docs.duendesoftware.com/identityserver/v5/tokens/extension_grants/token_exchange/
https://docs.duendesoftware.com/identityserver/v6/apis/aspnetcore/reference/