test: add resource test cases for token exchange (#6216)

* feat(core): handle dpop and client certificate for token exchange

* refactor(core): refactor organizations in grants

* test: add resource test cases for token exchange

packages/integration-tests/src/tests/api/oidc/token-exchange.test.ts

@@ -207,6 +207,47 @@ describe('Token Exchange', () => {
     });
   });
 
+  describe('get access token for resource', () => {
+    it('should exchange an access token with resource as `aud`', async () => {
+      const { subjectToken } = await createSubjectToken(testUserId);
+
+      const { access_token } = await oidcApi
+        .post('token', {
+          headers: formUrlEncodedHeaders,
+          body: new URLSearchParams({
+            client_id: testApplicationId,
+            grant_type: GrantType.TokenExchange,
+            subject_token: subjectToken,
+            subject_token_type: 'urn:ietf:params:oauth:token-type:access_token',
+            resource: testApiResourceInfo.indicator,
+          }),
+        })
+        .json<{ access_token: string }>();
+
+      expect(getAccessTokenPayload(access_token)).toHaveProperty(
+        'aud',
+        testApiResourceInfo.indicator
+      );
+    });
+
+    it('should fail with invalid resource', async () => {
+      const { subjectToken } = await createSubjectToken(testUserId);
+
+      await expect(
+        oidcApi.post('token', {
+          headers: formUrlEncodedHeaders,
+          body: new URLSearchParams({
+            client_id: testApplicationId,
+            grant_type: GrantType.TokenExchange,
+            subject_token: subjectToken,
+            subject_token_type: 'urn:ietf:params:oauth:token-type:access_token',
+            resource: 'invalid_resource',
+          }),
+        })
+      ).rejects.toThrow();
+    });
+  });
+
   describe('get access token for organization', () => {
     const scopeName = `read:${randomString()}`;