Add support for Connection Access Token

[frederikprijck]

📋 Changes

This PR adds support for getFederatedConnectionAccessToken({ connection: string; login_hint?: string }), which can be used to obtain federated connection access token using the oauth/token endpoint.

In order to retrieve a federated connection access token, we call oauth/token using the following payload:

{
  "connection": "<connection(e.g. google-oauth2)>",
  "subject_token_type": "urn:ietf:params:oauth:token-type:refresh_token",
  "subject_token": "<refresh_token>",
  "requested_token_type": "http://auth0.com/oauth/token-type/federated-connection-access-token",
  "client_id": "<client_id>",
  "client_secret": "<client_secret>",
  "grant_type": "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token"
}

The retrieved token will also be stored in the session store, comparable to regular session information.

Stateless
As the browser has a limit to the size of the cookie, each federated connection access token is stored in its own cookie, using the __FC_{index} name.

When an application needs to us many access tokens, it's recommended to consider using a stateful session store.

Stateful
For the stateful session store, nothing changes other than the fact that the provided SessionData, now has an additional federatedConnectionTokenSets property, being either undefined, or an array of FederatedConnectionTokenSet.

Just like getAccessToken(), the newly added getFederatedConnectionAccessToken() can not write to the cookies when called from a Server Component, and will log a warning when either of these two methods are called from such Server Component.

📎 References

N/A

🎯 Testing

I have tested this against the only environment that has the feature enabled, and I ensured the following scenario's:

• When not logged in, calling getFederatedConnectionAccessToken throws the MISSING_REFRESH_TOKEN error.
• When logged in, and no Federated Connection Access Token is in the cache, a call to oauth/token is mad, the resulting access token is stored in the stateless or stateful session store and returned.
• When logged in, and a non expired Federated Connection Access token is in the cache, no call to oauth/token is made, and the access token from the cache is returned.
• When logged in, and an expired Federated Connection Access token is in the cache, a call to oauth/token is mad, the resulting access token is stored in the stateless or stateful session store and returned.
• When logging out, the __FC cookies are also removed.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 46.68990% with 153 lines in your changes missing coverage. Please review.

Project coverage is 74.67%. Comparing base (b92c9bf) to head (ae94e85).

Files with missing lines	Patch %	Lines
src/server/client.ts	0.00%	105 Missing ⚠️
src/server/session/stateless-session-store.ts	39.74%	47 Missing ⚠️
src/server/auth-client.ts	98.91%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2010      +/-   ##
==========================================
- Coverage   77.60%   74.67%   -2.94%     
==========================================
  Files          21       21              
  Lines        1612     1848     +236     
  Branches      262      283      +21     
==========================================
+ Hits         1251     1380     +129     
- Misses        354      461     +107     
  Partials        7        7              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[frederikprijck]

Created a new branch as there were many conflicts, did another round of manual testing and everything seems to work like before resolving the conflicts 👍