diff --git a/packages/integration-tests/src/tests/api/oidc/token-exchange.test.ts b/packages/integration-tests/src/tests/api/oidc/token-exchange.test.ts
index 92aefa80a..a6ec845f4 100644
--- a/packages/integration-tests/src/tests/api/oidc/token-exchange.test.ts
+++ b/packages/integration-tests/src/tests/api/oidc/token-exchange.test.ts
@@ -207,6 +207,47 @@ describe('Token Exchange', () => {
 });
 });
+ describe('get access token for resource', () => {
+ it('should exchange an access token with resource as `aud`', async () => {
+ const { subjectToken } = await createSubjectToken(testUserId);
+
+ const { access_token } = await oidcApi
+ .post('token', {
+ headers: formUrlEncodedHeaders,
+ body: new URLSearchParams({
+ client_id: testApplicationId,
+ grant_type: GrantType.TokenExchange,
+ subject_token: subjectToken,
+ subject_token_type: 'urn:ietf:params:oauth:token-type:access_token',
+ resource: testApiResourceInfo.indicator,
+ }),
+ })
+ .json<{ access_token: string }>();
+
+ expect(getAccessTokenPayload(access_token)).toHaveProperty(
+ 'aud',
+ testApiResourceInfo.indicator
+ );
+ });
+
+ it('should fail with invalid resource', async () => {
+ const { subjectToken } = await createSubjectToken(testUserId);
+
+ await expect(
+ oidcApi.post('token', {
+ headers: formUrlEncodedHeaders,
+ body: new URLSearchParams({
+ client_id: testApplicationId,
+ grant_type: GrantType.TokenExchange,
+ subject_token: subjectToken,
+ subject_token_type: 'urn:ietf:params:oauth:token-type:access_token',
+ resource: 'invalid_resource',
+ }),
+ })
+ ).rejects.toThrow();
+ });
+ });
+
 describe('get access token for organization', () => {
 const scopeName = `read:${randomString()}`;
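Review bot: The negative test 'should fail with invalid resource' ends in a bare `).rejects.toThrow();`, so it passes on any rejection (a 5xx, a rejected subject token, a transport error) and does not show that the resource indicator was what got refused. Pin the failure to the expected response, for example `).rejects.toMatchObject({ response: { status: 400 } });` if errors from `oidcApi` expose the response that way (the client is defined outside the hunk), and check the error code as well; RFC 8707 names `invalid_target` for a rejected resource. The value `'invalid_resource'` is also not an absolute URI, so only the malformed case is exercised. A second case with a well-formed but unregistered indicator such as `https://unregistered.example/api` (constructed value) would cover the path that matters for audience restriction.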