Token Exchange Types
Summary
Token exchange is the process of exchanging one security token for another, typically so that a token issued for one audience or purpose can be turned into a token for a different resource. It is a crucial aspect of authorization in modern web-based applications and services. Several protocols and token formats take part in token exchange, including OAuth 2.0, SAML, JWT, and Kerberos.
In our example, we’ll look at how to perform a token exchange using C# and the OAuth 2.0 protocol. We’ll use the HttpClient class to send a request to the Azure AD token endpoint, passing the client ID, client secret, grant type, assertion (the access token being exchanged), and target resource as form parameters in the request body. Once the token endpoint responds, we parse the JSON content and extract the new access token.
It’s worth noting that token exchange is an important part of securing web-based applications and services, but it’s just one piece of the puzzle. Developers need to carefully consider the security implications of their token exchange implementation, as well as the overall architecture of their application or service. By following best practices and using established security protocols, developers can build robust and secure applications that protect users and their data.
Token Types
- OAuth 2.0 Access Token – Used for authorisation and access to Azure services.
- OAuth 2.0 Refresh Token – Used to obtain a new access token without re-authentication.
- ID Token (OpenID Connect) – Contains identity information about the user, used for authentication.
- SAML 2.0 Token – Used for Single Sign-On (SSO) with Azure Active Directory.
- JWT (JSON Web Token) – Used for securely representing claims between parties, commonly used in many Azure services.
- Kerberos Token – Used in hybrid environments with Azure AD and on-premises Active Directory.
- Managed Identity Token – Issued by Azure for services using Managed Identities to authenticate.
- Client Assertion Token – A JWT signed with the client’s certificate and presented instead of a client secret to authenticate the client, for example in the OAuth 2.0 client credentials flow.
- API Key – Used in Azure API Management for access control.
“Bearer” is the token type of an OAuth 2.0 access token (it is presented in the Authorization header, and whoever holds it can use it), so a Bearer Token is not listed separately from the OAuth Access Token, and the Client Assertion Token is a specific form of JWT. They have been grouped accordingly.
Token Exchange Types
OAuth 2.0
OAuth token exchange: OAuth 2.0 is the protocol used for authorization and token exchange in most web-based applications. A user grants an application permission to access their resources at a service provider, and the application receives an access token, usually with a refresh token alongside it. Two exchanges are then possible. A refresh token is exchanged for a new access token without the user re-authenticating (the refresh token is issued with the access token, not obtained by exchanging it). And an access token that an API has received can be exchanged for a new access token with a different audience or scopes, for a downstream API: in Azure AD this is the on-behalf-of flow, which uses the JWT bearer grant type from RFC 7523; the generic standard for the same idea is OAuth 2.0 Token Exchange (RFC 8693).
sequenceDiagram
  participant User
  participant Application
  participant AuthorizationServer
  participant ResourceServer
  User ->> Application: Grants Permission
  Application ->> AuthorizationServer: Requests Authorization Code
  AuthorizationServer ->> Application: Returns Authorization Code
  Application ->> AuthorizationServer: Exchanges Authorization Code for Access Token (+ Refresh Token)
  AuthorizationServer ->> Application: Returns Access Token and Refresh Token
  Application ->> ResourceServer: Sends Access Token to Access Resources
  ResourceServer ->> Application: Grants Access
  Application ->> AuthorizationServer: Exchanges Refresh Token for New Access Token, or Access Token for a Downstream Access Token (on-behalf-of)
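The two exchanges described above, as an added example that is not part of the original post: it builds the refresh-token request and the on-behalf-of request for the Azure AD v2.0 token endpoint, and shows the check an API should make before forwarding an incoming access token as the assertion (its aud must be this API and it must not be expired). The client ID, scopes, the `api://my-middle-tier-api` identifier and the sample token are constructed; the sample token is unsigned, so it runs offline, and ReadClaims deliberately does not verify signatures.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

// Added example (not from the original post). Models the two OAuth 2.0
// exchanges Azure AD offers: refresh token -> new access token, and
// access token -> downstream access token (on-behalf-of, jwt-bearer grant).
public static class OAuthExchange
{
    // v2.0 token endpoint; "{tenant-id}" is a placeholder to replace.
    public const string TokenEndpoint =
        "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token";

    // Refresh token grant: no assertion is involved, the refresh token itself
    // is the credential. Azure AD returns a new access token and a rotated refresh token.
    public static Dictionary<string, string> BuildRefreshRequest(
        string clientId, string refreshToken, string scope) =>
        new Dictionary<string, string>
        {
            ["client_id"] = clientId,
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = refreshToken,
            ["scope"] = scope,
        };

    // On-behalf-of grant: the access token our API received becomes the
    // assertion; the new token is scoped to the downstream API instead.
    // requested_token_use=on_behalf_of is mandatory for Azure AD.
    public static Dictionary<string, string> BuildOnBehalfOfRequest(
        string clientId, string clientSecret, string incomingAccessToken, string downstreamScope) =>
        new Dictionary<string, string>
        {
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["assertion"] = incomingAccessToken,
            ["requested_token_use"] = "on_behalf_of",
            ["scope"] = downstreamScope,
        };

    // Decodes the payload of a compact JWT WITHOUT verifying the signature.
    // Only for inspecting claims; signature, issuer and expiry must already have
    // been verified by the API's token validation before the token is trusted.
    public static JsonElement ReadClaims(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWS");
        string payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        return JsonDocument.Parse(Convert.FromBase64String(payload)).RootElement.Clone();
    }

    // Gate for the OBO flow: forward only a token whose audience is this API
    // and which has not expired. A token minted for another API must not be
    // exchanged on the user's behalf, whatever the token endpoint would accept.
    public static bool IsUsableAsAssertion(string jwt, string expectedAudience, DateTimeOffset now)
    {
        JsonElement claims = ReadClaims(jwt);
        bool audOk = claims.TryGetProperty("aud", out var aud)
                     && aud.ValueKind == JsonValueKind.String
                     && aud.GetString() == expectedAudience;
        bool expOk = claims.TryGetProperty("exp", out var exp)
                     && exp.TryGetInt64(out long expSeconds)
                     && DateTimeOffset.FromUnixTimeSeconds(expSeconds) > now;
        return audOk && expOk;
    }

    // Constructed, unsigned sample token (dummy signature part) for offline use.
    public static string SampleToken(string aud, long exp)
    {
        static string B64Url(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string header = B64Url("{\"alg\":\"RS256\",\"typ\":\"JWT\"}");
        string payload = B64Url(
            $"{{\"aud\":\"{aud}\",\"iss\":\"https://login.microsoftonline.com/{{tenant-id}}/v2.0\",\"exp\":{exp}}}");
        return $"{header}.{payload}.dummysig";
    }

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        string myApiAppId = "api://my-middle-tier-api"; // assumed App ID URI of this API
        long exp = now.AddMinutes(30).ToUnixTimeSeconds();
        string mine = SampleToken(myApiAppId, exp);
        string foreign = SampleToken("api://some-other-api", exp);

        Console.WriteLine("token for this API usable:  " + IsUsableAsAssertion(mine, myApiAppId, now));
        Console.WriteLine("token for other API usable: " + IsUsableAsAssertion(foreign, myApiAppId, now));

        var obo = BuildOnBehalfOfRequest("my-client-id", "my-client-secret", mine,
            "https://graph.microsoft.com/User.Read");
        foreach (var kv in obo) Console.WriteLine($"{kv.Key}={kv.Value}");
    }
}
```

The dictionaries map directly onto a FormUrlEncodedContent body posted to TokenEndpoint. The audience gate matters because the on-behalf-of grant mints a token in the user's name: an API that forwards any JWT it is handed becomes a token-laundering service for tokens issued to other applications.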
SAML
SAML token exchange: Security Assertion Markup Language (SAML) is an XML-based protocol for exchanging authentication and authorization assertions between an identity provider and a service provider. The user authenticates at the identity provider, which issues a signed SAML assertion to the service provider; that assertion is the SAML token. The service provider can then exchange the assertion for a different kind of token, most commonly an OAuth 2.0 access token via the SAML bearer assertion grant (RFC 7522), which Azure AD supports for assertions from a federated identity provider such as AD FS.
sequenceDiagram
  participant User
  participant ServiceProvider
  participant IdentityProvider
  User ->> ServiceProvider: Requests access to service
  ServiceProvider ->> IdentityProvider: Sends Authentication Request (SAML Request)
  IdentityProvider ->> User: Requests Authentication
  User ->> IdentityProvider: Provides Credentials
  IdentityProvider ->> ServiceProvider: Sends SAML Assertion (SAML Token)
  ServiceProvider ->> User: Grants Access to the Service
  ServiceProvider ->> IdentityProvider: Exchanges SAML Assertion for Another Token at the token endpoint (e.g., an OAuth 2.0 Access Token via the SAML bearer assertion grant)
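The last step of that exchange, as an added example that is not part of the original post: the service provider checks the assertion's Conditions (NotOnOrAfter and Audience) before sending it, base64url-encodes it as RFC 7522 requires (plain base64 with padding is a common cause of invalid_grant), and builds the saml2-bearer request. The assertion XML, issuer, subject, client ID and scope are constructed; a real assertion is signed by the identity provider and the token endpoint verifies that signature.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text;
using System.Xml.Linq;

// Added example (not part of the original post): exchanging a SAML 2.0
// assertion for an OAuth 2.0 access token with the SAML bearer assertion grant
// (RFC 7522). The assertion below is constructed and unsigned.
public static class SamlBearerExchange
{
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed minimal assertion. The Audience names the token endpoint,
    // because the token endpoint is the relying party of a bearer assertion.
    public static string SampleAssertion(string audience, DateTimeOffset notOnOrAfter) => $@"
<saml:Assertion xmlns:saml=""{Saml}"" ID=""_example"" Version=""2.0"" IssueInstant=""{notOnOrAfter.AddMinutes(-5):O}"">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter=""{notOnOrAfter:O}"">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>".Trim();

    // Client-side pre-flight: do not send an assertion that has expired or that
    // names a different audience. The endpoint would reject it anyway, but the
    // failure is clearer here and the assertion never leaves the process.
    public static bool IsSendable(string assertionXml, string tokenEndpoint, DateTimeOffset now)
    {
        XElement root = XElement.Parse(assertionXml);
        XElement conditions = root.Element(Saml + "Conditions");
        if (conditions == null) return false;
        string notOnOrAfter = (string)conditions.Attribute("NotOnOrAfter");
        if (notOnOrAfter == null) return false;
        if (DateTimeOffset.Parse(notOnOrAfter, CultureInfo.InvariantCulture) <= now) return false;
        foreach (XElement aud in conditions.Descendants(Saml + "Audience"))
            if (aud.Value == tokenEndpoint) return true;
        return false;
    }

    // RFC 7522 requires base64url without padding, not standard base64.
    public static string Base64UrlEncode(string text) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(text))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Form body for the token endpoint. Confidential clients add client_secret
    // or a client assertion; public clients send only client_id.
    public static Dictionary<string, string> BuildRequest(string clientId, string assertionXml, string scope) =>
        new Dictionary<string, string>
        {
            ["client_id"] = clientId,
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:saml2-bearer",
            ["assertion"] = Base64UrlEncode(assertionXml),
            ["scope"] = scope,
        };

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        // "{tenant-id}" is a placeholder to replace with the tenant ID.
        string tokenEndpoint = "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token";
        string fresh = SampleAssertion(tokenEndpoint, now.AddMinutes(5));
        string stale = SampleAssertion(tokenEndpoint, now.AddMinutes(-5));
        string wrongAudience = SampleAssertion("https://sp.example.test/acs", now.AddMinutes(5));

        Console.WriteLine("fresh, right audience: " + IsSendable(fresh, tokenEndpoint, now));
        Console.WriteLine("expired:               " + IsSendable(stale, tokenEndpoint, now));
        Console.WriteLine("wrong audience:        " + IsSendable(wrongAudience, tokenEndpoint, now));

        var request = BuildRequest("my-client-id", fresh, "https://graph.microsoft.com/.default");
        Console.WriteLine(request["grant_type"]);
        Console.WriteLine("assertion (base64url, first 40 chars): " + request["assertion"].Substring(0, 40));
    }
}
```

The pre-flight check is not a substitute for the token endpoint's own validation (signature, issuer trust, replay); it only stops the client from shipping an assertion that cannot succeed. The Audience check also documents an easy mistake: an assertion scoped to the service provider's ACS URL is not valid for the token endpoint.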
JWT token exchange
JSON Web Tokens (JWT) are a compact, signed format for representing claims between parties; the access tokens and ID tokens Azure AD issues are JWTs. A JWT can be presented as an assertion and exchanged for another token: an OAuth 2.0 access token for a different audience via the JWT bearer grant (RFC 7523, which is what the Azure AD on-behalf-of flow uses), or, in federated setups, a SAML assertion. The party performing the exchange must validate the JWT’s signature, issuer, audience and expiry before accepting it, because the new token is issued on the strength of the claims in the old one.
sequenceDiagram
  participant User
  participant Application
  participant AuthorizationServer
  participant ResourceServer
  User ->> Application: Logs in/Requests Access
  Application ->> AuthorizationServer: Sends credentials (or login request)
  AuthorizationServer ->> Application: Returns JWT Token
  Application ->> ResourceServer: Sends JWT Token for resource access
  ResourceServer ->> Application: Grants Access to Resources
  Application ->> AuthorizationServer: Exchanges JWT Token for OAuth Access Token or SAML Assertion (if needed)
Example
Here’s an example of how to perform a token exchange (the Azure AD on-behalf-of flow) using C# and the OAuth 2.0 protocol:
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public class TokenExchangeClient
{
    // one HttpClient for the lifetime of the process; creating one per call exhausts sockets
    private static readonly HttpClient client = new HttpClient();

    public async Task<string> ExchangeToken(string accessToken, string targetResource)
    {
        string tokenEndpoint = "https://login.microsoftonline.com/{tenant-id}/oauth2/token"; // replace {tenant-id} with your Azure AD tenant ID
        string clientId = "your-client-id"; // replace with your Azure AD app client ID
        string clientSecret = "your-client-secret"; // load from a secret store in real code; never hard-code it

        // set the request parameters: on-behalf-of flow, the incoming access token is the assertion
        var content = new FormUrlEncodedContent(new[]
        {
            new KeyValuePair<string, string>("client_id", clientId),
            new KeyValuePair<string, string>("client_secret", clientSecret),
            new KeyValuePair<string, string>("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer"),
            new KeyValuePair<string, string>("assertion", accessToken),
            new KeyValuePair<string, string>("requested_token_use", "on_behalf_of"), // required by Azure AD for this grant
            new KeyValuePair<string, string>("resource", targetResource)
        });

        // send the request to the token endpoint
        HttpResponseMessage response = await client.PostAsync(tokenEndpoint, content);

        // read the response; a failed exchange returns an OAuth error object with no access_token
        string responseContent = await response.Content.ReadAsStringAsync();
        JObject json = JObject.Parse(responseContent);
        if (!response.IsSuccessStatusCode || json["access_token"] == null)
        {
            throw new InvalidOperationException(
                $"Token exchange failed: {json["error"]} - {json["error_description"]}");
        }
        return json["access_token"].ToString();
    }
}
In this example, we use the HttpClient class to send a request to the Azure AD token endpoint, passing the client ID, client secret, grant type, assertion (the access token being exchanged) and target resource as form parameters in the request body. This is Azure AD’s on-behalf-of flow: Azure AD also requires requested_token_use=on_behalf_of for this grant, and the v2.0 endpoint (/oauth2/v2.0/token) takes a scope parameter instead of resource.
Once we receive the response from the token endpoint, we parse the JSON content and extract the access token. A failed exchange returns error and error_description instead of access_token, so check for those rather than assuming the field is present. Finally, we return the access token as a string.
Note that this example assumes that you have already obtained an access token by some other means, such as the Azure AD authentication libraries (MSAL). The accessToken parameter should contain the access token that you want to exchange; it must have been issued to your application (its aud claim is your app’s client ID or App ID URI) and must already have been validated (signature, issuer, expiry) by the time you forward it, because the new token is minted in that user’s name. The targetResource parameter should contain the URI of the resource that the new token will be used to access. The client secret appears inline only for brevity; in real code load it from a secret store such as Azure Key Vault, or authenticate the client with a certificate-based client assertion instead.