oauth2.dev

subject_token

IESG

Registry Context

The token exchange request parameter that carries the security token for the party on whose behalf the request is being made.

Technical Summary

A REQUIRED OAuth 2.0 Token Exchange request parameter containing a security token that represents the identity of the party on whose behalf the exchange request is made.

When Used

Used in OAuth 2.0 token exchange requests to present the subject token being exchanged.

Normative Requirements

Clients

REQUIRED
2
  1. RFC 8693 - Section 2.1

    include the subject_token parameter in the token exchange request.

    Condition: when making an OAuth 2.0 token exchange request

    subject_token REQUIRED.

  2. RFC 8693 - Section 2.1

    include the subject_token_type parameter indicating the type of the security token in the subject_token parameter.

    Condition: when making an OAuth 2.0 token exchange request

    subject_token_type REQUIRED.

Authorization servers

MUST
1
  1. RFC 8693 - Section 2.1

    perform the appropriate validation procedures for the indicated token type.

    Condition: when processing the token exchange request

    the authorization server MUST perform the appropriate validation procedures for the indicated token type

Validation Guidance

error

Reject token exchange requests that omit subject_token.

error

Reject token exchange requests that omit subject_token_type.

error

Validate the subject token according to the token type indicated by subject_token_type during request processing.

Security Notes

RFC 8693 - Section 2.1

The section warns that omitting client authentication can allow anyone possessing a compromised token to leverage it through an STS into other tokens; client authentication enables additional authorization checks for impersonation or delegation.

Reference

Details

Entry Id
subject_token
Name
subject_token
Parameter Usage Location
token request
Change Controller
IESG
Reference
RFC8693 - Section 2.1