Module advanced_token_exchange

Expand description

§Advanced Token Exchange - Enhanced RFC 8693

This module implements an advanced version of the OAuth 2.0 Token Exchange specification (RFC 8693) with additional features for multi-party token chains, context preservation, and sophisticated delegation patterns commonly needed in enterprise and microservice environments.

§Overview

Advanced Token Exchange extends the basic token exchange specification with:

Multi-Party Token Chains: Complex delegation paths through multiple services
Context Preservation: Maintaining original request context through token chains
Privilege Delegation: Fine-grained privilege escalation and de-escalation
Audit Trail: Complete audit logging of token exchange operations
Policy-Based Exchange: Configurable rules for token exchange authorization
Cross-Domain Exchange: Secure token exchange across trust boundaries

§Key Features

Enhanced Subject and Actor Tokens: Support for complex token relationships
Context-Aware Exchange: Preserving business context through delegation
Chain Validation: Ensuring legitimate delegation chains
Privilege Mapping: Automatic privilege translation between domains
Revocation Cascading: Cascading token revocation through delegation chains
Advanced Scopes: Hierarchical and conditional scope management

§Token Exchange Types

Impersonation Exchange: Acting on behalf of another entity
Delegation Exchange: Delegating specific privileges to another service
Translation Exchange: Converting token formats or standards
Context Exchange: Preserving request context in service chains
Federation Exchange: Cross-domain identity federation
Privilege Escalation: Controlled privilege elevation

§Usage Example

use auth_framework::server::advanced_token_exchange::*;
use auth_framework::server::SessionManager;
use std::sync::Arc;

// Initialize advanced token exchange manager
let config = AdvancedTokenExchangeConfig {
    enable_multi_party_chains: true,
    max_delegation_depth: 5,
    require_audit_trail: true,
    enable_context_preservation: true,
    ..Default::default()
};

let session_manager = Arc::new(SessionManager::new(Default::default()));
let exchange_manager = AdvancedTokenExchangeManager::new(config, session_manager)?;

// Create complex token exchange request
let exchange_request = AdvancedTokenExchangeRequest {
    grant_type: "urn:ietf:params:oauth:grant-type:token-exchange".to_string(),
    subject_token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...".to_string(),
    subject_token_type: "urn:ietf:params:oauth:token-type:jwt".to_string(),
    requested_token_type: "urn:ietf:params:oauth:token-type:jwt".to_string(),
    exchange_context: Some(ExchangeContext {
        transaction_id: "txn_123456".to_string(),
        business_context: serde_json::json!({
            "operation": "payment_processing",
            "amount": 1000.00,
            "currency": "USD"
        }),
        delegation_chain: Vec::new(),
        original_request: None,
        security_context: None,
        custom_fields: std::collections::HashMap::new(),
    }),
    policy_requirements: vec![
        "require_mfa".to_string(),
        "audit_financial_operations".to_string()
    ],
    actor_token: None,
    actor_token_type: None,
    resource: Vec::new(),
    audience: Vec::new(),
    scope: None,
    custom_parameters: std::collections::HashMap::new(),
};

// Process token exchange
let exchange_result = exchange_manager.exchange_token(exchange_request).await?;

Structs§

ActorInfo: Actor information for audit
AdvancedTokenExchangeConfig: Configuration for Advanced Token Exchange
AdvancedTokenExchangeManager: Main Advanced Token Exchange Manager
AdvancedTokenExchangeRequest: Advanced Token Exchange Request following enhanced RFC 8693
AdvancedTokenExchangeResponse: Token exchange response following enhanced RFC 8693
CrossDomainExchangeSettings: Cross-domain exchange settings
CrossDomainPolicy: Cross-domain exchange policy
DelegationLink: Link in the delegation chain
DeviceContext: Device context information
ExchangeAuditInfo: Exchange audit information
ExchangeContext: Exchange context for preserving business and technical context
LocationContext: Location context information
PolicyDecision: Policy decision applied during exchange
RequestMetadata: Original request metadata
SecurityAssessment: Security assessment performed
SecurityContext: Security context information
SubjectInfo: Subject information for audit
TokenExchangePolicy: Token exchange policy
TokenInfo: Token information

Enums§

AuthLevel: Authentication level for step-up authentication
DelegationRestriction: Delegation restriction
PolicyAction: Policy action
PolicyCondition: Policy condition
PolicyDecisionResult: Policy decision result
SecurityAssessmentResult: Security assessment result
TokenExchangeType: Type of token exchange performed

Traits§

TokenExchangeProcessor: Token exchange processor trait

Module advanced_token_exchange

Module advanced_token_exchange Copy item path

§Advanced Token Exchange - Enhanced RFC 8693

§Overview

§Key Features

§Token Exchange Types

§Usage Example

Structs§

Enums§

Traits§

Module advanced_token_exchange