Add ID token support for token exchange

Introduce support for exchanging externally-issued OIDC
ID tokens for access tokens via the OAuth 2.0 Token
Exchange Grant per RFC 8693 Section 3.

- Add urn:ietf:params:oauth:token-type:id_token as a
  supported token type in the converter
- Add OAuth2TokenExchangeSubjectTokenResolver strategy
  interface for resolving external subject tokens
- Add OidcIdTokenSubjectTokenResolver as the default
  implementation using JwtDecoderFactory
- Modify OAuth2TokenExchangeAuthenticationProvider to
  delegate to the resolver before falling back to the
  authorization service
- Auto-wire the resolver bean in the configurer

Closes gh-19048

Signed-off-by: Bapuji Koraganti <bapuk.2008@gmail.com>

Author: bkoragan

config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java

@@ -24,6 +24,7 @@
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
@@ -176,8 +177,10 @@ public void configure(H http) {
 		WebAuthnRelyingPartyOperations rpOperations = webAuthnRelyingPartyOperations(userEntities, userCredentials);
 		PublicKeyCredentialCreationOptionsRepository creationOptionsRepository = creationOptionsRepository();
 		WebAuthnAuthenticationFilter webAuthnAuthnFilter = new WebAuthnAuthenticationFilter();
-		webAuthnAuthnFilter.setAuthenticationManager(
-				new ProviderManager(new WebAuthnAuthenticationProvider(rpOperations, userDetailsService)));
+		ProviderManager providerManager = new ProviderManager(
+				new WebAuthnAuthenticationProvider(rpOperations, userDetailsService));
+		getBeanOrNull(AuthenticationEventPublisher.class).ifPresent(providerManager::setAuthenticationEventPublisher);
+		webAuthnAuthnFilter.setAuthenticationManager(providerManager);
 		webAuthnAuthnFilter = postProcess(webAuthnAuthnFilter);
 		WebAuthnRegistrationFilter webAuthnRegistrationFilter = new WebAuthnRegistrationFilter(userCredentials,
 				rpOperations);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenEndpointConfigurer.java

@@ -40,6 +40,7 @@
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceCodeAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2RefreshTokenAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeAuthenticationProvider;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeSubjectTokenResolver;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
@@ -271,6 +272,11 @@ private static List<AuthenticationProvider> createDefaultAuthenticationProviders
 
 		OAuth2TokenExchangeAuthenticationProvider tokenExchangeAuthenticationProvider = new OAuth2TokenExchangeAuthenticationProvider(
 				authorizationService, tokenGenerator);
+		OAuth2TokenExchangeSubjectTokenResolver subjectTokenResolver = OAuth2ConfigurerUtils
+			.getOptionalBean(httpSecurity, OAuth2TokenExchangeSubjectTokenResolver.class);
+		if (subjectTokenResolver != null) {
+			tokenExchangeAuthenticationProvider.setSubjectTokenResolver(subjectTokenResolver);
+		}
 		authenticationProviders.add(tokenExchangeAuthenticationProvider);
 
 		return authenticationProviders;