Secure web framework
US-11586726-B2 · Feb 21, 2023 · US
US11882113B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11882113-B2 |
| Application number | US-202117362331-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 29, 2021 |
| Priority date | Jun 29, 2021 |
| Publication date | Jan 23, 2024 |
| Grant date | Jan 23, 2024 |
Official abstract text for this publication.
The disclosed technology is generally directed to web authentication. In one example of the technology, authentication of a broker is obtained with an identity provider. Obtaining the authentication includes at least communication between the broker and a top-level frame and communication between the broker and the identity provider. The broker is executing in a descendant frame of the top-level frame. The top-level frame and the broker are hosted on different domains. At the broker, from an embedded application that is executing on another descendant frame of the top-level frame, a token request is received. Via the broker, a token is requested from the identity provider. The token is associated with an authorization of secure delegated remote access of at least one resource by the embedded application. At the broker, from the identity provider, the token is received. Via the broker, the token is provided to the embedded application.
Claims text for this publication.
We claim:

1. An apparatus, comprising: at least one memory adapted to store run-time data, and at least one processor that is adapted to execute processor-executable code that, in response to execution, enables the apparatus to perform actions, including: obtaining authentication of a broker with an identity provider, wherein obtaining the authentication includes at least communication between the broker and a top-level frame and communication between the broker and the identity provider, wherein the broker is a first application that is executing in a first descendant frame that is a descendent of the top-level frame, wherein the top-level frame is hosted on a first domain, and wherein the broker is hosted on a second domain that is a different domain than the first domain; receiving, at the broker, from a second application that is executing on a second descendent frame that is another descendant frame of the top-level frame, a token request; via the broker, requesting a first token from the identity provider on behalf of the second application, wherein the first token is associated with an authorization of secure delegated remote access of at least one resource by the second application; receiving, at the broker, from the identity provider, the first token; and via the broker, providing the first token to the second application.
2. The apparatus of claim 1, wherein the identity provider is hosted on the second domain.
3. The apparatus of claim 1, wherein the broker acts as a token broker on behalf of each descendant frame of the top-level frame that makes use of secure delegated access on behalf of users of applications executing on that descendent frame.
4. The apparatus of claim 1, wherein the first descendent frame is a child frame of the top-level frame, and wherein the second descendent frame is another child frame of the top-level frame.
5. The apparatus of claim 1, wherein the first descendent frame is an inline frame of the top-level frame, and wherein the second descendent frame is another inline frame of the top-level frame.
6. The apparatus of claim 1, wherein the first token is an access token.
7. The apparatus of claim 1, wherein the first token is an identity token that identifies a user.
8. The apparatus of claim 1, wherein requesting the first token from the identity provider is accomplished via a browser that prohibits third-party cookies.
9. The apparatus of claim 1, the actions further including: requesting, via the broker, a refresh token from the identity provider; and receiving the refresh token from the identity provider.
10. The apparatus of claim 9, wherein requesting the first token from the identity provider includes making the request for the first token from the identity provider such that the request includes the refresh token.
11. The apparatus of claim 1, wherein obtaining the authentication of the broker with the identity provider includes receiving an authorization code from the top-level frame, and wherein the top-level frame acquired the authorization code via communication between the top-level frame and the identity provider.
12. The apparatus of claim 11, wherein the identity provider validates that the authorization code received by the identity provider has not been moved to another device by tracking of the IP address of a device of a user.
13. The apparatus of claim 11, the actions further including, via the broker, communicating with the identity provider to redeem the authorization code for the refresh token from the identity provider.
14. The apparatus of claim 13, wherein requesting the first token from the identity provider includes making the request for the first token from the identity provider such that the request includes the refresh token.
15. A method, comprising: acquiring authentication of a broker with an identity provider, wherein acquiring the authentication includes at least communication between the broker and a top-level frame and communication between the broker and the identity provider, wherein the broker is a first application that is executing in a first descendant frame that is a descendent of the top-level frame, wherein the top-level frame is hosted on a first domain, and wherein the broker is hosted on a second domain that is a different domain than the first domain; receiving, at the broker, a token request from a second application that is executing on a second descendent frame that is another descendant frame of the top-level frame; communicating a token request from the broker to the identity provider on behalf of the second application, wherein the token request is a request for a first token that is associated with an authorization of secure delegated remote access of at least one resource by the second application; receiving, at the broker, the first token from the identity provider; and communicating the first token from the broker to the second application.
16. The method of claim 15, wherein obtaining the authentication of the broker with the identity provider includes receiving an authorization code from the top-level frame, and wherein the top-level frame acquired the authorization code via communication between the top-level frame and the identity provider.
17. The method of claim 16, further comprising, via the broker, communicating with the identity provider to redeem the authorization code for the refresh token from the identity provider.
18. A processor-readable storage medium, having stored thereon processor-executable code that, upon execution by at least one processor, enables actions, comprising: obtaining authentication of a token broker application with an authorization server, wherein obtaining the authentication includes at least communication between the token broker application and a top-level frame and communication between the token broker application and the authorization server, wherein the token broker application is a first application that is executing in a first descendant frame that is a descendent of the top-level frame, wherein the top-level frame is hosted on a first domain, and wherein the token broker application is hosted on a second domain that is a different domain than the first domain; receiving, at the token broker application, a token request from an embedded application that is executing on another descendent frame that is a descendant inline frame of the top-level frame; via the token broker application, requesting an access token from the authorization server on behalf of the embedded application, wherein the access token is associated with an authorization of secure delegated remote access of at least one resource by the embedded application; receiving, at the token broker application, from the authorization server, the requested access token; and via the token broker application, providing the requested access token to the embedded application.
19. The processor-readable storage medium of claim 18, wherein obtaining the authentication of the token broker application with the authorization server includes receiving an authorization code from the top-level frame, and wherein the top-level frame acquired the authorization code via communication between the top-level frame and the authorization server.
20. The processor-readable storage medium of claim 19, the actions further comprising, via the token broker application, communicating with the authorization server to redeem the authorization code for the refresh token from the authorization server.
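The abstract and claims describe the flow but not how the frames talk to each other. The following is an added illustration, not code from the patent or its assignee: it simulates the broker flow in Node, with plain objects standing in for browser frames and an identity provider. All origins (`portal.example`, `idp.example`, `widget.example`, `unlisted.example`), user names, message types and token formats are constructed for the example. The security-relevant detail it shows is that the broker accepts the authorization code only from the top-level frame's origin, serves token requests only from allow-listed embedded-application origins, and replies to the validated origin rather than to `"*"`; the embedded application in turn accepts replies only from the broker's origin. The single-use authorization code is standard OAuth practice assumed here; the claims themselves only state that the identity provider checks the code was not moved to another device.

```javascript
// Added illustration, not the patent's code: the token-broker flow from the
// abstract and claims, simulated with plain objects in place of browser frames.
// All origins, names and token formats below are constructed for the example.

const TOP_ORIGIN = "https://portal.example";        // top-level frame (first domain)
const BROKER_ORIGIN = "https://idp.example";        // broker iframe, hosted on the IdP's domain (claim 2)
const APP_ORIGIN = "https://widget.example";        // embedded application's iframe
const UNLISTED_ORIGIN = "https://unlisted.example"; // a frame the broker is not configured to serve

// Simulated identity provider / authorization server.
class IdentityProvider {
  constructor() { this.codes = new Map(); this.refreshTokens = new Set(); this.seq = 0; }
  // Issued to the top-level frame after the user signs in (claim 11).
  issueAuthorizationCode(userId) {
    const code = `code-${userId}-${++this.seq}`;
    this.codes.set(code, userId);
    return code;
  }
  // Claims 13/17/20: the broker redeems the code for a refresh token.
  // Single-use code is assumed standard OAuth practice, not stated in the claims.
  redeemCode(code) {
    const userId = this.codes.get(code);
    if (!userId) throw new Error("invalid or already-redeemed authorization code");
    this.codes.delete(code);
    const refreshToken = `refresh-${userId}-${++this.seq}`;
    this.refreshTokens.add(refreshToken);
    return { userId, refreshToken };
  }
  // Claims 10/14: the access-token request carries the refresh token.
  issueAccessToken(refreshToken, resource) {
    if (!this.refreshTokens.has(refreshToken)) throw new Error("unknown refresh token");
    return `access-${resource}-${++this.seq}`;
  }
}

// Minimal stand-in for a browsing context: postMessage delivers an event whose
// `origin` is set by the sender's frame, which is what a listener must check.
class Frame {
  constructor(origin) { this.origin = origin; this.listeners = []; }
  addEventListener(type, fn) { if (type === "message") this.listeners.push(fn); }
  postMessage(data, targetOrigin, sender) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) return; // a browser drops it
    const event = { data, origin: sender.origin, source: sender };
    for (const fn of this.listeners) fn(event);
  }
}

// The broker application running in its own descendant frame.
class TokenBroker {
  constructor(frame, idp, allowedAppOrigins) {
    this.frame = frame;
    this.idp = idp;
    this.allowed = new Set(allowedAppOrigins);
    this.refreshToken = null;
    this.rejected = []; // origins whose messages were refused
    frame.addEventListener("message", (e) => this.onMessage(e));
  }
  onMessage(e) {
    const msg = e.data || {};
    if (msg.type === "authorization_code") {
      // Only the top-level frame may hand over the authorization code.
      if (e.origin !== TOP_ORIGIN) { this.rejected.push(e.origin); return; }
      this.refreshToken = this.idp.redeemCode(msg.code).refreshToken;
    } else if (msg.type === "token_request") {
      // Serve only embedded applications on an allow-listed origin (claim 3).
      if (!this.allowed.has(e.origin)) { this.rejected.push(e.origin); return; }
      if (this.refreshToken === null) {
        e.source.postMessage({ type: "token_error", error: "broker not authenticated" }, e.origin, this.frame);
        return;
      }
      const token = this.idp.issueAccessToken(this.refreshToken, msg.resource);
      // Reply to the validated origin only, never with targetOrigin "*".
      e.source.postMessage({ type: "token_response", resource: msg.resource, token }, e.origin, this.frame);
    }
  }
}

// Runs the flow once and reports what each party observed.
function runScenario() {
  const idp = new IdentityProvider();
  const top = new Frame(TOP_ORIGIN);
  const brokerFrame = new Frame(BROKER_ORIGIN);
  const app = new Frame(APP_ORIGIN);
  const unlisted = new Frame(UNLISTED_ORIGIN);
  const broker = new TokenBroker(brokerFrame, idp, [APP_ORIGIN]);

  const appInbox = [];
  // The embedded application also checks the origin of the replies it accepts.
  app.addEventListener("message", (e) => { if (e.origin === BROKER_ORIGIN) appInbox.push(e.data); });
  const unlistedInbox = [];
  unlisted.addEventListener("message", (e) => unlistedInbox.push(e.data));

  // 1. Top-level frame signs the user in and passes the code to the broker.
  const code = idp.issueAuthorizationCode("alice");
  brokerFrame.postMessage({ type: "authorization_code", code }, BROKER_ORIGIN, top);
  // 2. Embedded application asks the broker for a token for one resource.
  brokerFrame.postMessage({ type: "token_request", resource: "calendar" }, BROKER_ORIGIN, app);
  // 3. A frame on an origin the broker does not serve sends the same request.
  brokerFrame.postMessage({ type: "token_request", resource: "calendar" }, BROKER_ORIGIN, unlisted);
  // 4. Presenting the already-redeemed code again must fail at the identity provider.
  let replayRejected = false;
  try { idp.redeemCode(code); } catch (err) { replayRejected = true; }

  return { appInbox, unlistedInbox, rejected: broker.rejected,
           brokerAuthenticated: broker.refreshToken !== null, replayRejected };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Run with `node` and the output shows one `token_response` in the embedded application's inbox, nothing in the unlisted frame's inbox, and the unlisted origin in the broker's rejected list. In a real deployment the same checks map onto `event.origin` in the `message` handler and the `targetOrigin` argument of `window.postMessage`; the simulated `Frame` only reproduces those two pieces of browser behaviour.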
using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title
based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title
by using authentication-authorization-accounting [AAA] servers or protocols · CPC title
using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title
by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity · CPC title