AuthMS API Wiki: API Reference (iam.tianv.com)

POST /oauth/token-exchange

Implements the RFC 8693 token exchange standard, supporting delegation chains built from subject_token and actor_token, and exchanges the original JWT for a restricted access token for downstream services. Used in NHI Workload identity delegation scenarios. Reference: RFC 8693 (OAuth 2.0 Token Exchange).

Tag: OAuth | Security: None | Consumes: application/x-www-form-urlencoded

Request Parameters

| Name | In | Type | Required | Default | Example | Constraints | Description |
|---|---|---|---|---|---|---|---|
| grant_type | formData | string | Yes | | | enum: `urn:ietf:params:oauth:grant-type:token-exchange` | Grant type |
| subject_token | formData | string | Yes | | | | Subject token (JWT) |
| actor_token | formData | string | No | | | | Actor (delegate) token (JWT) |
| scope | formData | string | No | | | | Requested scope |
| client_id | formData | string | No | | | | Client ID |

Responses

| Status | Description | Schema |
|---|---|---|
| 200 | Exchanged access token (includes access_token, token_type, expires_in, scope) | dto.OAuthTokenResponse |
| 400 | invalid_scope: the requested scope is invalid or exceeds the permitted range. Reference: RFC 8693. | dto.OAuthErrorResponse |
| 401 | invalid_token: subject_token is invalid or expired | dto.OAuthErrorResponse |
| 500 | server_error: internal error in the token exchange service | dto.OAuthErrorResponse |
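As an added example (not code from the AuthMS project), the following Python sketches the server-side contract of this endpoint: it validates the form fields listed above, downscopes the requested scope against the subject_token, records actor_token delegation in an RFC 8693 `act` claim, and returns the status codes and dto shapes listed under Responses. The token contents in `KNOWN_TOKENS` are constructed sample claim sets standing in for already signature-verified JWTs, `mint_token` is an unsigned placeholder for the real signer, and treating an invalid actor_token as 401 invalid_token is an assumption, since the page only documents that code for subject_token.

```python
import base64, json, time
from typing import Any, Dict, Tuple

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"

# Constructed sample: claim sets of already signature-verified JWTs, keyed by raw token string.
KNOWN_TOKENS: Dict[str, Dict[str, Any]] = {
    "subj.jwt": {"sub": "svc-orders", "scope": "openid orders:read orders:write", "exp": 4102444800},
    "actor.jwt": {"sub": "svc-gateway", "exp": 4102444800},
    "expired.jwt": {"sub": "svc-old", "scope": "orders:read", "exp": 1},
}

def mint_token(claims: Dict[str, Any]) -> str:
    # Placeholder for the real signer: unsigned base64url JSON, so the result stays inspectable.
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return "unsigned." + base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_token(token: str) -> Dict[str, Any]:
    body = token.split(".", 1)[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def error(status: int, code: str, desc: str) -> Tuple[int, Dict[str, Any]]:
    return status, {"error": code, "error_description": desc}  # dto.OAuthErrorResponse

def token_exchange(form: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
    """Handle the POST /oauth/token-exchange form fields; return (HTTP status, JSON body)."""
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return error(400, "unsupported_grant_type", "grant_type must be the token-exchange URN")
    now = time.time()
    subject = KNOWN_TOKENS.get(form.get("subject_token", ""))
    if subject is None or subject["exp"] <= now:
        return error(401, "invalid_token", "subject_token invalid or expired")
    # Downscoping: the exchanged token never carries more scope than the subject_token had.
    granted = set(subject.get("scope", "").split())
    requested = set(form.get("scope", "").split()) or granted
    if not requested <= granted:
        return error(400, "invalid_scope", "requested scope exceeds subject_token scope")
    claims: Dict[str, Any] = {"sub": subject["sub"], "scope": " ".join(sorted(requested)), "exp": int(now) + 3600}
    if form.get("actor_token"):
        actor = KNOWN_TOKENS.get(form["actor_token"])
        if actor is None or actor["exp"] <= now:
            return error(401, "invalid_token", "actor_token invalid or expired")
        # RFC 8693 delegation: "act" names who acts for the subject; a prior "act" is nested to keep the chain.
        claims["act"] = {"sub": actor["sub"]}
        if "act" in subject:
            claims["act"]["act"] = subject["act"]
    return 200, {"access_token": mint_token(claims), "token_type": "Bearer",
                 "expires_in": 3600, "scope": claims["scope"]}  # dto.OAuthTokenResponse
```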

Referenced Schemas

dto.AuthorizationDetailDTO

| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| actions | array of string | No | ["list_accounts", "read_balances"] | | Actions |
| constraints | object | No | | | Extended constraints |
| data_types | array of string | No | ["account_details", "balances"] | | Data types |
| identifier | string | No | account-12345 | | Identifier |
| locations | array of string | No | ["https://example.com/accounts"] | | Locations |
| type | string | No | account_information | | Authorization type |

dto.OAuthErrorResponse

OAuth standard error response

| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| error | string | No | invalid_request | | Error code |
| error_description | string | No | Missing required parameter | | Error description |
| error_uri | string | No | https://docs.example.com/errors | | Error URI |
| state | string | No | state-123 | | State |

dto.OAuthTokenResponse

OAuth token response

| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| access_token | string | No | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... | | Access token |
| authorization_details | array of dto.AuthorizationDetailDTO | No | | | RAR authorization details |
| expires_in | integer | No | 3600 | | Expiry in seconds |
| id_token | string | No | eyJhbGci... | | OIDC ID token |
| refresh_token | string | No | rt_abc123 | | Refresh token |
| scope | string | No | openid profile email | | Scope |
| token_type | string | No | Bearer | | Token type |