subject_ token
Registry Context
The token exchange request parameter that carries the security token for the party on whose behalf the request is being made.
Technical Summary
A REQUIRED OAuth 2.0 Token Exchange request parameter containing a security token that represents the identity of the party on whose behalf the exchange request is made.
When Used
Used in OAuth 2.0 token exchange requests to present the subject token being exchanged.
Normative Requirements
Clients
RFC 8693 - Section 2.1
include the subject_token parameter in the token exchange request.
Condition: when making an OAuth 2.0 token exchange request
subject_token REQUIRED.
RFC 8693 - Section 2.1
include the subject_token_type parameter indicating the type of the security token in the subject_token parameter.
Condition: when making an OAuth 2.0 token exchange request
subject_token_type REQUIRED.
Authorization servers
RFC 8693 - Section 2.1
perform the appropriate validation procedures for the indicated token type.
Condition: when processing the token exchange request
the authorization server MUST perform the appropriate validation procedures for the indicated token type
Validation Guidance
Reject token exchange requests that omit subject_token.
Reject token exchange requests that omit subject_token_type.
Validate the subject token according to the token type indicated by subject_token_type during request processing.
Security Notes
RFC 8693 - Section 2.1
The section warns that omitting client authentication can allow anyone possessing a compromised token to leverage it through an STS into other tokens; client authentication enables additional authorization checks for impersonation or delegation.
Reference
Details
- Entry Id
subject_token - Name
subject_token - Parameter Usage Location
token request- Change Controller
IESG- Reference
RFC8693 - Section 2.1