Delegation with OIDC

Traditionally, delegation is used to:

  • Exchange an ID token issued to one application for a new one issued to a different application.

  • Get a fresh ID token using a refresh token.

  • Exchange an ID token for a third-party (e.g., Firebase, AWS) API token.

Because the OIDC-conformant pipeline requires that ID tokens no longer be used to secure APIs and that refresh tokens be used only at the /oauth/token endpoint, the /delegation endpoint is deprecated.

OIDC-conformant applications cannot be the source or target of delegation requests.
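
For the refresh-token case listed above, the replacement is the standard refresh grant (RFC 6749, section 6) sent to the /oauth/token endpoint. The following is an added example, not Auth0's own code: the domain, client ID, token values, the `send` transport and its `fake_send` stand-in are all constructed so that it runs offline.

```python
import json
import urllib.parse
import urllib.request

class RefreshError(Exception):
    """Raised when the authorization server rejects the refresh token."""

def build_refresh_request(domain, client_id, refresh_token, client_secret=None):
    """Build the RFC 6749 section 6 refresh grant aimed at /oauth/token."""
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }
    if client_secret is not None:  # confidential clients only
        form["client_secret"] = client_secret
    return urllib.request.Request(
        f"https://{domain}/oauth/token",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def parse_token_response(status, body, old_refresh_token):
    """Return the token set; keep the old refresh token if none is reissued."""
    payload = json.loads(body)
    if status != 200:
        raise RefreshError(f"{payload.get('error')}: {payload.get('error_description', '')}")
    payload.setdefault("refresh_token", old_refresh_token)
    return payload

def refresh_tokens(domain, client_id, refresh_token, send, client_secret=None):
    """`send` is a hypothetical transport callable: Request -> (status, body)."""
    req = build_refresh_request(domain, client_id, refresh_token, client_secret)
    status, body = send(req)
    return parse_token_response(status, body, refresh_token)

# Constructed stand-in for the authorization server (assumption, for offline use).
def fake_send(req):
    form = urllib.parse.parse_qs(req.data.decode())
    if not req.full_url.endswith("/oauth/token"):
        return 404, b'{"error": "not_found"}'
    if form["refresh_token"] != ["constructed-refresh-token"]:
        return 403, b'{"error": "invalid_grant", "error_description": "Unknown or invalid refresh token."}'
    return 200, b'{"access_token": "constructed-at", "id_token": "constructed-idt", "token_type": "Bearer", "expires_in": 86400}'
```

In production, replace `fake_send` with a real HTTPS client call and treat an `invalid_grant` error as a signal to send the user through login again.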

Third-party APIs

Because no OIDC-compliant mechanism exists to get third-party (e.g., Firebase, AWS) API tokens, delegation can still be used to obtain third-party API tokens.
