Allow custom implementations of OAuth 2.0 Token Exchange
Summary
RFC 8693 defines a new OAuth 2.0 grant type called "Token Exchange". This grant lets OAuth 2.0 (in our case OIDC) clients exchange one token for another. This sort of feature is used:
1. By some competing products, to exchange a token issued by an external IdP (usually a big platform) for a local (in our case LLNG) token, or the other way around.
2. By specs such as OpenID Connect Native SSO: https://openid.net/specs/openid-connect-native-sso-1_0.html
3. By LLNG users, to implement special use cases (for example, exchanging a legacy application token for a proper JWT access token).
Design proposition
For now, we won't implement 1/ or 2/, but we should let users implement 3/ through a hook:
- Add urn:ietf:params:oauth:grant-type:token-exchange to the supported grant_type values in the token sub.
- In this method, only call a hook for now.
- If the hook sets $req->response and returns PE_SENDRESPONSE, send $req->response.
- If the hook returns PE_OK, try the next hook.
- After trying all hooks, if the final result is still PE_OK, return an error for now.
- In the future, we can implement Native SSO or IdP token exchange after running the hooks, if no hook has handled the request already.
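The hook chain described above, written out as a stand-alone added example (this is not LemonLDAP::NG code and does not use its real plugin API). The PE_* constant values, the $req hash layout, the way hooks are passed in, the legacy token store, the urn:example:legacy-token type URI and the error codes returned when no hook handles the request are all assumptions made for the demo; the one thing it models faithfully is the contract in the list above: a hook that sets a response and returns PE_SENDRESPONSE wins, PE_OK passes the request on, and an unhandled request ends in an error. It also includes the example hook for use case 3/ (legacy application token exchanged for an access token), with the RFC 8693 response fields.

```perl
#!/usr/bin/perl
# Added example: a stand-alone model of the proposed hook chain for the
# token-exchange grant. Not LemonLDAP::NG code. The constant values, the
# $req hash layout, the hook list, the legacy token store and the
# urn:example:legacy-token type URI are assumptions made for this demo.
use strict;
use warnings;
use JSON::PP;

use constant {
    PE_OK           => 0,
    PE_SENDRESPONSE => -6,   # assumed value; only "non-PE_OK, response set" matters
};

my $GRANT_TOKEN_EXCHANGE = 'urn:ietf:params:oauth:grant-type:token-exchange';
my $TT_ACCESS_TOKEN      = 'urn:ietf:params:oauth:token-type:access_token';
my $TT_LEGACY            = 'urn:example:legacy-token';   # assumed, app-specific

# Constructed legacy token store for the demo (would be a real backend).
my %LEGACY_TOKENS = (
    'legacy-abc123'  => { uid => 'dwho',   expires => time + 3600 },
    'legacy-expired' => { uid => 'rtyler', expires => time - 1 },
);

# RFC 6749-style error body; HTTP 400 as in the token endpoint error rules.
sub oauthError {
    my ( $code, $desc ) = @_;
    return { status => 400,
        body => { error => $code, ( $desc ? ( error_description => $desc ) : () ) } };
}

# Use case 3 as a user hook: exchange a legacy application token for an
# access token. It claims the request (PE_SENDRESPONSE) only for subject
# tokens of the type it owns; anything else falls through with PE_OK.
sub legacyTokenExchangeHook {
    my ($req) = @_;
    my $p = $req->{params};
    return PE_OK unless ( $p->{subject_token_type} // '' ) eq $TT_LEGACY;

    my $rec = $LEGACY_TOKENS{ $p->{subject_token} // '' };
    if ( !$rec or $rec->{expires} <= time ) {
        # The token is ours but invalid: answer with an error rather than
        # returning PE_OK, so a later hook cannot accept what we rejected.
        $req->{response} = oauthError( 'invalid_grant', 'unknown or expired subject_token' );
        return PE_SENDRESPONSE;
    }
    $req->{response} = { status => 200, body => {
        access_token      => "at-$rec->{uid}-" . time,   # stand-in for a signed JWT
        issued_token_type => $TT_ACCESS_TOKEN,
        token_type        => 'Bearer',
        expires_in        => 300,
    } };
    return PE_SENDRESPONSE;
}

# Model of the branch to add to the token endpoint: run the hooks in
# order, send the first response a hook provides, error if none did.
sub tokenExchange {
    my ( $req, @hooks ) = @_;
    return oauthError('unsupported_grant_type')
      unless ( $req->{params}{grant_type} // '' ) eq $GRANT_TOKEN_EXCHANGE;
    return oauthError( 'invalid_request', 'subject_token and subject_token_type are required' )
      unless defined $req->{params}{subject_token} && defined $req->{params}{subject_token_type};

    for my $hook (@hooks) {
        my $rc = $hook->($req);
        next if $rc == PE_OK;                          # not handled, try the next one
        return $req->{response} if $rc == PE_SENDRESPONSE && $req->{response};
        # A hook that claims the request but sets no response is a bug (assumed handling).
        return { status => 500, body => { error => 'server_error' } };
    }
    # No hook handled it: the proposal returns an error for now (code assumed).
    return oauthError( 'invalid_request', 'token exchange not supported for this subject_token_type' );
}

# Demo: constructed requests covering the success path, a rejected token,
# an unhandled token type and a wrong grant_type.
my $json = JSON::PP->new->canonical;
for my $params (
    { grant_type => $GRANT_TOKEN_EXCHANGE, subject_token => 'legacy-abc123',     subject_token_type => $TT_LEGACY },
    { grant_type => $GRANT_TOKEN_EXCHANGE, subject_token => 'legacy-expired',    subject_token_type => $TT_LEGACY },
    { grant_type => $GRANT_TOKEN_EXCHANGE, subject_token => 'some-access-token', subject_token_type => $TT_ACCESS_TOKEN },
    { grant_type => 'authorization_code',  code => 'x' },
) {
    my $req = { params => $params, response => undef };
    my $res = tokenExchange( $req, \&legacyTokenExchangeHook );
    print "$res->{status} ", $json->encode( $res->{body} ), "\n";
}
```

Two choices in the demo are worth keeping in mind when writing a real hook: a hook should return PE_OK only for subject_token_type values it does not own, and should answer with an error (not PE_OK) for a token of its own type that fails verification, otherwise a later, more permissive hook could accept a token the first one already rejected; and the dispatcher should treat "PE_SENDRESPONSE without a response" as a server-side bug rather than silently falling through.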