feat: service account token exchange

pkg/op/tokenrequest.go

@@ -3,11 +3,13 @@ package op
 import (
 	"context"
 	"errors"
+	"fmt"
 	"net/http"
 
 	"github.com/gorilla/schema"
 
 	"github.com/caos/oidc/pkg/oidc"
+	"github.com/caos/oidc/pkg/rp"
 	"github.com/caos/oidc/pkg/utils"
 )
 
@@ -20,6 +22,11 @@ type Exchanger interface {
 	AuthMethodPostSupported() bool
 }
 
+type VerifyExchanger interface {
+	Exchanger
+	Verifier() rp.Verifier
+}
+
 func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
 	tokenReq, err := ParseAccessTokenRequest(r, exchanger.Decoder())
 	if err != nil {
@@ -116,6 +123,33 @@ func AuthorizeCodeChallenge(ctx context.Context, tokenReq *oidc.AccessTokenReque
 	return authReq, nil
 }
 
+func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchanger) {
+	assertion, err := ParseJWTTokenRequest(r, exchanger.Decoder())
+	if err != nil {
+		RequestError(w, r, err)
+	}
+	claims, err := exchanger.Verifier().Verify(r.Context(), "", assertion)
+	fmt.Println(claims, err)
+
+	_ = assertion
+}
+
+func ParseJWTTokenRequest(r *http.Request, decoder *schema.Decoder) (string, error) {
+	err := r.ParseForm()
+	if err != nil {
+		return "", ErrInvalidRequest("error parsing form")
+	}
+	tokenReq := new(struct {
+		Token string `schema:"assertion"`
+	})
+	err = decoder.Decode(tokenReq, r.Form)
+	if err != nil {
+		return "", ErrInvalidRequest("error decoding form")
+	}
+	//TODO: validations
+	return tokenReq.Token, nil
+}
+
 func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
 	tokenRequest, err := ParseTokenExchangeRequest(w, r)
 	if err != nil {