Summary
The getTokenExchangeRequest function in sdk/auth/oauth/oauth.go was missing the
subject_token_type parameter from the token exchange POST body.
RFC 8693 §2.1 defines subject_token_type as a required parameter when
grant_type is urn:ietf:params:oauth:grant-type:token-exchange. Authorization
servers such as Keycloak reject the request with a 400 error when it is absent.
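
The check below is an added example, not the SDK's code: it builds a token exchange form body and reports which RFC 8693 §2.1 required parameters are absent, so a unit test can catch this class of omission before an authorization server does. The names buildExchangeForm and missingRequired are hypothetical, and the token value is constructed.

```go
package main

import (
	"fmt"
	"net/url"
)

// Identifiers defined by RFC 8693 (grant type in §2.1, token type in §3).
const (
	grantTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	typeAccessToken    = "urn:ietf:params:oauth:token-type:access_token"
)

// buildExchangeForm is a hypothetical stand-in for a request builder.
// An empty subjectTokenType reproduces the omission described above.
func buildExchangeForm(subjectToken, subjectTokenType string) url.Values {
	form := url.Values{}
	form.Set("grant_type", grantTokenExchange)
	form.Set("subject_token", subjectToken)
	if subjectTokenType != "" {
		form.Set("subject_token_type", subjectTokenType)
	}
	return form
}

// missingRequired lists required token exchange parameters absent from form.
// It returns nil for any other grant type.
func missingRequired(form url.Values) []string {
	if form.Get("grant_type") != grantTokenExchange {
		return nil
	}
	var missing []string
	for _, p := range []string{"subject_token", "subject_token_type"} {
		if form.Get(p) == "" {
			missing = append(missing, p)
		}
	}
	// actor_token_type is required only when actor_token is present.
	if form.Get("actor_token") != "" && form.Get("actor_token_type") == "" {
		missing = append(missing, "actor_token_type")
	}
	return missing
}

func main() {
	before := buildExchangeForm("constructed-token", "")
	after := buildExchangeForm("constructed-token", typeAccessToken)
	fmt.Println("before:", missingRequired(before), before.Encode())
	fmt.Println("after: ", missingRequired(after), after.Encode())
}
```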