Token Exchange

OAuth 2.0 Token Exchange (RFC 8693) for delegation and impersonation scenarios.

Token Type Constants

token_type

Token type identifiers per RFC 8693 Section 3.

Constants for use with the TokenExchangeRequest fields subject_token_type, actor_token_type, and requested_token_type.

Request Model

TokenExchangeRequest(address, client_id, subject_token, subject_token_type, actor_token=None, actor_token_type=None, resource=None, audience=None, scope=None, requested_token_type=None, client_secret=None) dataclass

Bases: BaseRequest

Request for OAuth 2.0 Token Exchange (RFC 8693).

Attributes:

address (str): The token endpoint URL.
client_id (str): The client identifier.
subject_token (str): Token representing the subject of the exchange.
subject_token_type (str): URI indicating the subject token type (use constants from py_identity_model.core.token_type).
actor_token (str | None): Token representing the actor (for delegation).
actor_token_type (str | None): URI indicating the actor token type (required when actor_token is provided).
resource (str | None): Target service URI.
audience (str | None): Logical name of the target service.
scope (str | None): Space-delimited requested scopes.
requested_token_type (str | None): Desired type of the issued token.
client_secret (str | None): Client secret (optional for public clients).

Response Model

TokenExchangeResponse(is_successful, error=None, token=None, issued_token_type=None) dataclass

Bases: BaseResponse

Response from a token exchange request (RFC 8693).

Check is_successful before accessing token or issued_token_type. The token dict contains standard OAuth 2.0 token fields (access_token, token_type, etc.).

Functions

exchange_token(request, http_client=None)

Exchange a token using OAuth 2.0 Token Exchange (RFC 8693).

Supports both delegation (with actor_token) and impersonation (without actor_token) scenarios.

Parameters:

request (TokenExchangeRequest): Token exchange request with subject token and parameters. Required.
http_client (HTTPClient | None): Optional managed HTTP client. Default: None.

Returns:

TokenExchangeResponse: TokenExchangeResponse with exchanged token and issued_token_type.
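
The request fields and the response check documented above, expressed at the RFC 8693 wire level. This is an added example, not py_identity_model's own code: the helper names build_exchange_form and check_exchange_response, the audience orders-api and the token strings are hypothetical, and client authentication is left out.

```python
from urllib.parse import urlencode

# Identifiers defined by RFC 8693 (sections 2.1 and 3).
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
JWT = "urn:ietf:params:oauth:token-type:jwt"


def build_exchange_form(subject_token, subject_token_type, actor_token=None,
                        actor_token_type=None, resource=None, audience=None,
                        scope=None, requested_token_type=None):
    """Form-encode the token exchange parameters (hypothetical helper)."""
    # RFC 8693: actor_token_type is required with actor_token and must not
    # be sent without it, so the two are accepted only as a pair.
    if (actor_token is None) != (actor_token_type is None):
        raise ValueError("actor_token and actor_token_type must be sent together")
    fields = {
        "grant_type": GRANT_TYPE,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "actor_token": actor_token,
        "actor_token_type": actor_token_type,
        "resource": resource,
        "audience": audience,
        "scope": scope,
        "requested_token_type": requested_token_type,
    }
    return urlencode({k: v for k, v in fields.items() if v is not None})


def check_exchange_response(body, requested_token_type=None):
    """Validate a decoded JSON success response (hypothetical helper)."""
    required = ("access_token", "issued_token_type", "token_type")
    missing = [name for name in required if name not in body]
    if missing:
        raise ValueError("response missing " + ", ".join(missing))
    # Client-side policy, not an RFC rule: refuse a token of another type
    # than the one this caller asked for.
    if requested_token_type and body["issued_token_type"] != requested_token_type:
        raise ValueError("unexpected issued_token_type")
    return body["access_token"], body["issued_token_type"]


# Constructed sample values, not real tokens.
impersonation = build_exchange_form("user-token", ACCESS_TOKEN, audience="orders-api")
delegation = build_exchange_form("user-token", ACCESS_TOKEN, actor_token="svc-token",
                                 actor_token_type=JWT, audience="orders-api",
                                 requested_token_type=ACCESS_TOKEN)
```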