Description
Problem
Current implementation requires a separate actor token even when the subject and actor are the same entity:
- Creates unnecessary complexity for self-delegation scenarios
- Forces clients to obtain two tokens (subject and actor) for the same entity
- Increases token exchange request size and processing overhead
- Complicates client implementation for common use cases
- Reduces efficiency in scenarios where an entity delegates to itself with different scopes
Proposed Solution
Implement self-delegation detection and processing:
- Add request classifier to identify self-delegation scenarios
- Make actor token optional when subject and actor are the same
- Preserve security by validating self-delegation is intentional
- Add proper claim structure for self-delegated tokens
- PRRA: Implement the self delegation flow with azp claim inside the act/sub claim wso2-extensions/identity-oauth2-grant-token-exchange#54
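To make the proposal concrete, here is an added example of what a self-delegation classifier and claim builder for an RFC 8693 token exchange could look like. It is illustrative code written for this issue, not code from WSO2 Identity Server or from the linked PR. Its design choices are assumptions: it treats a one-token request as intentional self-delegation only when the authenticated client is the party the subject token was issued to (its azp), it refuses any requested scope that widens the subject token's scope, and it records the requesting client's id as azp inside the act claim; the exact claim structure the PR chose is not shown here.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ExchangeKind(Enum):
    IMPERSONATION = "impersonation"       # no actor: new token simply speaks as the subject
    DELEGATION = "delegation"             # a distinct actor acts on behalf of the subject
    SELF_DELEGATION = "self_delegation"   # the subject entity delegates to itself


class ExchangeError(ValueError):
    """Raised when a token exchange request must be refused."""


@dataclass
class ExchangeRequest:
    """Hypothetical view of one token exchange request after token validation.

    subject_claims / actor_claims are the decoded payloads of subject_token and
    actor_token; signature and expiry checks are assumed to have happened already.
    client_id is the client that authenticated to the token endpoint.
    """
    client_id: str
    subject_claims: dict
    requested_scope: frozenset
    actor_claims: Optional[dict] = None


def classify(req: ExchangeRequest) -> ExchangeKind:
    """Request classifier: decide which exchange pattern this request represents."""
    subject = req.subject_claims["sub"]
    if req.actor_claims is not None:
        # Two-token form. The same entity on both tokens is the self-delegation
        # case the issue wants to serve without a second token.
        if req.actor_claims["sub"] == subject:
            return ExchangeKind.SELF_DELEGATION
        return ExchangeKind.DELEGATION
    # One-token form. Assumption: the exchange counts as intentional
    # self-delegation only when the authenticated client is the party the
    # subject token was issued to (its azp), i.e. the same entity is asking
    # for a token about itself. Anything else without an actor token is
    # plain impersonation under RFC 8693 semantics.
    if req.subject_claims.get("azp") == req.client_id:
        return ExchangeKind.SELF_DELEGATION
    return ExchangeKind.IMPERSONATION


def build_claims(req: ExchangeRequest, allow_impersonation: bool = False):
    """Return (kind, claims) for the token to issue, or raise ExchangeError."""
    kind = classify(req)
    subject_scope = frozenset(req.subject_claims.get("scope", "").split())
    # Least privilege: an exchanged token never widens the subject token's scope.
    if not req.requested_scope <= subject_scope:
        raise ExchangeError("requested scope exceeds subject token scope")
    if kind is ExchangeKind.IMPERSONATION and not allow_impersonation:
        raise ExchangeError("impersonation not permitted for this client")

    claims = {
        "sub": req.subject_claims["sub"],
        "azp": req.client_id,
        "scope": " ".join(sorted(req.requested_scope)),
    }
    if kind is ExchangeKind.DELEGATION:
        # RFC 8693 act claim identifies the acting party.
        claims["act"] = {"sub": req.actor_claims["sub"]}
    elif kind is ExchangeKind.SELF_DELEGATION:
        # Assumed self-delegation structure: the entity is named as its own actor,
        # with the requesting client's id recorded as azp inside act.
        claims["act"] = {"sub": req.subject_claims["sub"], "azp": req.client_id}
    return kind, claims


# Constructed sample input: a service that obtained a token for itself and now
# wants a narrower token without presenting that token again as actor_token.
SUBJECT_TOKEN = {"sub": "service-a", "azp": "service-a", "scope": "read write"}


def demo():
    req = ExchangeRequest("service-a", SUBJECT_TOKEN, frozenset({"read"}))
    return build_claims(req)


if __name__ == "__main__":
    kind, claims = demo()
    print(kind.value, claims)
```

Running the block classifies the one-token request from service-a as self-delegation and issues a token scoped to "read" with an act claim naming service-a. The same classifier still recognises the existing two-token form (actor_token whose sub matches the subject), keeps genuine delegation on the normal act path, and refuses both scope escalation and unsignalled impersonation, which is the "validate self-delegation is intentional" point from the proposal.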
Alternatives
No response
Please select the area issue is related to
Other
Version
No response
Developer Checklist
- [Behavioural Change] Does this change introduce a behavioral change to the product?
- ↳ Approved by team lead
- ↳ Label impact/behavioral-change added
- [Migration Impact] Does this change have a migration impact?
- ↳ Migration label added (e.g., 7.2.0-migration)
- ↳ Migration issues created and linked
- [New Configuration] Does this change introduce a new configuration?
- ↳ Label config added
- ↳ Configuration is properly documented