Enterprise-Managed Authorization

ID-JAG token exchange for MCP and Cross-App Access style integrations.

Updated Jul 14, 2026 Edit this page

Enterprise-Managed Authorization

AuthOS exposes an OAuth form endpoint for MCP and Cross-App Access style enterprise-managed authorization.

This capability is Beta. Public end-to-end, conformance, and abuse-case evidence is incomplete; the endpoint names and discovery metadata should not be read as a general OAuth/OIDC certification. See the current project status.

Current scope: AuthOS issues ID-JAGs from existing AuthOS service-scoped JWTs, records them as one-time authorization grants, and redeems those AuthOS-issued ID-JAGs into normal AuthOS bearer tokens for registered service resource URIs. Third-party enterprise IdP ID-JAG assertions are not accepted by this endpoint.

Endpoints

Method Path Purpose
POST /oauth/token Token exchange and JWT bearer grant
POST /oauth2/token Alias for /oauth/token

Existing device-flow clients continue to use POST /auth/token. OIDC discovery keeps token_endpoint on /auth/token for compatibility and publishes enterprise_token_endpoint for this flow.

Request an ID-JAG

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&requested_token_type=urn:ietf:params:oauth:token-type:id-jag
&audience=https://auth.example.com
&resource=https://api.example.com/mcp
&subject_token=AUTHOS_SERVICE_JWT
&subject_token_type=urn:ietf:params:oauth:token-type:access_token
&client_id=SERVICE_CLIENT_ID

Response:

{
  "issued_token_type": "urn:ietf:params:oauth:token-type:id-jag",
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6Im9hdXRoLWlkLWphZytqd3Qi...",
  "token_type": "N_A",
  "expires_in": 300
}

Requested scope values are accepted only when the subject token already contains those scopes. A normal AuthOS service login token should omit scope for coarse resource access.

Exchange the ID-JAG

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&assertion=ID_JAG
&client_id=SERVICE_CLIENT_ID
&client_secret=SERVICE_CLIENT_SECRET

Response:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6...",
  "token_type": "Bearer",
  "expires_in": 86400
}

The ID-JAG assertion is single-use. The bearer token uses the requested resource URI as aud, includes scope when one was granted, and is stored in the AuthOS session table for revocation. No refresh token is returned from the JWT bearer exchange.

Discovery

/.well-known/openid-configuration advertises:

  • enterprise_token_endpoint
  • urn:ietf:params:oauth:grant-type:token-exchange
  • urn:ietf:params:oauth:grant-type:jwt-bearer
  • urn:ietf:params:oauth:grant-profile:id-jag
  • urn:ietf:params:oauth:token-type:id-jag