fix(core): remove the requirement of secured app for PAT (#6493)

packages/core/src/oidc/grants/token-exchange/index.ts

@@ -25,7 +25,7 @@ import { handleClientCertificate, handleDPoP, checkOrganizationAccess } from '..
 
 import { validateSubjectToken } from './account.js';
 import { handleActorToken } from './actor-token.js';
-import { TokenExchangeTokenType, type TokenExchangeAct } from './types.js';
+import { type TokenExchangeAct } from './types.js';
 
 const { InvalidClient, InvalidGrant } = errors;
 
@@ -67,12 +67,6 @@ export const buildHandler: (
     !(await isThirdPartyApplication(queries, client.clientId)),
     new InvalidClient('third-party applications are not allowed for this grant type')
   );
-  // Personal access tokens require secured client
-  assertThat(
-    params.subject_token_type !== TokenExchangeTokenType.PersonalAccessToken ||
-      client.tokenEndpointAuthMethod === 'client_secret_basic',
-    new InvalidClient('third-party applications are not allowed for this grant type')
-  );
 
   validatePresence(ctx, ...requiredParameters);
 

packages/integration-tests/src/tests/api/oidc/token-exchange/personal-access-token.test.ts

@@ -140,20 +140,6 @@ describe('Token Exchange (Personal Access Token)', () => {
     expect(payload).toHaveProperty('sub', testUserId);
   });
 
-  it('should fail with non-secure client authentication method', async () => {
-    await expect(
-      oidcApi.post('token', {
-        headers: formUrlEncodedHeaders,
-        body: new URLSearchParams({
-          client_id: testApiResourceId,
-          grant_type: GrantType.TokenExchange,
-          subject_token: testToken,
-          subject_token_type: tokenType,
-        }),
-      })
-    ).rejects.toThrow();
-  });
-
   it('should fail with invalid PAT', async () => {
     await expect(
       oidcApi.post('token', {