Add tokenExchange OAuth2 flow (OAuth 2.0 Token Exchange, RFC 8693)#44
Open
cayetanobv wants to merge 1 commit into
Open
Add tokenExchange OAuth2 flow (OAuth 2.0 Token Exchange, RFC 8693)#44cayetanobv wants to merge 1 commit into
cayetanobv wants to merge 1 commit into
Conversation
…fication#5428 Adds tokenExchange to the pre-defined OAuth2 flow keys: tokenUrl required, scopes as for all flows. Includes the JSON Schema rule, a collection example, and a CHANGELOG entry.
cayetanobv
added a commit
to cayetanobv/portolan-cli
that referenced
this pull request
Jul 7, 2026
…catalogs Repurposes this proposal after the upstream agreement: the vending step is standardized upstream (OAI/OpenAPI-Specification#5428 mirrored by stac-extensions/authentication#44), so Portolan adopts the Authentication extension wholesale instead of owning an access: namespace. - spec/extensions/authentication.md: profile note — two-step gated read (openIdConnect identity + oauth2/tokenExchange vending), fields used, client algorithm, chaining convention (pending upstream), validation rules, security considerations. - spec/examples/authentication-collection.json: gated collection with two schemes and two gated assets (GeoParquet + Iceberg metadata) on one exchange; validates against the v1.1.0 schema. - access: extension files removed (shape preserved in history as the recorded fallback).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds
tokenExchangeto the pre-defined OAuth2 flow keys, mirroring the proposed OpenAPI addition OAI/OpenAPI-Specification#5428 as discussed with @m-mohr in portolan-sdi/portolan-cli#551: OpenAPI PR first, this extension mirrors it.The flow corresponds to RFC 8693 (OAuth 2.0 Token Exchange): the client presents a token obtained elsewhere — e.g. an identity token from an
openIdConnectscheme — at thetokenUrland receives a different token back, typically short-lived scoped credentials for direct data access. This is the pattern behind cloud STS endpoints and credential vending in data platforms; the driving STAC use case is catalogs whose assets live in access-controlled object storage.Changes (all mirroring how the existing flows are handled):
tokenExchangeadded to the pre-defined flow keys;tokenUrlREQUIRED for it; a short paragraph in the OAuth2 Flow Object section referencing RFC 8693 and the OpenAPI PR.tokenExchangeadded to thetokenUrl-required pattern.examples/collection.json: atoken_exchangescheme (exercises the schema rule in CI).npm testpasses (remark + stac-node-validator, examples valid).One design question deliberately not addressed here, for discussion: whether/how a
tokenExchangescheme should declare which other scheme's token is the expectedsubject_token(e.g. a field referencing anauth:schemeskey vs. leaving it todescriptionprose). Kept out to stay a faithful mirror of the OpenAPI PR; happy to follow up in a separate issue/PR if there's interest.Note on tooling: AI tooling was used for research and drafting; I reviewed and take responsibility for all content.