Add access keys custom claims

src/main/java/com/descope/model/auth/AccessKeyLoginOptions.java

@@ -0,0 +1,15 @@
+package com.descope.model.auth;
+
+import java.util.Map;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class AccessKeyLoginOptions {
+  private Map<String, Object> customClaims;
+}

src/main/java/com/descope/sdk/auth/AuthenticationService.java

@@ -1,6 +1,7 @@
 package com.descope.sdk.auth;
 
 import com.descope.exception.DescopeException;
+import com.descope.model.auth.AccessKeyLoginOptions;
 import com.descope.model.jwt.Token;
 import com.descope.model.user.response.UserHistoryResponse;
 import com.descope.model.user.response.UserResponse;
@@ -50,6 +51,16 @@ Token validateAndRefreshSessionWithTokens(String sessionToken, String refreshTok
    */
   Token exchangeAccessKey(String accessKey) throws DescopeException;
 
+  /**
+   * Use to exchange an access key for a session token with login options.
+   *
+   * @param accessKey - Access Key
+   * @param loginOptions - {@link AccessKeyLoginOptions loginOptions}
+   * @return {@link Token Token}
+   * @throws DescopeException if there is an error
+   */
+  Token exchangeAccessKey(String accessKey, AccessKeyLoginOptions loginOptions) throws DescopeException;
+
   /**
    * Use to ensure that a validated session token has been granted the specified permissions. This
    * is a shortcut for validatePermissions(token, "", permissions)

src/main/java/com/descope/sdk/auth/impl/AuthenticationServiceImpl.java

@@ -7,9 +7,11 @@
 import static com.descope.literals.Routes.AuthEndPoints.LOG_OUT_ALL_LINK;
 import static com.descope.literals.Routes.AuthEndPoints.LOG_OUT_LINK;
 import static com.descope.literals.Routes.AuthEndPoints.ME_LINK;
+import static com.descope.utils.CollectionUtils.mapOf;
 
 import com.descope.exception.DescopeException;
 import com.descope.exception.ServerCommonException;
+import com.descope.model.auth.AccessKeyLoginOptions;
 import com.descope.model.auth.AuthenticationInfo;
 import com.descope.model.auth.ExchangeTokenRequest;
 import com.descope.model.client.Client;
@@ -71,10 +73,19 @@ public Token validateAndRefreshSessionWithTokens(String sessionToken, String ref
 
   @Override
   public Token exchangeAccessKey(String accessKey) throws DescopeException {
+    return exchangeAccessKey(accessKey, null);
+  }
+
+  @Override
+  public Token exchangeAccessKey(String accessKey, AccessKeyLoginOptions loginOptions) throws DescopeException {
+    if (StringUtils.isBlank(accessKey)) {
+      throw ServerCommonException.invalidArgument("accessKey");
+    }
     ApiProxy apiProxy = getApiProxy(accessKey);
     URI exchangeAccessKeyLinkURL = composeExchangeAccessKeyLinkURL();
 
-    JWTResponse jwtResponse = apiProxy.post(exchangeAccessKeyLinkURL, null, JWTResponse.class);
+    JWTResponse jwtResponse = apiProxy.post(exchangeAccessKeyLinkURL,
+        mapOf("loginOptions", loginOptions), JWTResponse.class);
     AuthenticationInfo authenticationInfo = getAuthenticationInfo(jwtResponse);
     return authenticationInfo.getToken();
   }

src/test/java/com/descope/sdk/auth/impl/AuthenticationServiceImplTest.java

@@ -1,6 +1,7 @@
 package com.descope.sdk.auth.impl;
 
 import static com.descope.sdk.TestUtils.MOCK_TOKEN;
+import static com.descope.utils.CollectionUtils.mapOf;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
@@ -9,22 +10,26 @@
 
 import com.descope.enums.DeliveryMethod;
 import com.descope.exception.RateLimitExceededException;
+import com.descope.model.auth.AccessKeyLoginOptions;
 import com.descope.model.auth.AuthenticationInfo;
 import com.descope.model.auth.AuthenticationServices;
 import com.descope.model.client.Client;
 import com.descope.model.jwt.Token;
+import com.descope.model.mgmt.AccessKeyResponse;
 import com.descope.model.mgmt.ManagementServices;
 import com.descope.model.user.request.UserRequest;
 import com.descope.model.user.response.OTPTestUserResponse;
 import com.descope.model.user.response.UserResponse;
 import com.descope.sdk.TestUtils;
 import com.descope.sdk.auth.AuthenticationService;
 import com.descope.sdk.auth.OTPService;
+import com.descope.sdk.mgmt.AccessKeyService;
 import com.descope.sdk.mgmt.RolesService;
 import com.descope.sdk.mgmt.TenantService;
 import com.descope.sdk.mgmt.UserService;
 import com.descope.sdk.mgmt.impl.ManagementServiceBuilder;
 import java.util.Arrays;
+import java.util.Map;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junitpioneer.jupiter.RetryingTest;
@@ -36,6 +41,7 @@ public class AuthenticationServiceImplTest {
   private OTPService otpService;
   private RolesService roleService;
   private TenantService tenantService;
+  private AccessKeyService accessKeyService;
 
   @BeforeEach
   void setUp() {
@@ -47,6 +53,7 @@ void setUp() {
     this.userService = mgmtServices.getUserService();
     this.roleService = mgmtServices.getRolesService();
     this.tenantService = mgmtServices.getTenantService();
+    this.accessKeyService = mgmtServices.getAccessKeyService();
   }
 
   @Test
@@ -122,4 +129,17 @@ void testFunctionalFullCycle() throws Exception {
     authenticationService.logout(authInfo.getRefreshToken().getJwt());
     userService.delete(loginId);
   }
+
+  @RetryingTest(value = 3, suspendForMs = 30000, onExceptions = RateLimitExceededException.class)
+  void testFunctionalExchangeToken() throws Exception {
+    String name = TestUtils.getRandomName("ak-");
+    AccessKeyResponse resp = accessKeyService.create(name, 0, null, null);
+    Token token = authenticationService.exchangeAccessKey(resp.getCleartext(),
+        new AccessKeyLoginOptions(mapOf("kuku", "kiki")));
+    // temporary
+    @SuppressWarnings("unchecked")
+    Map<String, Object> nsecClaims = Map.class.cast(token.getClaims().get("nsec"));
+    assertEquals("kiki", nsecClaims.get("kuku"));
+    accessKeyService.delete(resp.getKey().getId());
+  }
 }