Add a basic implementation of token exchange #2064

@jhrozek

Summary

Implement RFC 8693 OAuth 2.0 Token Exchange in a reusable interface that can be used by middleware and other components.

What We're Doing

Creating a token exchange implementation that follows the OAuth 2.0 Token Exchange specification (RFC 8693) to enable ToolHive to exchange incoming access tokens for backend-specific tokens when proxying MCP server requests.

Deliverables

  • Token exchange client library implementing RFC 8693 specification
  • Compatible with standard OAuth2 token source interfaces
  • Configuration structure for token exchange parameters
  • Comprehensive error handling for network and OAuth errors
  • Security features including token redaction in logs and response validation
  • Full unit test coverage

Acceptance Criteria

  • Successfully exchanges subject tokens for backend tokens via RFC 8693
  • Supports all required RFC 8693 parameters (grant_type, subject_token, subject_token_type, requested_token_type)
  • Supports optional RFC 8693 parameters (audience, scope, resource, actor_token)
  • Validates configuration before performing exchange
  • Handles OAuth error responses according to RFC 6749
  • Redacts sensitive tokens in all output
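
As an added example that is not part of the issue or of ToolHive's code, the following Go shows the validate, build and redact steps from the acceptance criteria for an RFC 8693 request. `ExchangeConfig`, `Form`, `Redact`, the https-only check, and the sample endpoint and token are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const grantType = "urn:ietf:params:oauth:grant-type:token-exchange"
const accessTokenType = "urn:ietf:params:oauth:token-type:access_token"

// ExchangeConfig is a hypothetical config type, not ToolHive's own.
type ExchangeConfig struct{ TokenURL, SubjectToken, Audience, Scope string }

// Form validates the config, then builds the RFC 8693 section 2.1 request body.
func (c ExchangeConfig) Form() (url.Values, error) {
	u, err := url.Parse(c.TokenURL)
	if err != nil || u.Scheme != "https" || u.Host == "" { // assumption: https only
		return nil, fmt.Errorf("token URL must be an absolute https URL")
	}
	if c.SubjectToken == "" {
		return nil, fmt.Errorf("subject_token is required")
	}
	v := url.Values{"grant_type": {grantType}, "subject_token": {c.SubjectToken},
		"subject_token_type": {accessTokenType}, "requested_token_type": {accessTokenType}}
	for k, val := range map[string]string{"audience": c.Audience, "scope": c.Scope} {
		if val != "" { // optional parameters are sent only when configured
			v.Set(k, val)
		}
	}
	return v, nil
}

// Redact returns a log-safe copy of the form: every *_token value is masked.
func Redact(v url.Values) url.Values {
	out := url.Values{}
	for k, vals := range v {
		out[k] = vals
		if strings.HasSuffix(k, "_token") { // subject_token, actor_token
			out[k] = []string{"REDACTED"}
		}
	}
	return out
}

func main() { // constructed sample values; endpoint and token are placeholders
	form, err := ExchangeConfig{TokenURL: "https://idp.example/token", SubjectToken: "constructed-token", Audience: "backend"}.Form()
	fmt.Println(Redact(form).Encode(), err)
}
```

Only the redacted copy is meant for logs; the original `url.Values` is what gets POSTed to the token endpoint.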
