Support JWT as an Authorization Grant for client

[jgrandja]

This feature will partially implement JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.

Section 2.1. Using JWTs as Authorization Grants will be the focus for this feature implementation.

JWT Bearer Token can be used to request
an access token when a client wishes to utilize an existing trust
relationship, expressed through the semantics of the JWT, without a
direct user-approval step at the authorization server

One of the primary use cases for using a JWT as an authorization grant is to exchange it for another JWT (at the Token Endpoint) with narrowed scope. This is useful when a service (a) wants to call another downstream service (b) with only scope that service (b) understands (supports).

NOTE: This ticket addresses client-side support only.

Related #5199 #8175

[gandrade]

Would be great have this feature targeting next milestone.

[jgrandja]

@gandrade We've been working hard on the upcoming 5.2.0 release (scheduled Sep 19), and it's looking like I won't be able to get to this feature in time. There have been quite a few other priority items that I've been working on.

It would likely be faster if someone from the community can provide a PR for this feature. Although this is not a trivial feature to implement, it would have a very similar implementation as #7013.

Would you be interested in submitting a PR for this feature? If not, I'll leave this up for someone in the community to pick up.

[ThomasVitale]

Hi @jgrandja, if someone was available to support me in clarifying and reviewing the technical design for this feature, then I would like to work on it. I am already familiar with the OAuth 2.0 specs and work daily on security features for enterprise applications. But since it would be my first feature-size task on this project, I could use some guidance.