feat: Token Exchange (RFC 8693) (#255)

This change implements OAuth2 Token Exchange in OP according to RFC 8693 (and client code) Some implementation details: - OP parses and verifies subject/actor tokens natively if they were issued by OP - Third-party tokens verification is also possible by implementing additional storage interface - Token exchange can issue only OP's native tokens (id_token, access_token and refresh_token) with static issuer
2023-02-19 14:57:46 +01:00 · 2023-02-19 14:57:46 +01:00 · 8e298791d7
commit 8e298791d7
parent 9291ca9908
16 changed files with 961 additions and 59 deletions
--- a/pkg/oidc/token_request.go
+++ b/pkg/oidc/token_request.go
@ -40,6 +40,29 @@ var AllGrantTypes = []GrantType{

 type GrantType string

+const (
+	AccessTokenType  TokenType = "urn:ietf:params:oauth:token-type:access_token"
+	RefreshTokenType TokenType = "urn:ietf:params:oauth:token-type:refresh_token"
+	IDTokenType      TokenType = "urn:ietf:params:oauth:token-type:id_token"
+	JWTTokenType     TokenType = "urn:ietf:params:oauth:token-type:jwt"
+)
+
+var AllTokenTypes = []TokenType{
+	AccessTokenType, RefreshTokenType, IDTokenType, JWTTokenType,
+}
+
+type TokenType string
+
+func (t TokenType) IsSupported() bool {
+	for _, tt := range AllTokenTypes {
+		if t == tt {
+			return true
+		}
+	}
+
+	return false
+}
+
 type TokenRequest interface {
 	// GrantType GrantType `schema:"grant_type"`
 	GrantType() GrantType
@ -203,14 +226,15 @@ func (j *JWTTokenRequest) GetScopes() []string {
 }

 type TokenExchangeRequest struct {
-	subjectToken       string              `schema:"subject_token"`
-	subjectTokenType   string              `schema:"subject_token_type"`
-	actorToken         string              `schema:"actor_token"`
-	actorTokenType     string              `schema:"actor_token_type"`
-	resource           []string            `schema:"resource"`
-	audience           Audience            `schema:"audience"`
-	Scope              SpaceDelimitedArray `schema:"scope"`
-	requestedTokenType string              `schema:"requested_token_type"`
+	GrantType          GrantType           `schema:"grant_type"`
+	SubjectToken       string              `schema:"subject_token"`
+	SubjectTokenType   TokenType           `schema:"subject_token_type"`
+	ActorToken         string              `schema:"actor_token"`
+	ActorTokenType     TokenType           `schema:"actor_token_type"`
+	Resource           []string            `schema:"resource"`
+	Audience           Audience            `schema:"audience"`
+	Scopes             SpaceDelimitedArray `schema:"scope"`
+	RequestedTokenType TokenType           `schema:"requested_token_type"`
 }

 type ClientCredentialsRequest struct {