Delegation with OIDC

By default, delegation is disabled for tenants without an add-on in use as of 8 June 2017. Legacy tenants who currently use an add-on that requires delegation may continue to use this feature. If delegation functionality is changed or removed from service at some point, customers who currently use it will be notified beforehand and given ample time to migrate.

Traditionally, delegation is used to:

  • Exchange an ID token issued to one application for a new one issued to a different application.

  • Get a fresh ID token using a refresh token.

  • Exchange an ID token for a third-party (e.g., Firebase, AWS) API token.

Because the OIDC-conformant pipeline requires that ID tokens no longer be used to secure APIs and that refresh tokens be used only at the /oauth/token endpoint, the /delegation endpoint is deprecated.

OIDC-conformant applications cannot be the source or target of delegation requests.
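The refresh-token exchange at /oauth/token that replaces delegation for this use, as an added example (not code from the original page or from the vendor). It assumes the standard refresh_token grant parameters from RFC 6749 section 6; the function names, the `tenant.example.com` host and the injectable `send` transport are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth/token"  # the only endpoint where refresh tokens may be used


class TokenError(Exception):
    """The token endpoint returned an error or an unusable response."""


def build_refresh_request(domain, client_id, refresh_token, client_secret=None):
    """Build (url, headers, body) for a refresh_token grant (RFC 6749, section 6)."""
    if not domain or "/" in domain:
        raise ValueError("domain must be a bare host name, e.g. tenant.example.com")
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}
    if client_secret is not None:  # confidential applications only
        form["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return "https://" + domain + TOKEN_PATH, headers, urllib.parse.urlencode(form).encode("ascii")


def parse_token_response(status, raw):
    """Return the token set, or raise TokenError (error format: RFC 6749, section 5.2)."""
    try:
        data = json.loads(raw)
    except ValueError as exc:
        raise TokenError("non-JSON response, HTTP %d" % status) from exc
    if status != 200 or not isinstance(data, dict) or "access_token" not in data:
        err = data.get("error", "invalid_response") if isinstance(data, dict) else "invalid_response"
        raise TokenError("%s (HTTP %d)" % (err, status))
    return data  # an id_token is present only if the server chose to return one


def http_post(url, headers, body):
    """Default transport; returns (status, raw_bytes) for success and HTTP errors."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def refresh_tokens(domain, client_id, refresh_token, client_secret=None, send=http_post):
    """Exchange a refresh token at /oauth/token; `send` is injectable for testing."""
    url, headers, body = build_refresh_request(domain, client_id, refresh_token, client_secret)
    return parse_token_response(*send(url, headers, body))
```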

Third-party APIs

Because no OIDC-compliant mechanism exists to get third-party (e.g., Firebase, AWS) API tokens, delegation can still be used to obtain third-party API tokens.
