Red Hat 3scale API Management
THREESCALE-12102

Support for OAuth 2.0 On-Behalf-Of (OBO) Token Exchange in 3scale


    • Type: Enhancement
    • Resolution: Unresolved
    • Priority: Minor

      Request to add native support in Red Hat 3scale API Management for validating tokens obtained via OAuth 2.0 On-Behalf-Of (OBO) token exchange, aligned with RFC 8693.

      Background / Current Behavior:

      • 3scale APIcast currently validates a single JWT access token presented in the `Authorization: Bearer <token>` header, issued by an OpenID Connect IdP (e.g. RH-SSO or RHBK).
      • 3scale does not implement token exchange. Token exchange is handled by the IdP.
      • RH-SSO only offered token exchange as a tech preview (not supported for production).
      • RHBK 26.2+ introduced Standard Token Exchange (V2), fully supported and aligned with RFC 8693.

      Problem Statement:

      Customers requiring both application identity (client credentials) and user identity (end‑user claims) cannot rely on 3scale alone.

      • 3scale validates the client token but does not natively validate a user token in the same request.
      • Workarounds include backend validation or custom APIcast policies, which increase complexity.
      • Native support for OBO token exchange in 3scale would simplify architectures and align with modern OAuth2/OIDC practices.

      References:

      Requested Enhancement:

      • Add native support in 3scale APIcast for validating tokens obtained via OBO token exchange.
      • Ensure compatibility with RHBK’s Standard Token Exchange (V2).
      • Provide configuration options to enforce policies based on both client and user claims in the exchanged token.
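As an added illustration (not part of this issue, and not 3scale/APIcast or Keycloak code), the following Python sketches the two halves of the flow described above: the RFC 8693 form body a client sends to the IdP's token endpoint to exchange a user's token, and the policy check a gateway would apply to the exchanged token so that both the end-user identity (`sub`) and the client identity (`azp`, plus the optional RFC 8693 `act` delegation claim) are enforced before the request reaches the backend. The issuer, audience, client ids, signing key and claim values are constructed for the example; HS256 with a shared secret is used only to keep it dependency-free, whereas a real deployment verifies RS256/ES256 against the IdP's JWKS. Whether the IdP emits an `act` claim depends on its token exchange configuration, so the check treats it as optional.

```python
"""RFC 8693 token exchange as seen from the API gateway side.

(1) build_exchange_request: the form body sent to the IdP token endpoint to
    exchange a user's token (the step 3scale leaves to the IdP).
(2) authorize: allow/deny decision on the exchanged token, checking BOTH the
    end-user identity and the client identity.

Added example, not 3scale/APIcast or Keycloak code. All values below are
constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

KEY = b"example-hs256-secret-not-for-production"   # constructed shared secret
ISSUER = "https://rhbk.example.com/realms/api"     # constructed issuer
AUDIENCE = "orders-api"                             # constructed API audience
ALLOWED_CLIENTS = {"orders-gateway"}                # clients allowed to act on behalf of users

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(subject_token: str, audience: str = AUDIENCE) -> str:
    """Form-encoded body for the token endpoint (RFC 8693 section 2.1).
    Client authentication is added according to the client's configured method
    (HTTP Basic, client_secret_post or mTLS) and is not part of this body."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
    })


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes = KEY) -> str:
    """Mint an HS256 JWT; used here only to fabricate sample tokens."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def decode_jwt(token: str, key: bytes = KEY) -> dict:
    """Verify the HS256 signature and return the claims; ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # the token never chooses the algorithm
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def authorize(token: str, now=None) -> dict:
    """Policy decision on an exchanged token: signature, issuer, audience and
    lifetime must hold, an end-user subject must be present, and the client
    that obtained the token (azp, plus the optional RFC 8693 "act" actor)
    must be on the allow list."""
    now = time.time() if now is None else now
    try:
        claims = decode_jwt(token)
    except ValueError as exc:
        return {"allowed": False, "reason": str(exc)}
    if claims.get("iss") != ISSUER:
        return {"allowed": False, "reason": "wrong issuer"}
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in aud:
        return {"allowed": False, "reason": "wrong audience"}
    if claims.get("exp", 0) <= now:
        return {"allowed": False, "reason": "expired"}
    user = claims.get("sub")                       # end-user the token was issued on behalf of
    if not user:
        return {"allowed": False, "reason": "no end-user subject"}
    client = claims.get("azp")                     # client that performed the exchange
    if client not in ALLOWED_CLIENTS:
        return {"allowed": False, "reason": f"client {client!r} not allowed"}
    actor = (claims.get("act") or {}).get("sub")   # delegation chain, if the IdP emits it
    if actor is not None and actor not in ALLOWED_CLIENTS:
        return {"allowed": False, "reason": f"actor {actor!r} not allowed"}
    return {"allowed": True, "reason": "ok", "user": user, "client": client, "actor": actor}
```

The decision dict is what a custom APIcast policy would turn into a 403 or a pass-through; carrying both `user` and `client` forward (for example as upstream headers) is what lets the backend apply per-user and per-application rules without re-validating the token itself.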


              Assignee: Unassigned
              Reporter: rhn-support-dbuena David Buena
              Gabriel Santos
              Votes: 0
              Watchers: 2