ExMCP.Authorization.TokenExchange (ex_mcp v0.9.0)


RFC 8693 Token Exchange implementation.

Supports exchanging one token for another, used in the enterprise-managed authorization flow to exchange an OIDC ID token for an ID-JAG.

Summary

Functions

exchange(opts)

Performs a generic RFC 8693 token exchange.

exchange_id_token_for_id_jag(opts)

Exchanges an OIDC ID token for an ID-JAG at the IdP's token endpoint.

grant_type()

Returns the token exchange grant type URI.

token_type_access()

Returns the access token type URI.

token_type_id()

Returns the ID token type URI.

token_type_id_jag()

Returns the ID-JAG token type URI.

Functions

exchange(opts)

@spec exchange(keyword()) :: {:ok, map()} | {:error, term()}

Performs a generic RFC 8693 token exchange.

Options

  • :token_endpoint (required) - The token endpoint URL
  • :subject_token (required) - The token to exchange
  • :subject_token_type (required) - Type URI of the subject token
  • :requested_token_type - Type URI of the desired token
  • :audience - Target audience for the exchanged token
  • :scope - Requested scope
  • :resource - Target resource URI
  • :actor_token - Token representing the acting party
  • :actor_token_type - Type URI of the actor token
  • :client_id - Client identifier
  • :client_secret - Client secret for authentication

exchange_id_token_for_id_jag(opts)

@spec exchange_id_token_for_id_jag(keyword()) :: {:ok, map()} | {:error, term()}

Exchanges an OIDC ID token for an ID-JAG at the IdP's token endpoint.

This is Step 2 in the enterprise-managed authorization flow.

Options

  • :token_endpoint (required) - The IdP's token endpoint
  • :id_token (required) - The OIDC ID token to exchange
  • :audience (required) - The authorization server's issuer URI
  • :resource - The MCP server resource URI
  • :client_id - Client identifier at the IdP
  • :scope - Requested scope for the ID-JAG
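
The request these options describe, shown on the wire as an added example that is not ExMCP's own code: a standalone sketch that builds the RFC 8693 form body and accepts a response only when `issued_token_type` is the ID-JAG type. The module name, the sample values, the string-keyed response map and the literal type URIs (RFC 8693 and the ID-JAG draft) are assumptions; ExMCP exposes the URIs through grant_type(), token_type_id() and token_type_id_jag().

```elixir
defmodule TokenExchangeSketch do
  # Hypothetical module for illustration; stdlib only, not ExMCP code.
  @grant "urn:ietf:params:oauth:grant-type:token-exchange"
  @id_token "urn:ietf:params:oauth:token-type:id_token"
  # ID-JAG type URI, assumed from the identity assertion grant draft.
  @id_jag "urn:ietf:params:oauth:token-type:id-jag"
  @required [:subject_token, :subject_token_type]
  @optional [:requested_token_type, :audience, :scope, :resource,
             :actor_token, :actor_token_type, :client_id]

  # Form-encoded body for the token endpoint. client_secret is left out:
  # how it is sent depends on the client authentication method in use.
  def form_body(opts) do
    missing = Enum.find(@required, &is_nil(opts[&1]))
    paired? = is_nil(opts[:actor_token]) == is_nil(opts[:actor_token_type])

    cond do
      missing -> {:error, {:missing_option, missing}}
      # RFC 8693: actor_token_type accompanies actor_token, never alone.
      not paired? -> {:error, :actor_token_and_type_must_be_paired}
      true ->
        params = for k <- @required ++ @optional, v = opts[k], do: {Atom.to_string(k), v}
        {:ok, URI.encode_query([{"grant_type", @grant} | params])}
    end
  end

  # ID token -> ID-JAG: token types are fixed, audience is mandatory.
  def id_jag_body(opts) do
    if is_nil(opts[:audience]) do
      {:error, {:missing_option, :audience}}
    else
      opts
      |> Keyword.take([:audience, :resource, :scope, :client_id])
      |> Keyword.merge(subject_token: opts[:id_token], subject_token_type: @id_token,
                       requested_token_type: @id_jag)
      |> form_body()
    end
  end

  # RFC 8693 carries the issued token in "access_token" whatever its type,
  # so the type check on "issued_token_type" is what tells them apart.
  def check_issued(%{"issued_token_type" => @id_jag, "access_token" => jag})
      when is_binary(jag), do: {:ok, jag}
  def check_issued(_other), do: {:error, :unexpected_issued_token_type}
end

# Constructed sample values, not real tokens or endpoints.
{:ok, body} = TokenExchangeSketch.id_jag_body(
  id_token: "constructed.id.token", audience: "https://as.example", resource: "https://mcp.example")
IO.puts(body)
```

Binding `audience` to the authorization server's issuer and rejecting any other `issued_token_type` keeps a token minted for one server from being accepted as an ID-JAG for another.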

grant_type()

Returns the token exchange grant type URI.

token_type_access()

Returns the access token type URI.

token_type_id()

Returns the ID token type URI.

token_type_id_jag()

Returns the ID-JAG token type URI.