Support for Token Exchange (RFC 8693)?
Is your feature request related to a problem? Please describe.
I'm implementing a multitenant server that needs to call other resources secured by the same auth server. I want this multitenant server to perform token exchange for down-scoped tokens to access those other resources. I notice under oauth2 folder, there is an rfc8693 folder, but there is seemingly no implementation.
Describe the solution you'd like
I would like the rfc8693 to be implemented.
Describe alternatives you've considered
I could implement it myself, but figure this could be useful to others. I'm curious what the timeline is for this, or if it is even planned.
Hello. Thank you for your feature request.
Indeed there is a stub module for rfc8693 that was created back in 2020. Currently there is no plan for the implementation of this RFC; it may come someday, but we don't know when. In the meantime, we would thankfully accept a PR for that.
If you want to tackle this, please keep in mind that the Authlib design for the authorization server is modular. We try to keep the business logic of each RFC in dedicated modules, so make sure you fit all the logic in the rfc8693 module, and use the hook/extension mechanism from the rfc6749 module to execute the code at the right places/moments. You might add hooks if needed, or discuss refactoring if your implementation needs it. Don't forget to document the RFC, possibly with examples, and add unit tests with 100% coverage.
If you want to implement the client side too, that can be in a dedicated PR, so one can get merged while the other is still in review, and that would avoid mixing discussions.
Also to help the review, you can add citations of the RFC that describe behaviors in the code, for example:
https://github.com/authlib/authlib/blob/72a00e74b684180d6c85594c6c19c1b13186a210/authlib/oauth2/rfc9101/authorization_server.py#L98-L105
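As an added, standalone illustration (not Authlib's code, and not built on its BaseGrant classes), the sketch below shows the RFC 8693 request validation and down-scoping check such a grant would need: the token endpoint must reject unknown subject token types, expired or foreign subject tokens, and any requested scope that grows beyond the subject token's. The in-memory token store, client id and scopes are constructed placeholders, and the rule that only the client the subject token was issued to may exchange it is an assumed policy.

```python
import secrets
import time

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed in-memory token store standing in for the auth server's database.
SUBJECT_TOKENS = {
    "tok-tenant-a": {"client_id": "multitenant-app", "scope": {"read", "write", "admin"},
                     "expires_at": time.time() + 3600},
}

class TokenExchangeError(ValueError):
    """Carries the RFC 6749 error code that the token endpoint should return."""
    def __init__(self, error, description):
        super().__init__(description)
        self.error = error

def validate_token_request(form, client_id):
    """Check the RFC 8693 section 2.1 request parameters and return the subject token record."""
    if form.get("grant_type") != TOKEN_EXCHANGE:
        raise TokenExchangeError("unsupported_grant_type", "grant_type is not token-exchange")
    if "subject_token" not in form or "subject_token_type" not in form:
        raise TokenExchangeError("invalid_request", "subject_token and subject_token_type are required")
    if form["subject_token_type"] != ACCESS_TOKEN_TYPE:
        raise TokenExchangeError("invalid_request", "unsupported subject_token_type")
    record = SUBJECT_TOKENS.get(form["subject_token"])
    if record is None or record["expires_at"] <= time.time():
        raise TokenExchangeError("invalid_grant", "subject_token is invalid or expired")
    # Assumed policy: only the client the subject token was issued to may exchange it.
    if record["client_id"] != client_id:
        raise TokenExchangeError("invalid_grant", "subject_token was not issued to this client")
    return record

def create_token_response(form, client_id, lifetime=600):
    """Issue a down-scoped token per RFC 8693 section 2.2.1; scope may only shrink, never grow."""
    record = validate_token_request(form, client_id)
    requested = set(form.get("scope", "").split()) or record["scope"]
    if not requested <= record["scope"]:
        raise TokenExchangeError("invalid_scope", "requested scope exceeds the subject token's scope")
    # The exchanged token must not outlive the subject token it was derived from.
    expires_in = min(lifetime, int(record["expires_at"] - time.time()))
    return {
        "access_token": secrets.token_urlsafe(32),
        "issued_token_type": ACCESS_TOKEN_TYPE,
        "token_type": "Bearer",
        "expires_in": expires_in,
        "scope": " ".join(sorted(requested)),
    }
```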