Skip to content

Add tokenExchange OAuth2 flow (OAuth 2.0 Token Exchange, RFC 8693)#44

Open
cayetanobv wants to merge 4 commits into
stac-extensions:mainfrom
cayetanobv:token-exchange-flow
Open

Add tokenExchange OAuth2 flow (OAuth 2.0 Token Exchange, RFC 8693)#44
cayetanobv wants to merge 4 commits into
stac-extensions:mainfrom
cayetanobv:token-exchange-flow

Conversation

@cayetanobv

@cayetanobv cayetanobv commented Jul 7, 2026

Copy link
Copy Markdown

This adds tokenExchange to the pre-defined OAuth2 flow keys, mirroring the proposed OpenAPI addition OAI/OpenAPI-Specification#5428 as discussed with @m-mohr in portolan-sdi/portolan-cli#551: OpenAPI PR first, this extension mirrors it.

The flow corresponds to RFC 8693 (OAuth 2.0 Token Exchange): the client presents a token obtained elsewhere — e.g. an identity token from an openIdConnect scheme — at the tokenUrl and receives a different token back, typically short-lived scoped credentials for direct data access. This is the pattern behind cloud STS endpoints and credential vending in data platforms; the driving STAC use case is catalogs whose assets live in access-controlled object storage.

Changes (all mirroring how the existing flows are handled):

  • README: tokenExchange added to the pre-defined flow keys; tokenUrl REQUIRED for it; a short paragraph in the OAuth2 Flow Object section referencing RFC 8693 and the OpenAPI PR.
  • JSON Schema: tokenExchange added to the tokenUrl-required pattern.
  • examples/collection-token-exchange.json: a dedicated, focused example of the two-step pattern — identity scheme + exchange scheme linked via subjectTokenScheme + gated assets (the identity scheme is deliberately unreferenced by any auth:refs, which is the case that motivates the field). The pre-existing examples are untouched.
  • CHANGELOG entry under Unreleased.

npm test passes (remark + stac-node-validator, examples valid).

Update (2026-07-13): the design question below is now resolved after maintainer review: added an optional subjectTokenScheme field on the tokenExchange flow — the key of the auth:schemes entry whose token the client presents as the RFC 8693 subject_token. This makes the two-step order machine-discoverable (a generic client, e.g. STAC Browser, resolves the chain from the document instead of hardcoding it). It deliberately goes one field beyond the OpenAPI proposal: OpenAPI's security work is being reorganized on its own timeline (OAI/OpenAPI-Specification#5428 discussion), and this extension already has precedent for STAC-specific additions (s3, signedUrl); it is a candidate to propose upstream once that settles.

One design question deliberately not addressed here, for discussion: whether/how a tokenExchange scheme should declare which other scheme's token is the expected subject_token (e.g. a field referencing an auth:schemes key vs. leaving it to description prose). Kept out to stay a faithful mirror of the OpenAPI PR; happy to follow up in a separate issue/PR if there's interest.

Note on tooling: AI tooling was used for research and drafting; I reviewed and take responsibility for all content.

…fication#5428

Adds tokenExchange to the pre-defined OAuth2 flow keys: tokenUrl
required, scopes as for all flows. Includes the JSON Schema rule,
a collection example, and a CHANGELOG entry.
@m-mohr m-mohr self-requested a review July 7, 2026 15:41
cayetanobv added a commit to cayetanobv/portolan-cli that referenced this pull request Jul 7, 2026
…catalogs

Repurposes this proposal after the upstream agreement: the vending step
is standardized upstream (OAI/OpenAPI-Specification#5428 mirrored by
stac-extensions/authentication#44), so Portolan adopts the Authentication
extension wholesale instead of owning an access: namespace.

- spec/extensions/authentication.md: profile note — two-step gated read
  (openIdConnect identity + oauth2/tokenExchange vending), fields used,
  client algorithm, chaining convention (pending upstream), validation
  rules, security considerations.
- spec/examples/authentication-collection.json: gated collection with
  two schemes and two gated assets (GeoParquet + Iceberg metadata) on
  one exchange; validates against the v1.1.0 schema.
- access: extension files removed (shape preserved in history as the
  recorded fallback).
Links the exchange to the scheme that supplies its subject_token, so a
generic client (e.g. STAC Browser) can resolve the order of the steps
from the document instead of hardcoding it. Optional; RECOMMENDED when
more than one scheme is declared.
cayetanobv added a commit to cayetanobv/portolan-cli that referenced this pull request Jul 13, 2026
…authentication#44

The tokenExchange flow now declares which auth:schemes entry supplies
its subject_token (added upstream after maintainer review, for generic-
client implementability). Profile: publishers SHOULD provide it, clients
MUST use it when present; portolan check requires it and enforces the
cross-reference resolution the upstream JSON Schema cannot express.
Status note updated: maintainer proposes releasing as a new minor
version of the Auth extension, decoupled from the OpenAPI timeline.
Shows the full chain end-to-end: asset -> auth:refs -> token_exchange ->
subjectTokenScheme -> oauth. Previously the scheme was declared but
unreferenced.
Reverts examples/collection.json to its pristine state and adds
examples/collection-token-exchange.json: identity scheme (oidc) +
exchange scheme linked via subjectTokenScheme + two gated assets sharing
one exchange. The identity scheme is intentionally unreferenced by any
auth:refs — the case that motivates the field. Follows the multi-example
convention of other extensions (e.g. datacube). README points to it.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant