Update docs for Token Exchange

sjohnr · sjohnr · commit e7a0c06f62d1 · 2024-04-12T15:54:28.000-05:00
Issue spring-projectsgh-60
diff --git a/docs/modules/ROOT/pages/core-model-components.adoc b/docs/modules/ROOT/pages/core-model-components.adoc
@@ -85,7 +85,7 @@ public class RegisteredClient implements Serializable {
 <5> `clientSecretExpiresAt`: The time at which the client secret expires.
 <6> `clientName`: A descriptive name used for the client. The name may be used in certain scenarios, such as when displaying the client name in the consent page.
 <7> `clientAuthenticationMethods`: The authentication method(s) that the client may use. The supported values are `client_secret_basic`, `client_secret_post`, https://datatracker.ietf.org/doc/html/rfc7523[`private_key_jwt`], `client_secret_jwt`, and `none` https://datatracker.ietf.org/doc/html/rfc7636[(public clients)].
-<8> `authorizationGrantTypes`: The https://datatracker.ietf.org/doc/html/rfc6749#section-1.3[authorization grant type(s)] that the client can use. The supported values are `authorization_code`, `client_credentials`, `refresh_token`, and `urn:ietf:params:oauth:grant-type:device_code`.
+<8> `authorizationGrantTypes`: The https://datatracker.ietf.org/doc/html/rfc6749#section-1.3[authorization grant type(s)] that the client can use. The supported values are `authorization_code`, `client_credentials`, `refresh_token`, `urn:ietf:params:oauth:grant-type:device_code`, and `urn:ietf:params:oauth:grant-type:token-exchange`.
 <9> `redirectUris`: The registered https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2[redirect URI(s)] that the client may use in redirect-based flows – for example, `authorization_code` grant.
 <10> `postLogoutRedirectUris`: The post logout redirect URI(s) that the client may use for logout.
 <11> `scopes`: The scope(s) that the client is allowed to request.
diff --git a/docs/modules/ROOT/pages/overview.adoc b/docs/modules/ROOT/pages/overview.adoc
@@ -36,6 +36,7 @@ Spring Authorization Server supports the following features:
 * Refresh Token
 * Device Code
 ** xref:protocol-endpoints.adoc#oauth2-device-verification-endpoint[User Consent]
+* Token Exchange
 |
 * The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[draft])
 ** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.1[Authorization Code Grant]
@@ -46,6 +47,8 @@ Spring Authorization Server supports the following features:
 * OAuth 2.0 Device Authorization Grant
 (https://tools.ietf.org/html/rfc8628[spec])
 ** https://tools.ietf.org/html/rfc8628#section-3[Device Flow]
+* OAuth 2.0 Token Exchange (https://datatracker.ietf.org/doc/html/rfc8693[spec])
+** https://datatracker.ietf.org/doc/html/rfc8693#section-2[Token Exchange Flow]
 
 |xref:core-model-components.adoc#oauth2-token-generator[Token Formats]
 |
diff --git a/docs/modules/ROOT/pages/protocol-endpoints.adoc b/docs/modules/ROOT/pages/protocol-endpoints.adoc
@@ -257,7 +257,7 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
 `OAuth2TokenEndpointConfigurer` configures the `OAuth2TokenEndpointFilter` and registers it with the OAuth2 authorization server `SecurityFilterChain` `@Bean`.
 `OAuth2TokenEndpointFilter` is the `Filter` that processes OAuth2 access token requests.
 
-The supported https://datatracker.ietf.org/doc/html/rfc6749#section-1.3[authorization grant types] are `authorization_code`, `refresh_token`, `client_credentials`, and `urn:ietf:params:oauth:grant-type:device_code`.
+The supported https://datatracker.ietf.org/doc/html/rfc6749#section-1.3[authorization grant types] are `authorization_code`, `refresh_token`, `client_credentials`, `urn:ietf:params:oauth:grant-type:device_code`, and `urn:ietf:params:oauth:grant-type:token-exchange`.
 
 `OAuth2TokenEndpointFilter` is configured with the following defaults:
 
