Token exchange for device sso clients

[rileyanderson]

Summary

• Token exchange for device sso clients

Related issue(s)

• Implement token exchange grant type for /token endpoint va.gov-team#82121
• Move sign_in_controller#token logic to service objects #16838

Testing

• Authenticate with SiS using a client that has api authentication and shared_sessions (vamobile will work)
• When you call /authorize send scope=device_sso param
• Call /token normally to get you tokens, you should receive a device_secret
• Exchange tokens by calling /token with:

  {
    "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
    "subject_token": "{access_token}",
    "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
    "actor_token": "{device_secret}",
    "actor_token_type": "urn:x-oath:params:oauth:token-type:device-secret",
    "client_id": "vaweb"
  }

• You should receive new tokens in the set-cookie header

What areas of the site does it impact?

Authentication

Acceptance criteria

• I fixed|updated|added unit tests and integration tests for each feature (if applicable).
• No error nor warning in the console.
• Events are being sent to the appropriate logging solution
• No sensitive information (i.e. PII/credentials/internal URLs/etc.) is captured in logging, hardcoded, or specs
• If app impacted requires authentication, did you login to a local build and verify all authenticated routes work as expected

[github-actions]

1 Error

🚫

This PR changes 1143 LoC (not counting whitespace/newlines). In order to ensure each PR receives the proper attention it deserves, those exceeding 500 will not be reviewed, nor will they be allowed to merge. Please break this PR up into smaller ones. If you have reason to believe that this PR should be granted an exception, please see the Submitting pull requests for approval - FAQ. File Summary Files app/controllers/concerns/sign_in/audience_validator.rb (+1/-1) app/controllers/v0/sign_in_controller.rb (+1/-1) app/services/sign_in/client_assertion_validator.rb (+1/-1) app/services/sign_in/constants/auth.rb (+2/-3) app/services/sign_in/constants/urn.rb (+13/-0) app/services/sign_in/errors.rb (+4/-0) app/services/sign_in/session_spawner.rb (+124/-0) app/services/sign_in/token_exchanger.rb (+101/-0) app/services/sign_in/token_params_validator.rb (+19/-4) app/services/sign_in/token_response_generator.rb (+11/-0) modules/accredited_representative_portal/spec/requests/accredited_representative_portal/application_spec.rb (+1/-1) spec/controllers/sign_in/audience_validator_spec.rb (+1/-1) spec/controllers/v0/sign_in_controller_spec.rb (+272/-2) spec/services/sign_in/client_assertion_validator_spec.rb (+1/-1) spec/services/sign_in/code_validator_spec.rb (+1/-1) spec/services/sign_in/session_spawner_spec.rb (+239/-0) spec/services/sign_in/token_exchanger_spec.rb (+215/-0) spec/services/sign_in/token_params_validator_spec.rb (+73/-4) spec/services/sign_in/token_response_generator_spec.rb (+43/-0) Note: We exclude files matching the following when considering PR size: *.csv, *.json, *.tsv, *.txt, Gemfile.lock, app/swagger, modules/mobile/docs, spec/fixtures/, spec/support/vcr_cassettes/, modules/mobile/spec/support/vcr_cassettes/, db/seeds, modules/vaos/app/docs, modules/meb_api/app/docs, modules/appeals_api/app/swagger/, *.bru Big PRs are difficult to review, often become stale, and cause delays.

Generated by 🚫 Danger

[dickdavis]

LGTM, just a few questions and nitpick suggestions, but overall implementation looks solid.

[bosawt]

@dickdavis I believe I've addressed your comments, I made changes in response to all of them except the TokenParamValidator one since that's not actionable in this PR

[dickdavis]

Tested locally and works as expected

[gabezurita]

The one ARP change LGTM 😄

[ericboehs]

Code looking clean.