OAuth 2.0 OBO Credential Injection Policy
| | |
|---|---|
| Policy Name | OAuth 2.0 OBO Credential Injection |
| Summary | Exchanges incoming bearer tokens using the OAuth 2.0 Token Exchange (RFC 8693) or Microsoft Entra ID On-Behalf-Of protocols |
| Category | Security |
| First Flex Gateway version available | v1.11.0 |
| Returned Status Codes | No return codes exist for this policy. Error codes are returned from the upstream service. |
Summary
The OAuth 2.0 On-Behalf-Of (OBO) Credential Injection policy exchanges an incoming bearer token for a new token issued for a specific upstream service. The policy supports the OAuth 2.0 Token Exchange (RFC 8693) and Microsoft Entra ID On-Behalf-Of protocols. It is applied to outbound traffic (gateway to the backend service), so the gateway obtains the OAuth 2.0 token each backend service expects without the caller having to request it.
The policy extracts the Bearer token from the incoming request's Authorization header and sends a token exchange request to the configured token endpoint, authenticating as the configured client. It then replaces the Authorization header with the token returned by the token endpoint and forwards the modified request to the backend service. Because the original token is replaced rather than forwarded, the backend receives a token issued for its own audience or resource rather than the caller's original token.
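The exchange described above, as an added worked example that is not Flex Gateway's own code: it builds the form bodies for both supported flows from the parameters this page lists (client ID, client secret, target type and value, scope, timeout), posts them to a constructed in-memory stand-in for a token endpoint so that it runs offline, and swaps the Authorization header. The grant-type and token-type URNs are the ones defined by RFC 8693 and by the Microsoft identity platform for On-Behalf-Of, and the `audience`/`resource` parameters are RFC 8693's own. The endpoint URL, client credentials, header values and token strings are invented for the example, and failing closed on an exchange error is a design choice made here, not a statement about what the gateway does.

```python
import json
from urllib.parse import parse_qs, urlencode

# Grant-type and token-type URNs defined by RFC 8693 and by the Microsoft
# identity platform for On-Behalf-Of; these values are the real ones.
RFC8693_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


class TokenExchangeError(Exception):
    """Raised when no usable token can be obtained from the token endpoint."""


def extract_bearer(headers):
    """Return the token from the incoming Authorization: Bearer header."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenExchangeError("request carries no Bearer token")
    return token.strip()


def rfc8693_body(subject_token, client_id, client_secret, target_type, target_value):
    """Form parameters for an RFC 8693 exchange. target_type chooses between the
    'audience' and 'resource' request parameters that RFC 8693 defines."""
    if target_type not in ("audience", "resource"):
        raise ValueError("target_type must be 'audience' or 'resource'")
    return {
        "grant_type": RFC8693_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        target_type: target_value,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def entra_obo_body(subject_token, client_id, client_secret, scope):
    """Form parameters for a Microsoft Entra ID On-Behalf-Of request."""
    return {
        "grant_type": JWT_BEARER_GRANT,
        "assertion": subject_token,
        "requested_token_use": "on_behalf_of",
        "scope": scope,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def exchange_and_inject(headers, body, post, token_endpoint, timeout_ms=10000):
    """POST the exchange request, then return a copy of the request headers with
    Authorization replaced by the exchanged token. Fails closed (a choice made
    in this example): on any error the caller's original token is not forwarded."""
    status, payload = post(token_endpoint, urlencode(body), timeout_ms / 1000.0)
    if status != 200:
        raise TokenExchangeError(f"token endpoint returned HTTP {status}")
    try:
        new_token = json.loads(payload)["access_token"]
    except (ValueError, KeyError) as exc:
        raise TokenExchangeError("no access_token in token response") from exc
    out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    out["Authorization"] = f"Bearer {new_token}"
    return out


def fake_token_endpoint(url, form, timeout_s):
    """Constructed in-memory stand-in for a token endpoint (not a real IdP)."""
    q = {k: v[0] for k, v in parse_qs(form).items()}
    if q.get("client_secret") != "s3cr3t":
        return 401, json.dumps({"error": "invalid_client"})
    if q.get("grant_type") == RFC8693_GRANT:
        target = q.get("audience") or q.get("resource")
        return 200, json.dumps({"access_token": f"exchanged-for-{target}",
                                "issued_token_type": ACCESS_TOKEN_TYPE,
                                "token_type": "Bearer"})
    if q.get("grant_type") == JWT_BEARER_GRANT and q.get("requested_token_use") == "on_behalf_of":
        return 200, json.dumps({"access_token": f"obo-for-{q['scope']}", "token_type": "Bearer"})
    return 400, json.dumps({"error": "unsupported_grant_type"})


def demo():
    """Run both flows plus one failed exchange against the constructed endpoint."""
    incoming = {"Authorization": "Bearer caller-token", "Host": "orders.example.internal"}
    subject = extract_bearer(incoming)
    idp = "https://idp.example.test/token"  # hypothetical token endpoint URL
    rfc = exchange_and_inject(incoming, rfc8693_body(
        subject, "gw-client", "s3cr3t", "audience", "https://orders.example.internal"),
        fake_token_endpoint, idp)
    obo = exchange_and_inject(incoming, entra_obo_body(
        subject, "gw-client", "s3cr3t", "api://orders/.default"), fake_token_endpoint, idp)
    try:
        exchange_and_inject(incoming, rfc8693_body(
            subject, "gw-client", "wrong-secret", "resource", "https://orders.example.internal"),
            fake_token_endpoint, idp)
        failure = None
    except TokenExchangeError as exc:
        failure = str(exc)
    return {"rfc8693": rfc, "entra_obo": obo, "failure": failure}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points worth checking in a real deployment follow from the code: the client secret travels in every exchange request, so the token endpoint URL must be HTTPS and the secret stored as a secret rather than in plain policy configuration; and when the exchange fails, the request should not reach the backend carrying the caller's original token, which is why `exchange_and_inject` raises instead of returning the unmodified headers.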
Configuring Policy Parameters
Flex Gateway Local Mode
The OAuth 2.0 OBO Credential Injection policy isn’t supported in Local Mode.
Managed Flex Gateway and Flex Gateway Connected Mode
When you apply the policy to your API instance from the UI, the following parameters are displayed:
| Parameter | Description |
|---|---|
| Token Exchange Flow | Token exchange flow: OAuth 2.0 Token Exchange (RFC 8693) or Microsoft Entra ID On-Behalf-Of. |
| Client ID | OAuth 2.0 client ID for token exchange. |
| Client Secret | OAuth 2.0 client secret for token exchange. |
| Token Endpoint | OAuth 2.0 token endpoint URL. |
| Target Type | Parameter type for specifying the target service. Required for the OAuth 2.0 Token Exchange flow. Supported values: |
| Target Value | Target audience URI or resource URI for the exchanged token. Required for the OAuth 2.0 Token Exchange flow. |
| Scope | OAuth 2.0 scope to request. Required for Microsoft Entra OBO (for example, |
| Timeout | Timeout for token exchange requests in milliseconds. Default: 10000. |