TelenorID+ Token Exchange
The TelenorID+ roadmap is to support OAuth 2.0 Token Exchange, with support for both Delegation and Impersonation.
At the moment, however, TelenorID+ only supports a custom legacy API. Note that this API is deprecated and will be removed once support for OAuth 2.0 Token Exchange is implemented. It enables clients to change the tnuid in the access token so that it points to another profile for the same end user. This is only relevant for end users with several profiles.
Prerequisite
To use the token exchange solution, your client needs to be configured to be allowed to use it.
- The client setting Update AT claims must be set to TRUE
- The client must be allowed to use the scope account.profiles (more information about scopes here).
Please contact us to make sure that this is configured.
Input
The token exchange request is made to the Token endpoint, where the following parameters must be set as follows:
Parameter | Description |
---|---|
scope | account.profiles must be one of the scopes |
grant_type | refresh_token |
tnuId | The tnuid of the profile that you would like to change to |
Example
POST /connect/token
Content-Type: application/x-www-form-urlencoded

client_id=client1&
client_secret=secret&
grant_type=refresh_token&
refresh_token=88E0E30...&
tnuId='nss-hTv...'
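The request above, built and checked from client code, as an added example that is not TelenorID+ code. It percent-encodes every form value and then confirms that the returned access token points at the requested profile. The function names are hypothetical, and it assumes the access token is a JWT carrying a `tnuid` claim, which the page does not state.

```python
import base64
import json
from urllib.parse import urlencode


def build_profile_switch_request(client_id, client_secret, refresh_token, tnuid):
    """Return (headers, body) for the profile-switch call on the Token endpoint."""
    if not tnuid:
        raise ValueError("tnuId of the target profile is required")
    # urlencode percent-encodes every value, so characters such as '&', '=' or
    # '+' inside a secret, token or tnuid cannot alter or add parameters.
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "tnuId": tnuid,  # spelled as in the parameter table
    })
    return {"Content-Type": "application/x-www-form-urlencoded"}, body


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying its signature (sanity check only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def confirm_switched_profile(token_response, expected_tnuid):
    """Return the new access token only if it points at the requested profile."""
    access_token = token_response["access_token"]
    # Assumption: the access token is a JWT carrying a "tnuid" claim.
    if jwt_claims(access_token).get("tnuid") != expected_tnuid:
        raise ValueError("access token does not point at the requested profile")
    return access_token


def constructed_token(tnuid):
    """Build an unsigned, constructed sample token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc({"tnuid": tnuid})}.sig'


if __name__ == "__main__":
    headers, body = build_profile_switch_request("client1", "s&cret", "RT-sample", "profile-B")
    print(body)
    response = {"access_token": constructed_token("profile-B")}  # constructed response
    print(confirm_switched_profile(response, "profile-B")[:20], "...")
```

The claim check is only a client-side sanity test on a token received directly from the Token endpoint; APIs that accept the token must still validate its signature.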