Token exchange

api/api.yaml

@@ -97,6 +97,9 @@ paths:
       parameters:
         - $ref: '#/components/parameters/QueryState'
         - $ref: '#/components/parameters/ClientId'
+        - $ref: '#/components/parameters/Scope'
+        - $ref: '#/components/parameters/RequestMode'
+        - $ref: '#/components/parameters/RedirectPath'
       operationId: StartSIOPSameDevice
       summary: Starts the siop flow for credentials hold by the same device
       description: When the credential is already present in the requesting browser, the same-device flow can be used. It creates the login information and then redirects to the /authenticationresponse path.
@@ -153,7 +156,6 @@ paths:
       responses:
         '204':  
           description: Ok when it worked
-
   /token:
     post:
       tags:
@@ -302,6 +304,14 @@ components:
       schema:
         type: string
         example: https://my-app.com/request.jwt
+    RedirectPath:
+      name: redirect_path
+      description: If no redirect path is provided, an 'oid4vp' deeplink will be returned
+      in: query
+      required: false
+      schema:
+        type: string
+        example: /
     VpToken:
       name: vp_token
       description: base64URLEncoded VerifiablePresentation
@@ -600,7 +610,7 @@ components:
       properties:
         grant_type: 
           type: string
-          enum: ["authorization_code"]
+          enum: ["authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange"]
         code:
           type: string
           example: myRandomString
@@ -609,15 +619,43 @@ components:
           format: uri
           description: Same uri as provided as callback in the original request.
           example: https://my-portal.com/auth_callback
+        resource:
+          type: string
+          format: uri
+          description: A URI that indicates the target service or resource where the client intends to use the requested security token. Resource 
+            is ignored if the target client is provided as path parameter
+        audience:
+          type: string
+          description: The logical name of the target service where the client intends to use the requested security token.
+        scope:
+          type: array
+          items:
+            type: string
+          description:  A list of space-delimited, case-sensitive strings, that allow the client to specify the desired scope of the requested security token in the context of the service or resource where the token will be used.
+        requested_token_type:
+          type: string
+          description:  An identifier, for the type of the requested security token.
+          enum: ["urn:ietf:params:oauth:token-type:access_token"]
+        subject_token:
+          type: string
+          description: A security token that represents the identity of the party on behalf of whom the request is being made.
+        subject_token_type:
+          type: string
+          description: An identifier that indicates the type of the security token in the subject_token parameter.
+          enum: ["urn:eu:oidf:vp_token"]
+      required:
+        - grant_type
     TokenResponse:
       type: object
       properties:
         token_type:
           type: string
           enum: ["Bearer"]
+        issued_token_type:
+          type: string
+          enum: ["urn:ietf:params:oauth:token-type:access_token"]
         expires_in: 
           type: number
           example: 3600
         access_token:
           type: string
-

common/metadata.go

@@ -2,6 +2,9 @@ package common
 
 const TYPE_CODE = "authorization_code"
 const TYPE_VP_TOKEN = "vp_token"
+const TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
+const TYPE_VP_TOKEN_SUBJECT = "urn:eu:oidf:vp_token"
+const TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
 
 type OpenIDProviderMetadata struct {
 	Issuer                                 string   `json:"issuer"`

config/configClient.go

@@ -40,9 +40,10 @@ type ServicesResponse struct {
 
 type ConfiguredService struct {
 	// Default OIDC scope to be used if none is specified
-	DefaultOidcScope string                `json:"defaultOidcScope" mapstructure:"defaultOidcScope"`
-	ServiceScopes    map[string]ScopeEntry `json:"oidcScopes" mapstructure:"oidcScopes"`
-	Id               string                `json:"id" mapstructure:"id"`
+	DefaultOidcScope  string                `json:"defaultOidcScope" mapstructure:"defaultOidcScope"`
+	ServiceScopes     map[string]ScopeEntry `json:"oidcScopes" mapstructure:"oidcScopes"`
+	Id                string                `json:"id" mapstructure:"id"`
+	AuthorizationPath string                `json:"authorizationPath,omitempty" mapstructure:"authorizationPath,omitempty"`
 }
 
 type ScopeEntry struct {

config/configClient_test.go

@@ -2,7 +2,7 @@ package config
 
 import (
 	"io"
-	"io/ioutil"
+	"os"
 	"strings"
 	"testing"
 
@@ -20,7 +20,7 @@ func (mhc MockHttpClient) Get(url string) (resp *http.Response, err error) {
 }
 
 func readFile(filename string, t *testing.T) string {
-	data, err := ioutil.ReadFile("data/" + filename)
+	data, err := os.ReadFile("data/" + filename)
 	if err != nil {
 		t.Error("could not read file", err)
 	}