Token Exchange
Token exchange lets supported deployments trade a provider-issued user token for an Auth Service-issued platform token. In v1.0.0, token exchange is registered only for Keycloak and Microsoft Entra provider modes.
Auth0 and generic OIDC deployments do not expose the token-exchange workflow and rely on provider-issued access tokens for user authentication.
When to Use Token Exchange
Section titled “When to Use Token Exchange”Use token exchange when the deployment requires Auth Service-issued access tokens, Auth Service-issued refresh tokens, or platform signing behavior tied to Keycloak or Microsoft Entra identity.
Do not configure token exchange for a provider mode that does not support it.
Operational Requirements
Section titled “Operational Requirements”- Auth Service must trust the configured identity provider.
- Token signing keys must be configured and available.
- Platform services must trust Auth Service-issued tokens.
- Refresh-token policy should be reviewed before production use.
Troubleshooting
Section titled “Troubleshooting”If token exchange fails, confirm the provider mode is Keycloak or Microsoft Entra, the incoming user token is valid for that provider, and Auth Service key configuration is healthy.
Use the generated API reference for exact request formats.