Token exchange support

docs/source/contents/conf.rst

@@ -178,6 +178,7 @@ An example::
         - implicit
         - urn:ietf:params:oauth:grant-type:jwt-bearer
         - refresh_token
+        - urn:ietf:params:oauth:grant-type:token-exchange
       claim_types_supported:
         - normal
         - aggregated
@@ -486,7 +487,8 @@ An example::
                         "supports_minting": ["access_token", "refresh_token"]
                     }
                 },
-                "expires_in": 43200
+                "expires_in": 43200,
+                "audience": ['https://www.example.com']
             }
         }
       },

docs/source/contents/usage.md

@@ -125,3 +125,44 @@ oidc-op will return a json response like this::
         "oLyRj7sJJ3XvAYjeDCe8rQ"
       ]
     }
+
+Token exchange
+-------------
+
+Here an example about how to exchange an access token for a new access token.
+
+    import requests
+
+    CLIENT_ID = "DBP60x3KUQfCYWZlqFaS_Q"
+    CLIENT_SECRET="8526270403788522b2444e87ea90c53bcafb984119cec92eeccc12f1"
+    SUBJECT_TOKEN="Z0FBQUFkF3czZRU...BfdTJkQXlCSm55cVpxQ1A0Y0RkWEtQTT0="
+    REQUESTED_TOKEN_TYPE="urn:ietf:params:oauth:token-type:access_token"
+
+    data = {
+        "grant_type" : "urn:ietf:params:oauth:grant-type:token-exchange",
+        "requested_token_type" : f"{REQUESTED_TOKEN_TYPE}",
+        "client_id" : f"{CLIENT_ID}",
+        "client_secret" : f"{CLIENT_SECRET}",
+        "subject_token" : f"{SUBJECT_TOKEN}"
+    }
+    headers = {'Content-Type': "application/x-www-form-urlencoded" }
+    response = requests.post(
+        'https://snf-19725.ok-kno.grnetcloud.net/OIDC/token', verify=False, data=data, headers=headers
+    )
+
+oidc-op will return a json response like this::
+
+    {
+        "access_token": "eyJhbGciOiJFUzI1NiIsI...Bo6aQcOKEN-1U88jjKxLb-9Q",
+        "scope": "openid email",
+        "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
+        "expires_in": 86400
+    }
+
+In order to request a refresh token the value of `requested_token_type` should be set to
+`urn:ietf:params:oauth:token-type:refresh_token`.
+
+The [RFC-8693](https://datatracker.ietf.org/doc/html/rfc8693) describes the `audience` parameter that 
+defines the authorized targets of a token exchange request.
+If `subject_token = urn:ietf:params:oauth:token-type:refresh_token` then `audience` should not be
+included in the token exchange request. 

docs/source/index.rst

@@ -21,6 +21,7 @@ Idpy OIDC-op implements the following standards:
 * `OpenID Connect Back-Channel Logout 1.0 <https://openid.net/specs/openid-connect-backchannel-1_0.html>`_
 * `OpenID Connect Front-Channel Logout 1.0 <https://openid.net/specs/openid-connect-frontchannel-1_0.html>`_
 * `OAuth2 Token introspection <https://tools.ietf.org/html/rfc7662>`_
+* `OAuth2 Token exchange <https://datatracker.ietf.org/doc/html/rfc8693>`_
 
 
 It also comes with the following `add_on` modules.

src/oidcop/oauth2/introspection.py

@@ -115,7 +115,10 @@ def process_request(self, request=None, release: Optional[list] = None, **kwargs
         _resp.update(_info)
         _resp.weed()
 
-        _claims_restriction = grant.claims.get("introspection")
+        _claims_restriction = _context.claims_interface.get_claims(
+            _session_info["session_id"], scopes=_token.scope, claims_release_point="introspection"
+        )
+
         if _claims_restriction:
             user_info = _context.claims_interface.get_user_claims(
                 _session_info["user_id"], _claims_restriction

src/oidcop/oauth2/token.py

@@ -68,7 +68,7 @@ def _mint_token(
             token_args = meth(_context, client_id, token_args)
 
         if token_args:
-            _args = {"token_args": token_args}
+            _args = token_args
         else:
             _args = {}