
Add OAuth resource indicator support #67

Merged
patatoid merged 3 commits into malach-it:master from m1234567898:codex/oauth-resource-indicators
May 8, 2026

Conversation

@m1234567898
Contributor

Summary

Adds backward-compatible OAuth Resource Indicators (RFC 8707) support:

  • accepts optional resource on authorization and token requests
  • stores resource on authorization codes, access tokens, and PAR requests
  • carries resource from authorization code/refresh flows into minted tokens
  • rejects mismatched requested resources with invalid_target
  • exposes resource and aud in introspection responses
  • adds a resource-aware access token authorization helper

Why

  • Model Context Protocol (MCP) authorization is being modeled off of the OAuth 2.1 draft, and resource is a critical component for ensuring the Principle of Least Privilege is applied.
  • In pursuing the implementation of this OAuth strategy for our own purposes, it seemed appropriate for the resource piece to belong to Boruta.

More About Resource

When requesting a token, the client can indicate the desired target service(s) where it intends to use that token by way of the resource parameter and can indicate the desired scope of the requested token using the scope parameter. The semantics of such a request are that the client is asking for a token with the requested scope that is usable at all the requested target services. Effectively, the requested access rights of the token are the cartesian product of all the scopes at all the target services.
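The behaviour listed in the summary above, as an added example that is not Boruta's code: a minimal in-memory authorization server that accepts an optional resource on the authorization and token requests, stores it on the code, carries it into the minted token, answers a mismatched or malformed resource with invalid_target, exposes resource and aud in introspection, and offers a resource-aware access check for a resource server. It also computes the Cartesian product of scopes and target services described in the RFC text. The class and function names (AuthorizationServer, effective_rights, ...) and the sample client and resource URIs are assumptions constructed for the illustration.

```python
"""Minimal model of RFC 8707 resource indicators (added example, not Boruta's code).

Names and sample URIs below are constructed for the illustration.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse


class OAuthError(Exception):
    """Carries the error code the server would put in its error response."""

    def __init__(self, code: str, description: str):
        super().__init__(f"{code}: {description}")
        self.code = code


def validate_resource(uri: str) -> str:
    """RFC 8707 section 2: a resource indicator is an absolute URI without a fragment."""
    parsed = urlparse(uri)
    if not parsed.scheme or not parsed.netloc or parsed.fragment:
        raise OAuthError("invalid_target", f"malformed resource indicator: {uri}")
    return uri


@dataclass
class AuthorizationCode:
    client_id: str
    scope: frozenset
    resources: frozenset  # target services the authorization was granted for


@dataclass
class AccessToken:
    client_id: str
    scope: frozenset
    aud: frozenset  # the resources the token is usable at


@dataclass
class AuthorizationServer:
    # Constructed sample registration: the resource servers each client may target.
    registered: dict
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

    def authorize(self, client_id, scope, resources=()):
        """Authorization request. resource is optional; if given it must be registered."""
        allowed = self.registered[client_id]
        wanted = frozenset(validate_resource(r) for r in resources) or allowed
        unknown = wanted - allowed
        if unknown:
            raise OAuthError("invalid_target", f"unregistered resource {sorted(unknown)}")
        code = secrets.token_urlsafe(16)
        self.codes[code] = AuthorizationCode(client_id, frozenset(scope), wanted)
        return code

    def token(self, code, resources=()):
        """Code exchange. A token request may narrow, never widen, the code's resources."""
        if code not in self.codes:
            raise OAuthError("invalid_grant", "unknown or already used authorization code")
        ac = self.codes.pop(code)  # single use
        requested = frozenset(validate_resource(r) for r in resources) or ac.resources
        if not requested <= ac.resources:
            raise OAuthError("invalid_target", "resource not covered by the authorization")
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = AccessToken(ac.client_id, ac.scope, requested)
        return tok

    def introspect(self, tok):
        """Introspection response extended with resource and aud."""
        at = self.tokens.get(tok)
        if at is None:
            return {"active": False}
        return {
            "active": True,
            "client_id": at.client_id,
            "scope": " ".join(sorted(at.scope)),
            "resource": sorted(at.aud),
            "aud": sorted(at.aud),
        }

    def authorize_access(self, tok, resource, required_scope):
        """Resource-aware check a resource server runs: right audience and right scope."""
        at = self.tokens.get(tok)
        return at is not None and resource in at.aud and required_scope in at.scope


def effective_rights(server, tok):
    """Access rights of a token: the Cartesian product of its scopes and its resources."""
    at = server.tokens[tok]
    return {(resource, scope) for resource in at.aud for scope in at.scope}


if __name__ == "__main__":
    # Constructed sample: one client registered for two resource servers.
    srv = AuthorizationServer(
        registered={"mcp-client": frozenset({"https://api.example/", "https://files.example/"})}
    )
    code = srv.authorize("mcp-client", ["read", "write"], ["https://api.example/"])
    tok = srv.token(code)
    print(srv.introspect(tok))
    print(srv.authorize_access(tok, "https://files.example/", "read"))  # wrong audience
```

Two design points worth noting: omitting resource on the authorization request makes the token valid at every resource the client is registered for, which is the backward-compatible path, and the token request is only ever allowed to narrow that set, so a code bound to one service can never be exchanged for a token accepted at another.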

@m1234567898 m1234567898 marked this pull request as ready for review May 4, 2026 17:49
Comment thread lib/boruta/oauth/authorization.ex
Comment thread lib/boruta/oauth/authorization.ex Outdated
@patatoid
Collaborator

patatoid commented May 5, 2026

Hi @m1234567898

I hope I did not take too long to reply.

I would like to thank you for the contribution, which looks great at first sight; resources are a component for better security. Along with the usage of a scope parameter, it gives means to restrict the audience of an authorization while authorizing the semantics of the scope of use of the access tokens. Looks great!

I left comments, still hoping it helps.

@patatoid
Collaborator

patatoid commented May 5, 2026

Note the issues with the continuous integration; I am still investigating, having opened an issue on the jose repository, potatosalad/erlang-jose#191. To be continued; I'll keep you posted.

Comment thread lib/boruta/oauth/authorization.ex
Collaborator

@patatoid patatoid left a comment


There are still issues with the jose / joken versions in continuous integration, which I'll try to fix later on.

Thank you for the contribution, it definitely looks good.

Hoping your use case works as expected; the standalone version will benefit from this.

@patatoid patatoid merged commit 8487552 into malach-it:master May 8, 2026
0 of 6 checks passed
@patatoid
Collaborator

@m1234567898 Have a look at malach-it/boruta-server#153; it helps to have auditable code chains in agent-to-agent interactions while requesting user/holder authentication when needed. It helps with obtaining scoped access tokens. May it help?

@m1234567898
Contributor Author

@m1234567898 Have a look at malach-it/boruta-server#153; it helps to have auditable code chains in agent-to-agent interactions while requesting user/holder authentication when needed. It helps with obtaining scoped access tokens. May it help?

That looks very helpful! Thank you for helping me get this in so quickly @patatoid


2 participants