Token exchange support

[puug]

Basic implementation of token-exchange for the authorization server which address some of the points raised in #585

There's a couple of points worth discussing in this PR

• The approach of using a new AuthorizationProvider
• The flexibility vs ease of use of the TokenExchangeService which allows for all sorts of token support. I could supply a basic implementation which takes a username as the subject_token and looks up against a UserDetailsService, but it would only be for test & evaluation purposes.
• Should resource server support be included with this PR?

[pivotal-issuemaster]

@puug Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

[pivotal-issuemaster]

@puug Thank you for signing the Contributor License Agreement!

[jgrandja]

Hi @puug. I apologize for the delay in getting to review this PR.

As an FYI, we are limiting new features and only accepting bug fixes and minor enhancements as this project is in maintenance mode. Our efforts are focused on the new OAuth support we are building into Spring Security core project. We just released 5.0.0.M1 which provides support for the client-side and we hope to get to the server-side support soon.

We appreciate your efforts here but I'm going to close this PR as it does contain new classes and interfaces (TokenExchangeService) that we cannot merge into a patch release.

Please keep an eye out on the new OAuth support we are building into Spring Security 5.0.0 and we hope you can contribute there.
Thank you.