support issuing jwt authorization grant (jag) tokens

[havetisyan]

Description

support issuing jwt authorization grant (jag) tokens as described in #3100

Contribution Checklist:

• The pull request does not introduce any breaking changes
• I have read the contribution guidelines.
• Create an issue and link to the pull request.

Attach Screenshots (Optional)

[gemini-code-assist]

Summary of Changes

Hello @havetisyan, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant new feature by enabling the ZTS server to issue JWT Authorization Grant (JAG) tokens. It involves updating core data models to reflect the new token type, implementing the server-side logic for processing token exchange requests, and enhancing token validation mechanisms. The changes ensure that the system can securely handle and issue these specialized tokens, complete with robust authorization checks and thorough test coverage.

Highlights

• JWT Authorization Grant (JAG) Token Support: Implemented support for issuing JWT Authorization Grant (JAG) tokens, as described in issue Identity Assertion Authorization Grant support in ZTS #3100, enabling a new token exchange flow.
• AccessTokenResponse Model Extension: The AccessTokenResponse model has been extended across Go, Java, and RDL schemas to include a new issued_token_type field, indicating the type of token issued.
• New Token Exchange Endpoint: A new endpoint handler, processAccessTokenJAGExchange, has been added to the ZTS server to process token exchange requests, validating subject tokens and issuing JAG-typed access tokens.
• Enhanced Token Validation and Authorization: The ZTS server now performs comprehensive validation of subject tokens and ensures the requesting principal is authorized for the token exchange, including mandatory scope validation.
• Comprehensive Unit Testing: Extensive unit tests have been added and updated to cover various success and failure scenarios for the new JAG token exchange functionality and IdToken validation.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request successfully adds support for issuing JWT Authorization Grant (JAG) tokens. The changes are comprehensive, touching client libraries, schema definitions, core authentication logic, and the server implementation. The new token exchange flow in ZTSImpl is well-implemented and accompanied by a thorough set of tests.

I have identified a critical typo in a constant name that would lead to an incorrect issued_token_type in the response. Additionally, I've provided a few suggestions to improve code style and error message clarity, which will enhance maintainability and debuggability. The refactoring in AccessTokenRequest.java to centralize client assertion validation is a notable improvement.