Open gffletch opened 1 month ago
Embedded with the Authorization Server
In this model, the token exchange endpoint is exposed as part of the standard Authorization Server exposed endpoints.

Pros:

- `iss` claim is the same as the authorization server and likely already known by downstream workloads
- `iss` claim and exposes the JWKS URI

Cons:
Notes from call on 06-14-2024
Here is how we deployed the TTS in our environment:
Although the TTS is a logical part of the AS system (and provided by the same team), it is a separate microservice from the authorization and token endpoints of the AS used by OAuth clients. The auth and token endpoints used by clients are reachable by clients outside of the company network, while the TTS endpoint is only reachable from within the company network. The key to sign the TraT is different from the key material used to encrypt/sign the ATs issued by the externally reachable token endpoint. Hence the "iss" and JWKS URIs are different. We have multiple data centers and in each DC the TTS is available. The "iss" used by all TTS is the same for all DCs; a DC agnostic URI. All TTS deployments share the same key material.
This issue is to track different deployment models for the Transaction Token Service