Token Exchange

[wacko-cornflower]

Hi there. Im currently trying to test out the token exhange functionality but have run into a couple of problems that i would like to double check with anyone more knowledgeable.

First of all the setup:
We are running with the terraform provider version 1.9.0 and the janssen is running 1.11.0

Issue 1:
What we have seen so far is that we are not able to set the grant_type of a client to the token-exchange type(have tried token_exchange,token-exchange and urn:ietf:params:oauth:grant-type:token-exchange).
It errors out saying that it is not a valid option.

Issue 2:
But then also we have had some issues loading our interception script that we wanted to use for this. Some looking into the the janssen source led us to notice that the code for loading the script files in ExternalTokenExchangeService.java was using the attribute for postauthn:
final List<CustomScriptConfiguration> scripts = getCustomScriptConfigurationsByDns(client.getAttributes().getPostAuthnScripts());
The source suggests that it will work but we are getting nullpointers exceptions when we return from our token-exchange interception script when it always returns a statically created object. (the example code with some additional debug lines).

Issue 3:
The documentation is also a bit ambiguous with these pages being slightlty different (for instance in Content-Type):
https://docs.jans.io/head/janssen-server/auth-server/oauth-features/token-exchange/
https://docs.jans.io/head/script-catalog/token_exchange/token-exchange/

So to summarise:
How are we supposed to be setting a client a token-exchange capable? Is it not with a grant at all?
Is there additional configuration needed to be able to successfully return from the interception script?

Thanks in advance!

[yuriyz]

First you prepare PostAuthn script. Then set dn of that script into client.
You can register or update existing client with it. Property name is post_authn_script_dns.
Please refer to swagger: https://github.com/JanssenProject/jans/blob/main/jans-auth-server/docs/swagger.yaml#L1767C17-L1767C38

As alternative you can set it directly in DB (jansClnt table, jansAttrs column, add "postAuthnScripts": ["post authn script dn"])

[polsson12]

Chipping in here... I have the exact same concerns as @wacko-cornflower, did you read the questions?

It's not possible to config the client with the grant type urn:ietf:params:oauth:grant-type:token-exchange via terraform. The provider doesn't allow the value, but it's required to be present in order for a client to use the flow. You can insert it directly in the DB, but that's not how a production environment should look like.

Shouldn't token_exchange_scripts be read from the attribute token_exchange_scripts (terraform)
by a function client.getAttributes().getTokenExchangeScripts(), instead of client.getAttributes(). getPostAuthnScripts()?

Yeah, the docs are very confusing as mentioned. They diverge very much.

Which script type should the provider have?
I guess:
script_type = "token_exchange"

?

[wacko-cornflower]

I have spent the day trying to cross off stuff to test in the checklist.

Regarding 1.
I have updated to the latest stable terraform provider, 1.13. That now allows me to set a grant_type of urn:ietf:params:oauth:grant-type:token-exchange via terraform. However it seems that setting is not propagated to the db.

I have also updated to janssen 1.14.0 but that has not made any changes in regard to the token exchange flows that i have been able to spot

[wacko-cornflower]

Oh and regarding 2.
This is still throwing a nullpointer exception when it returns from the token-exchange interception script we have.

jans-auth - 2025-12-02 14:56:17,603 INFO [qtp1927499639-21] [se.domain.TokenExchangeAuthenticator] (Generated:66) - Se_TokenExchangeAuthenticator Returning from TokenExchangeAuthenticator script with success. jans-auth - 2025-12-02 14:56:17,603 ERROR [qtp1927499639-21] [as.server.token.ws.rs.TokenRestWebServiceImpl] (TokenRestWebServiceImpl.java:244) - Cannot invoke "io.jans.model.custom.script.type.token.ScriptTokenExchangeControl.isSkipBuiltinValidation()" because "scriptControl" is null java.lang.NullPointerException: Cannot invoke "io.jans.model.custom.script.type.token.ScriptTokenExchangeControl.isSkipBuiltinValidation()" because "scriptControl" is null   at io.jans.as.server.token.ws.rs.TokenExchangeService.processTokenExchange(TokenExchangeService.java:144) ~[classes/:?]   at io.jans.as.server.token.ws.rs.TokenRestWebServiceImpl.requestAccessToken(TokenRestWebServiceImpl.java:235) ~[classes/:?]   at io.jans.as.server.token.ws.rs.TokenRestWebServiceImpl$Proxy$_$$_WeldClientProxy.requestAccessToken(Unknown Source) ~[classes/:?]