Exchanging OAuth/OIDC Access Token


I have this use case and I'm wondering how to effectively use the token-exchange protocol. My use case is this:

  1. App 1 authenticates with the OAuth server (OIDC) and obtains an ID token and an access token. It can use the access token to call APIs (e.g. userInfo and other APIs) on the OAuth server. The access token has client_id as App1 and aud as OAuthServer.

  2. I need to solve this use case: App 1 has to pass a "token" to App 2. App 2 validates the "token" and does some operation; App 2 also has to call APIs on the OAuth server.

After reading the token-exchange flows, I was thinking of the following:

a) App1 uses its access token to call token-exchange to get "token2" for App2. "token2" contains client_id as App1 and aud as App2.

b) App1 passes token2 to App2. App2 validates the aud claim and does some operation.

c) App2 passes "token2" to token-exchange to get "token3" for App2. "token3" contains client_id as App2 and aud as OAuthServer.

d) App2 can use token3 to call the OAuthServer.

Let me know if there is a better way to do this.

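The four steps a) to d) above, modelled end to end as an added example (this is not code from the original post, and the issuer URL, the client ids `app1`/`app2`, the subject `alice`, the HMAC signing key and the `KNOWN_AUDIENCES` policy are all constructed assumptions). It shows the two checks that make the design hold up: every receiver verifies that `aud` names itself (so App1's original token cannot be replayed at App2), and the token endpoint only exchanges a subject token for the authenticated client that either holds it or is named in its `aud`. The exchange request shape, the `act` claim and the `invalid_request`/`invalid_target` error codes follow RFC 8693; the HS256 signing is a stand-in for a real asymmetric key.

```python
import base64
import hashlib
import hmac
import json

# Added example, not code from the original post. Every name below is a constructed
# assumption: one issuer, two registered clients, and an HMAC key standing in for
# the authorization server's real (asymmetric) signing key.
ISSUER = "https://oauth.example"
APP1, APP2 = "app1", "app2"
KNOWN_AUDIENCES = {ISSUER, APP1, APP2}
KEY = b"demo-only-signing-key"
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict) -> str:
    """Mint a compact HS256 JWT (illustrative; use an asymmetric key in production)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def decode_checked(token: str, now: float) -> dict:
    """Signature, issuer and expiry checks; raises ValueError on any failure."""
    head, body, mac = token.split(".")
    want = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64(mac)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        raise ValueError("wrong issuer or expired")
    return claims

def audiences(claims: dict) -> list:
    aud = claims.get("aud", [])
    return aud if isinstance(aud, list) else [aud]

def verify(token: str, expected_aud: str, now: float) -> dict:
    """Receiver-side check (App2, the server's APIs): aud must name *this* service."""
    claims = decode_checked(token, now)
    if expected_aud not in audiences(claims):
        raise ValueError(f"aud {audiences(claims)} does not include {expected_aud}")
    return claims

def issue(sub: str, client_id: str, aud: str, now: float, act=None, ttl=300) -> str:
    claims = {"iss": ISSUER, "sub": sub, "client_id": client_id, "aud": aud,
              "iat": int(now), "exp": int(now) + ttl}
    if act:
        claims["act"] = act  # RFC 8693 actor claim: records the party that delegated
    return sign(claims)

def token_exchange(form: dict, client_id: str, now: float) -> dict:
    """Simplified RFC 8693 token endpoint. client_id is the caller the server has already
    authenticated (client secret, mTLS, private_key_jwt); the exchange policy hangs on it."""
    if form.get("grant_type") != TOKEN_EXCHANGE:
        return {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != ACCESS_TOKEN:
        return {"error": "invalid_request"}
    audience = form.get("audience")
    if audience not in KNOWN_AUDIENCES:
        return {"error": "invalid_target"}  # RFC 8693 error code for an unacceptable audience
    try:
        subject = decode_checked(form.get("subject_token", ""), now)
    except ValueError:
        return {"error": "invalid_request"}  # RFC 8693: a bad subject_token is invalid_request
    # Policy: a client may exchange its own token, or one whose aud names that client.
    # Any other holder of the bearer token (for instance after a leak) gets nothing.
    holder = subject.get("client_id")
    if client_id != holder and client_id not in audiences(subject):
        return {"error": "invalid_request"}
    act = None
    if client_id != holder:  # a delegation hop: keep the chain visible in act
        act = {"client_id": holder, **({"act": subject["act"]} if "act" in subject else {})}
    return {"access_token": issue(subject["sub"], client_id, audience, now, act=act),
            "issued_token_type": ACCESS_TOKEN, "token_type": "Bearer", "expires_in": 300}

def run_flow(now: float) -> dict:
    """Steps a-d from the question; returns the claims each receiver ends up accepting."""
    token1 = issue("alice", APP1, ISSUER, now)  # App1's original access token
    req = {"grant_type": TOKEN_EXCHANGE, "subject_token_type": ACCESS_TOKEN}
    # a) App1 exchanges token1 for token2 (client_id=App1, aud=App2)
    token2 = token_exchange({**req, "subject_token": token1, "audience": APP2},
                            APP1, now)["access_token"]
    claims2 = verify(token2, APP2, now)  # b) App2 validates aud before doing any work
    # c) App2 exchanges token2 for token3 (client_id=App2, aud=the OAuth server)
    token3 = token_exchange({**req, "subject_token": token2, "audience": ISSUER},
                            APP2, now)["access_token"]
    claims3 = verify(token3, ISSUER, now)  # d) the server's own APIs accept token3
    return {"token1": token1, "token2": token2, "claims2": claims2, "claims3": claims3}
```

In a real deployment `token_exchange` sits behind a form-encoded POST to the token endpoint, and `client_id` comes from client authentication on that request rather than from the form body; that binding is what lets the server refuse step c) to anyone other than App2 even though App2 holds token2 as a plain bearer. The `act` claim on token3 is what gives the server's APIs an audit trail (App2 acting on a token that App1 delegated) instead of a token that looks as if App2 obtained it directly.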