feat: Allow access token grant type for federated connections

src/server/auth-client.ts

@@ -26,6 +26,7 @@ import {
   LogoutToken,
   SessionData,
   StartInteractiveLoginOptions,
+  SUBJECT_TOKEN_TYPES,
   TokenSet,
   User
 } from "../types/index.js";
@@ -80,15 +81,6 @@ const DEFAULT_SCOPES = ["openid", "profile", "email", "offline_access"].join(
 const GRANT_TYPE_FEDERATED_CONNECTION_ACCESS_TOKEN =
   "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token";
 
-/**
- * Constant representing the subject type for a refresh token.
- * This is used in OAuth 2.0 token exchange to specify that the token being exchanged is a refresh token.
- *
- * @see {@link https://tools.ietf.org/html/rfc8693#section-3.1 RFC 8693 Section 3.1}
- */
-const SUBJECT_TYPE_REFRESH_TOKEN =
-  "urn:ietf:params:oauth:token-type:refresh_token";
-
 /**
  * A constant representing the token type for federated connection access tokens.
  * This is used to specify the type of token being requested from Auth0.
@@ -1159,7 +1151,11 @@ export class AuthClient {
       const params = new URLSearchParams();
 
       params.append("connection", options.connection);
-      params.append("subject_token_type", SUBJECT_TYPE_REFRESH_TOKEN);
+      params.append(
+        "subject_token_type",
+        options.subject_token_type ||
+          SUBJECT_TOKEN_TYPES.SUBJECT_TYPE_REFRESH_TOKEN
+      );
       params.append("subject_token", tokenSet.refreshToken);
       params.append(
         "requested_token_type",

src/types/index.ts

@@ -88,7 +88,10 @@ export type {
   SessionStoreOptions
 } from "../server/session/abstract-session-store.js";
 
-export type { CookieOptions, ReadonlyRequestCookies } from "../server/cookies.js";
+export type {
+  CookieOptions,
+  ReadonlyRequestCookies
+} from "../server/cookies.js";
 
 export type {
   TransactionStoreOptions,
@@ -130,6 +133,22 @@ export interface AuthorizationParameters {
   [key: string]: unknown;
 }
 
+export enum SUBJECT_TOKEN_TYPES {
+  /**
+   * Indicates that the token is an OAuth 2.0 refresh token issued by the given authorization server.
+   *
+   * @see {@link https://datatracker.ietf.org/doc/html/rfc8693#section-3-3.4 RFC 8693 Section 3-3.4}
+   */
+  SUBJECT_TYPE_REFRESH_TOKEN = "urn:ietf:params:oauth:token-type:refresh_token",
+
+  /**
+   * Indicates that the token is an OAuth 2.0 access token issued by the given authorization server.
+   *
+   * @see {@link https://datatracker.ietf.org/doc/html/rfc8693#section-3-3.2 RFC 8693 Section 3-3.2}
+   */
+  SUBJECT_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
+}
+
 /**
  * Options for retrieving a connection access token.
  */
@@ -143,6 +162,17 @@ export interface AccessTokenForConnectionOptions {
    * An optional login hint to pass to the authorization server.
    */
   login_hint?: string;
+
+  /**
+   * The type of token that is being exchanged.
+   *
+   * Uses the {@link SUBJECT_TOKEN_TYPES} enum with the following allowed values:
+   * - `SUBJECT_TYPE_REFRESH_TOKEN`: `"urn:ietf:params:oauth:token-type:refresh_token"`
+   * - `SUBJECT_TYPE_ACCESS_TOKEN`: `"urn:ietf:params:oauth:token-type:access_token"`
+   *
+   * Defaults to `SUBJECT_TYPE_REFRESH_TOKEN`.
+   */
+  subject_token_type?: SUBJECT_TOKEN_TYPES;
 }
 
 /**