Delegation with OIDC
Traditionally, delegation is used to:
Exchange an ID token issued to one application for a new one issued to a different application.
Get a fresh ID token using a refresh token.
Exchange an ID token for a third-party (e.g., Firebase, AWS) API token.
Because the OIDC-conformant pipeline requires that ID tokens no longer be used to secure APIs and that refresh tokens be used only at the /oauth/token endpoint, the /delegation endpoint is deprecated.
OIDC-conformant applications cannot be the source or target of delegation requests.
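The refresh-token case above, redeemed at /oauth/token instead of /delegation, as an added example that is not part of the original page or the vendor's code. It assumes the endpoint accepts the standard OAuth 2.0 refresh-token grant (RFC 6749, section 6); the function names and the tenant host `tenant.example.com` are hypothetical.

```python
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth/token"  # refresh tokens are redeemed only here, not at /delegation


def build_refresh_request(domain, client_id, refresh_token, client_secret=None):
    """Build (without sending) the RFC 6749 section 6 refresh-token grant request."""
    # Accept a bare host name only, so the refresh token cannot be posted to an
    # unexpected path, port, or userinfo-prefixed host.
    if not domain or any(c in domain for c in "/:@?# "):
        raise ValueError("domain must be a bare host name, e.g. tenant.example.com")
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }
    if client_secret is not None:  # confidential clients only
        form["client_secret"] = client_secret
    return urllib.request.Request(
        url=f"https://{domain}{TOKEN_PATH}",  # always HTTPS
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_token_response(raw_body):
    """Return the token set from a JSON token response, or raise on an OAuth error."""
    payload = json.loads(raw_body)
    if "error" in payload:
        raise RuntimeError(f"{payload['error']}: {payload.get('error_description', '')}")
    return {k: payload[k] for k in ("access_token", "id_token", "expires_in") if k in payload}


def refresh_tokens(domain, client_id, refresh_token, client_secret=None):
    """Send the request; needs network access and a real tenant (assumed)."""
    req = build_refresh_request(domain, client_id, refresh_token, client_secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())
```
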
Third-party APIs
Because no OIDC-compliant mechanism exists to get third-party (e.g., Firebase, AWS) API tokens, delegation can still be used to obtain third-party API tokens.