Remove FGAP:v1 from external-internal token exchange #40938
+86
−37
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #40855
This PR removes the requirement to have FGAP:v1 enabled for the new version of external-internal token exchange.
I had some doubts about if
ExternalToInternalTokenExchangeProvidershould extendAbstractTokenExchangeProviderorStandardTokenExchangeProvider.There are pros and cons: the external-internal exchange works in a similar way to
StandardTokenExchangeProviderwhen generating the internal token, especially for things like scope and audience validation, so a lot of the logic is the same. On the other hand, some parts could be simplified, for example the code to handle offline tokens, refresh tokens, transient sessions which are not supported for external-internal.I chose to extend
StandardTokenExchangeProviderfor now, but we can switch toAbstractTokenExchangeProviderlater if the implementation becomes more different.