On-Behalf-Of Token Exchange

1

User

Authorize the user via Auth Code + PKCE flow. The user's access token will be used as the subject token for the on-behalf-of exchange.

/oauth2/default/v1/authorize

Configuration

Okta Domain

Authorization Server

/oauth2/default/v1/

Client ID (User App)

Client Secret (User App) (optional)

Client ID (Service App)

Client Secret (Service App)

Redirect URI

Audience

Scopes (optional)

Configure Okta Domain and Authorization Server to load scopes

cURL Command

Explain cURL | regenerate curl

2

Service App

Exchange the user's access token for a new token scoped to a downstream API. The service app acts on behalf of the user.

/oauth2/default/v1/token grant_type=urn:ietf:params:oauth:grant-type:token-exchange

cURL Command

Explain cURL | regenerate curl

Response

3

Service App Optional

Test the exchanged access token by making an authenticated API request to a resource server.

Request Body (optional)

cURL Command

Explain cURL | regenerate curl