n8n 2.15.0 → 2.16.0

package/dist/modules/token-exchange/services/jti-store.service.js

@@ -0,0 +1,30 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JtiStoreService = void 0;
+const di_1 = require("@n8n/di");
+const token_exchange_jti_repository_1 = require("../database/repositories/token-exchange-jti.repository");
+const GRACE_PERIOD_MS = 60_000;
+let JtiStoreService = class JtiStoreService {
+    constructor(jtiRepository) {
+        this.jtiRepository = jtiRepository;
+    }
+    async consume(jti, expiresAt) {
+        const expiresAtWithGrace = new Date(expiresAt.getTime() + GRACE_PERIOD_MS);
+        return await this.jtiRepository.atomicConsume(jti, expiresAtWithGrace);
+    }
+};
+exports.JtiStoreService = JtiStoreService;
+exports.JtiStoreService = JtiStoreService = __decorate([
+    (0, di_1.Service)(),
+    __metadata("design:paramtypes", [token_exchange_jti_repository_1.TokenExchangeJtiRepository])
+], JtiStoreService);
+//# sourceMappingURL=jti-store.service.js.map

package/dist/modules/token-exchange/services/jti-store.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jti-store.service.js","sourceRoot":"","sources":["../../../../src/modules/token-exchange/services/jti-store.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,gCAAkC;AAElC,0GAAoG;AAEpG,MAAM,eAAe,GAAG,MAAM,CAAC;AAmBxB,IAAM,eAAe,GAArB,MAAM,eAAe;IAC3B,YAA6B,aAAyC;QAAzC,kBAAa,GAAb,aAAa,CAA4B;IAAG,CAAC;IAS1E,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,SAAe;QACzC,MAAM,kBAAkB,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,eAAe,CAAC,CAAC;QAC3E,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,aAAa,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;IACxE,CAAC;CACD,CAAA;AAdY,0CAAe;0BAAf,eAAe;IAD3B,IAAA,YAAO,GAAE;qCAEmC,0DAA0B;GAD1D,eAAe,CAc3B"}

package/dist/modules/token-exchange/services/token-exchange.service.d.ts

@@ -0,0 +1,17 @@
+import { Logger } from '@n8n/backend-common';
+import type { User } from '@n8n/db';
+import type { ExternalTokenClaims } from '../token-exchange.schemas';
+import { IdentityResolutionService } from './identity-resolution.service';
+import { JtiStoreService } from './jti-store.service';
+import { TrustedKeyService } from './trusted-key.service';
+export declare class TokenExchangeService {
+    private readonly trustedKeyStore;
+    private readonly jtiStore;
+    private readonly identityResolutionService;
+    private readonly logger;
+    constructor(logger: Logger, trustedKeyStore: TrustedKeyService, jtiStore: JtiStoreService, identityResolutionService: IdentityResolutionService);
+    verifyToken(subjectToken: string, { maxLifetimeSeconds }?: {
+        maxLifetimeSeconds?: number;
+    }): Promise<ExternalTokenClaims>;
+    embedLogin(subjectToken: string): Promise<User>;
+}

package/dist/modules/token-exchange/services/token-exchange.service.js

@@ -0,0 +1,93 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenExchangeService = void 0;
+const backend_common_1 = require("@n8n/backend-common");
+const di_1 = require("@n8n/di");
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const auth_error_1 = require("../../../errors/response-errors/auth.error");
+const bad_request_error_1 = require("../../../errors/response-errors/bad-request.error");
+const token_exchange_schemas_1 = require("../token-exchange.schemas");
+const identity_resolution_service_1 = require("./identity-resolution.service");
+const jti_store_service_1 = require("./jti-store.service");
+const trusted_key_service_1 = require("./trusted-key.service");
+const MAX_TOKEN_LIFETIME_SECONDS = 60;
+let TokenExchangeService = class TokenExchangeService {
+    constructor(logger, trustedKeyStore, jtiStore, identityResolutionService) {
+        this.trustedKeyStore = trustedKeyStore;
+        this.jtiStore = jtiStore;
+        this.identityResolutionService = identityResolutionService;
+        this.logger = logger.scoped('token-exchange');
+    }
+    async verifyToken(subjectToken, { maxLifetimeSeconds } = {}) {
+        const decoded = jsonwebtoken_1.default.decode(subjectToken, { complete: true });
+        if (!decoded || typeof decoded === 'string') {
+            throw new bad_request_error_1.BadRequestError('Invalid token format');
+        }
+        const { kid } = decoded.header;
+        if (!kid) {
+            throw new bad_request_error_1.BadRequestError('Token header missing kid');
+        }
+        const resolvedKey = await this.trustedKeyStore.getByKid(kid);
+        if (!resolvedKey) {
+            throw new auth_error_1.AuthError('Unknown key id');
+        }
+        let payload;
+        try {
+            const result = jsonwebtoken_1.default.verify(subjectToken, resolvedKey.key, {
+                algorithms: resolvedKey.algorithms,
+                issuer: resolvedKey.issuer,
+                audience: resolvedKey.expectedAudience,
+            });
+            if (typeof result === 'string' || !('iat' in result)) {
+                throw new auth_error_1.AuthError('Unexpected token format');
+            }
+            payload = result;
+        }
+        catch (error) {
+            if (error instanceof auth_error_1.AuthError)
+                throw error;
+            const message = error instanceof Error ? error.message : 'unknown error';
+            this.logger.warn('JWT verification failed', { error: message });
+            throw new auth_error_1.AuthError('Token verification failed');
+        }
+        const claims = token_exchange_schemas_1.ExternalTokenClaimsSchema.parse(payload);
+        if (maxLifetimeSeconds !== undefined) {
+            const tokenLifetime = claims.exp - claims.iat;
+            if (tokenLifetime > maxLifetimeSeconds) {
+                throw new auth_error_1.AuthError('Token lifetime exceeds maximum allowed');
+            }
+        }
+        const consumed = await this.jtiStore.consume(claims.jti, new Date(claims.exp * 1000));
+        if (!consumed) {
+            throw new auth_error_1.AuthError('Token has already been used');
+        }
+        return claims;
+    }
+    async embedLogin(subjectToken) {
+        const claims = await this.verifyToken(subjectToken, {
+            maxLifetimeSeconds: MAX_TOKEN_LIFETIME_SECONDS,
+        });
+        return await this.identityResolutionService.resolve(claims);
+    }
+};
+exports.TokenExchangeService = TokenExchangeService;
+exports.TokenExchangeService = TokenExchangeService = __decorate([
+    (0, di_1.Service)(),
+    __metadata("design:paramtypes", [backend_common_1.Logger,
+        trusted_key_service_1.TrustedKeyService,
+        jti_store_service_1.JtiStoreService,
+        identity_resolution_service_1.IdentityResolutionService])
+], TokenExchangeService);
+//# sourceMappingURL=token-exchange.service.js.map

package/dist/modules/token-exchange/services/token-exchange.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-exchange.service.js","sourceRoot":"","sources":["../../../../src/modules/token-exchange/services/token-exchange.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,wDAA6C;AAE7C,gCAAkC;AAClC,gEAA+B;AAE/B,oEAAgE;AAChE,kFAA6E;AAG7E,sEAAsE;AACtE,+EAA0E;AAC1E,2DAAsD;AACtD,+DAA0D;AAE1D,MAAM,0BAA0B,GAAG,EAAE,CAAC;AAG/B,IAAM,oBAAoB,GAA1B,MAAM,oBAAoB;IAGhC,YACC,MAAc,EACG,eAAkC,EAClC,QAAyB,EACzB,yBAAoD;QAFpD,oBAAe,GAAf,eAAe,CAAmB;QAClC,aAAQ,GAAR,QAAQ,CAAiB;QACzB,8BAAyB,GAAzB,yBAAyB,CAA2B;QAErE,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC;IAaD,KAAK,CAAC,WAAW,CAChB,YAAoB,EACpB,EAAE,kBAAkB,KAAsC,EAAE;QAE5D,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,YAAY,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7D,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAC7C,MAAM,IAAI,mCAAe,CAAC,sBAAsB,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;QAC/B,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,mCAAe,CAAC,0BAA0B,CAAC,CAAC;QACvD,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC7D,IAAI,CAAC,WAAW,EAAE,CAAC;YAClB,MAAM,IAAI,sBAAS,CAAC,gBAAgB,CAAC,CAAC;QACvC,CAAC;QAED,IAAI,OAAuB,CAAC;QAC5B,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,sBAAG,CAAC,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG,EAAE;gBACxD,UAAU,EAAE,WAAW,CAAC,UAAU;gBAClC,MAAM,EAAE,WAAW,CAAC,MAAM;gBAC1B,QAAQ,EAAE,WAAW,CAAC,gBAAgB;aACtC,CAAC,CAAC;YACH,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,EAAE,CAAC;gBACtD,MAAM,IAAI,sBAAS,CAAC,yBAAyB,CAAC,CAAC;YAChD,CAAC;YACD,OAAO,GAAG,MAAM,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,KAAK,YAAY,sBAAS;gBAAE,MAAM,KAAK,CAAC;YAC5C,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YACzE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;YAChE,MAAM,IAAI,sBAAS,CAAC,2BAA2B,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,MAAM,GAAG,kDAAyB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAExD,IAAI,kBAAkB,KAAK,SAAS,EAAE,CAAC;YACtC,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;YAC9C,IAAI,aAAa,GAAG,kBAAkB,EAAE,CAAC;gBACxC,MAAM,IAAI,sBAAS,CAAC,wCAAwC,CAAC,CAAC;YAC/D,CAAC;QACF,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC;QACtF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,MAAM,IAAI,sBAAS,CAAC,6BAA6B,CAAC,CAAC;QACpD,CAAC;QAED,OAAO,MAAM,CAAC;IACf,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,YAAoB;QACpC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE;YACnD,kBAAkB,EAAE,0BAA0B;SAC9C,CAAC,CAAC;QACH,OAAO,MAAM,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7D,CAAC;CACD,CAAA;AAnFY,oDAAoB;+BAApB,oBAAoB;IADhC,IAAA,YAAO,GAAE;qCAKA,uBAAM;QACoB,uCAAiB;QACxB,mCAAe;QACE,uDAAyB;GAP1D,oBAAoB,CAmFhC"}

package/dist/modules/token-exchange/services/trusted-key.service.d.ts

@@ -0,0 +1,13 @@
+import { Logger } from '@n8n/backend-common';
+import { TokenExchangeConfig } from '../token-exchange.config';
+import type { ResolvedTrustedKey } from '../token-exchange.schemas';
+export declare class TrustedKeyService {
+    private readonly tokenExchangeConfig;
+    private readonly logger;
+    private readonly keys;
+    constructor(logger: Logger, tokenExchangeConfig: TokenExchangeConfig);
+    initialize(): Promise<void>;
+    getByKid(kid: string): Promise<ResolvedTrustedKey | undefined>;
+    get size(): number;
+    private validateAndStoreStaticKey;
+}

package/dist/modules/token-exchange/services/trusted-key.service.js

@@ -0,0 +1,123 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TrustedKeyService = void 0;
+const node_crypto_1 = require("node:crypto");
+const backend_common_1 = require("@n8n/backend-common");
+const di_1 = require("@n8n/di");
+const n8n_workflow_1 = require("n8n-workflow");
+const zod_1 = require("zod");
+const token_exchange_config_1 = require("../token-exchange.config");
+const token_exchange_schemas_1 = require("../token-exchange.schemas");
+const ALGORITHM_FAMILY = {
+    RS256: 'RSA',
+    RS384: 'RSA',
+    RS512: 'RSA',
+    PS256: 'RSA',
+    PS384: 'RSA',
+    PS512: 'RSA',
+    ES256: 'EC',
+    ES384: 'EC',
+    ES512: 'EC',
+    EdDSA: 'EdDSA',
+};
+let TrustedKeyService = class TrustedKeyService {
+    constructor(logger, tokenExchangeConfig) {
+        this.tokenExchangeConfig = tokenExchangeConfig;
+        this.keys = new Map();
+        this.logger = logger.scoped('token-exchange');
+    }
+    async initialize() {
+        const raw = this.tokenExchangeConfig.trustedKeys;
+        if (!raw) {
+            this.logger.info('No trusted keys configured');
+            return;
+        }
+        let parsed;
+        try {
+            parsed = JSON.parse(raw);
+        }
+        catch (error) {
+            this.logger.error('Failed to parse trusted keys JSON', { error });
+            throw new n8n_workflow_1.UnexpectedError('Failed to parse trusted keys JSON');
+        }
+        const sourcesResult = zod_1.z.array(token_exchange_schemas_1.TrustedKeySourceSchema).safeParse(parsed);
+        if (!sourcesResult.success) {
+            this.logger.error('Trusted keys JSON has invalid format', { error: sourcesResult.error });
+            throw new n8n_workflow_1.UnexpectedError('Trusted keys JSON has invalid format');
+        }
+        const sources = sourcesResult.data;
+        for (const source of sources) {
+            if (source.type === 'jwks') {
+                this.logger.warn('JWKS key sources are not yet supported, skipping kid in source');
+                continue;
+            }
+            this.validateAndStoreStaticKey(source);
+        }
+        this.logger.info(`Loaded ${this.keys.size} trusted key(s)`);
+    }
+    async getByKid(kid) {
+        return this.keys.get(kid);
+    }
+    get size() {
+        return this.keys.size;
+    }
+    validateAndStoreStaticKey(source) {
+        const { kid, algorithms, key: pemString, issuer, expectedAudience, allowedRoles } = source;
+        if (this.keys.has(kid)) {
+            throw new n8n_workflow_1.UnexpectedError(`Trusted key "${kid}": duplicate kid`);
+        }
+        const families = new Set();
+        for (const alg of algorithms) {
+            const family = ALGORITHM_FAMILY[alg];
+            if (!family) {
+                throw new n8n_workflow_1.UnexpectedError(`Trusted key "${kid}": unknown algorithm "${alg}"`);
+            }
+            families.add(family);
+        }
+        if (families.size > 1) {
+            throw new n8n_workflow_1.UnexpectedError(`Trusted key "${kid}": algorithms must belong to the same family, got ${[...families].join(', ')}`);
+        }
+        const family = [...families][0];
+        let keyObject;
+        try {
+            keyObject = (0, node_crypto_1.createPublicKey)(pemString);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : 'unknown error';
+            throw new n8n_workflow_1.UnexpectedError(`Trusted key "${kid}": failed to parse public key — ${message}`);
+        }
+        const keyType = keyObject.asymmetricKeyType;
+        const expectedTypes = {
+            RSA: ['rsa'],
+            EC: ['ec'],
+            EdDSA: ['ed25519', 'ed448'],
+        };
+        if (!expectedTypes[family].includes(keyType ?? '')) {
+            throw new n8n_workflow_1.UnexpectedError(`Trusted key "${kid}": key type "${keyType}" does not match algorithm family "${family}"`);
+        }
+        this.keys.set(kid, {
+            kid,
+            algorithms: algorithms,
+            key: keyObject,
+            issuer,
+            expectedAudience,
+            allowedRoles,
+        });
+    }
+};
+exports.TrustedKeyService = TrustedKeyService;
+exports.TrustedKeyService = TrustedKeyService = __decorate([
+    (0, di_1.Service)(),
+    __metadata("design:paramtypes", [backend_common_1.Logger,
+        token_exchange_config_1.TokenExchangeConfig])
+], TrustedKeyService);
+//# sourceMappingURL=trusted-key.service.js.map

package/dist/modules/token-exchange/services/trusted-key.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted-key.service.js","sourceRoot":"","sources":["../../../../src/modules/token-exchange/services/trusted-key.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,6CAA8C;AAE9C,wDAA6C;AAC7C,gCAAkC;AAElC,+CAA+C;AAC/C,6BAAwB;AAExB,oEAA+D;AAE/D,sEAAmE;AAInE,MAAM,gBAAgB,GAAoC;IACzD,KAAK,EAAE,KAAK;IACZ,KAAK,EAAE,KAAK;IACZ,KAAK,EAAE,KAAK;IACZ,KAAK,EAAE,KAAK;IACZ,KAAK,EAAE,KAAK;IACZ,KAAK,EAAE,KAAK;IACZ,KAAK,EAAE,IAAI;IACX,KAAK,EAAE,IAAI;IACX,KAAK,EAAE,IAAI;IACX,KAAK,EAAE,OAAO;CACd,CAAC;AAWK,IAAM,iBAAiB,GAAvB,MAAM,iBAAiB;IAK7B,YACC,MAAc,EACG,mBAAwC;QAAxC,wBAAmB,GAAnB,mBAAmB,CAAqB;QAJzC,SAAI,GAAG,IAAI,GAAG,EAA8B,CAAC;QAM7D,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC;IAOD,KAAK,CAAC,UAAU;QACf,MAAM,GAAG,GAAG,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC;QAEjD,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;YAC/C,OAAO;QACR,CAAC;QAED,IAAI,MAAe,CAAC;QACpB,IAAI,CAAC;YACJ,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAClE,MAAM,IAAI,8BAAe,CAAC,mCAAmC,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,aAAa,GAAG,OAAC,CAAC,KAAK,CAAC,+CAAsB,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAExE,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE,EAAE,KAAK,EAAE,aAAa,CAAC,KAAK,EAAE,CAAC,CAAC;YAC1F,MAAM,IAAI,8BAAe,CAAC,sCAAsC,CAAC,CAAC;QACnE,CAAC;QAED,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC;QAEnC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC9B,IAAI,MAAM,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;gBAC5B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;gBACnF,SAAS;YACV,CAAC;YACD,IAAI,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;QACxC,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,IAAI,iBAAiB,CAAC,CAAC;IAC7D,CAAC;IAMD,KAAK,CAAC,QAAQ,CAAC,GAAW;QACzB,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAGD,IAAI,IAAI;QACP,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;IACvB,CAAC;IAEO,yBAAyB,CAAC,MAAuB;QACxD,MAAM,EAAE,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;QAG3F,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,8BAAe,CAAC,gBAAgB,GAAG,kBAAkB,CAAC,CAAC;QAClE,CAAC;QAGD,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAmB,CAAC;QAC5C,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;YACrC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACb,MAAM,IAAI,8BAAe,CAAC,gBAAgB,GAAG,yBAAyB,GAAG,GAAG,CAAC,CAAC;YAC/E,CAAC;YACD,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtB,CAAC;QAGD,IAAI,QAAQ,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,8BAAe,CACxB,gBAAgB,GAAG,qDAAqD,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAClG,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAGhC,IAAI,SAA6C,CAAC;QAClD,IAAI,CAAC;YACJ,SAAS,GAAG,IAAA,6BAAe,EAAC,SAAS,CAAC,CAAC;QACxC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YACzE,MAAM,IAAI,8BAAe,CAAC,gBAAgB,GAAG,mCAAmC,OAAO,EAAE,CAAC,CAAC;QAC5F,CAAC;QAGD,MAAM,OAAO,GAAG,SAAS,CAAC,iBAAiB,CAAC;QAC5C,MAAM,aAAa,GAAsC;YACxD,GAAG,EAAE,CAAC,KAAK,CAAC;YACZ,EAAE,EAAE,CAAC,IAAI,CAAC;YACV,KAAK,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC;SAC3B,CAAC;QAEF,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,8BAAe,CACxB,gBAAgB,GAAG,gBAAgB,OAAO,sCAAsC,MAAM,GAAG,CACzF,CAAC;QACH,CAAC;QAGD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE;YAClB,GAAG;YACH,UAAU,EAAE,UAAyB;YACrC,GAAG,EAAE,SAAS;YACd,MAAM;YACN,gBAAgB;YAChB,YAAY;SACZ,CAAC,CAAC;IACJ,CAAC;CACD,CAAA;AA9HY,8CAAiB;4BAAjB,iBAAiB;IAD7B,IAAA,YAAO,GAAE;qCAOA,uBAAM;QACwB,2CAAmB;GAP9C,iBAAiB,CA8H7B"}

package/dist/modules/token-exchange/token-exchange.config.d.ts

@@ -0,0 +1,7 @@
+export declare class TokenExchangeConfig {
+    enabled: boolean;
+    maxTokenTtl: number;
+    trustedKeys: string;
+    jtiCleanupIntervalSeconds: number;
+    jtiCleanupBatchSize: number;
+}

package/dist/modules/token-exchange/token-exchange.config.js

@@ -0,0 +1,47 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenExchangeConfig = void 0;
+const config_1 = require("@n8n/config");
+let TokenExchangeConfig = class TokenExchangeConfig {
+    constructor() {
+        this.enabled = false;
+        this.maxTokenTtl = 900;
+        this.trustedKeys = '';
+        this.jtiCleanupIntervalSeconds = 60;
+        this.jtiCleanupBatchSize = 1000;
+    }
+};
+exports.TokenExchangeConfig = TokenExchangeConfig;
+__decorate([
+    (0, config_1.Env)('N8N_TOKEN_EXCHANGE_ENABLED'),
+    __metadata("design:type", Boolean)
+], TokenExchangeConfig.prototype, "enabled", void 0);
+__decorate([
+    (0, config_1.Env)('N8N_TOKEN_EXCHANGE_MAX_TOKEN_TTL'),
+    __metadata("design:type", Number)
+], TokenExchangeConfig.prototype, "maxTokenTtl", void 0);
+__decorate([
+    (0, config_1.Env)('N8N_TOKEN_EXCHANGE_TRUSTED_KEYS'),
+    __metadata("design:type", String)
+], TokenExchangeConfig.prototype, "trustedKeys", void 0);
+__decorate([
+    (0, config_1.Env)('N8N_TOKEN_EXCHANGE_JTI_CLEANUP_INTERVAL_SECONDS'),
+    __metadata("design:type", Number)
+], TokenExchangeConfig.prototype, "jtiCleanupIntervalSeconds", void 0);
+__decorate([
+    (0, config_1.Env)('N8N_TOKEN_EXCHANGE_JTI_CLEANUP_BATCH_SIZE'),
+    __metadata("design:type", Number)
+], TokenExchangeConfig.prototype, "jtiCleanupBatchSize", void 0);
+exports.TokenExchangeConfig = TokenExchangeConfig = __decorate([
+    config_1.Config
+], TokenExchangeConfig);
+//# sourceMappingURL=token-exchange.config.js.map

package/dist/modules/token-exchange/token-exchange.config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-exchange.config.js","sourceRoot":"","sources":["../../../src/modules/token-exchange/token-exchange.config.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,wCAA0C;AAGnC,IAAM,mBAAmB,GAAzB,MAAM,mBAAmB;IAAzB;QAGN,YAAO,GAAY,KAAK,CAAC;QAIzB,gBAAW,GAAW,GAAG,CAAC;QAU1B,gBAAW,GAAW,EAAE,CAAC;QAIzB,8BAAyB,GAAW,EAAE,CAAC;QAIvC,wBAAmB,GAAW,IAAI,CAAC;IACpC,CAAC;CAAA,CAAA;AA1BY,kDAAmB;AAG/B;IADC,IAAA,YAAG,EAAC,4BAA4B,CAAC;;oDACT;AAIzB;IADC,IAAA,YAAG,EAAC,kCAAkC,CAAC;;wDACd;AAU1B;IADC,IAAA,YAAG,EAAC,iCAAiC,CAAC;;wDACd;AAIzB;IADC,IAAA,YAAG,EAAC,iDAAiD,CAAC;;sEAChB;AAIvC;IADC,IAAA,YAAG,EAAC,2CAA2C,CAAC;;gEACd;8BAzBvB,mBAAmB;IAD/B,eAAM;GACM,mBAAmB,CA0B/B"}

package/dist/modules/token-exchange/token-exchange.controller.d.ts

@@ -0,0 +1,9 @@
+import type { Response } from 'express';
+import { AuthlessRequest } from '../../requests';
+export declare class TokenExchangeController {
+    private readonly config;
+    private readonly errorReporter;
+    private readonly eventService;
+    private readonly tokenExchangeService;
+    exchangeToken(req: AuthlessRequest, res: Response): Promise<void>;
+}

package/dist/modules/token-exchange/token-exchange.controller.js

@@ -0,0 +1,103 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenExchangeController = void 0;
+const constants_1 = require("@n8n/constants");
+const decorators_1 = require("@n8n/decorators");
+const di_1 = require("@n8n/di");
+const n8n_core_1 = require("n8n-core");
+const event_service_1 = require("../../events/event.service");
+const zod_1 = require("zod");
+const token_exchange_config_1 = require("./token-exchange.config");
+const token_exchange_schemas_1 = require("./token-exchange.schemas");
+const token_exchange_service_1 = require("./token-exchange.service");
+let TokenExchangeController = class TokenExchangeController {
+    constructor() {
+        this.config = di_1.Container.get(token_exchange_config_1.TokenExchangeConfig);
+        this.errorReporter = di_1.Container.get(n8n_core_1.ErrorReporter);
+        this.eventService = di_1.Container.get(event_service_1.EventService);
+        this.tokenExchangeService = di_1.Container.get(token_exchange_service_1.TokenExchangeService);
+    }
+    async exchangeToken(req, res) {
+        if (!this.config.enabled) {
+            res.status(501).json({
+                error: 'server_error',
+                error_description: 'Token exchange is not enabled on this instance',
+            });
+            return;
+        }
+        const clientIp = req.ip ?? 'unknown';
+        const { data: grantTypeData } = zod_1.z
+            .object({ grant_type: zod_1.z.string().optional() })
+            .safeParse(req.body);
+        if (grantTypeData?.grant_type !== token_exchange_schemas_1.TOKEN_EXCHANGE_GRANT_TYPE) {
+            res.status(400).json({
+                error: 'unsupported_grant_type',
+                error_description: `grant_type must be "${token_exchange_schemas_1.TOKEN_EXCHANGE_GRANT_TYPE}"`,
+            });
+            return;
+        }
+        const parsed = token_exchange_schemas_1.TokenExchangeRequestSchema.safeParse(req.body);
+        if (!parsed.success) {
+            const firstIssue = parsed.error.issues[0];
+            res.status(400).json({
+                error: 'invalid_request',
+                error_description: firstIssue?.message ?? 'Invalid request parameters',
+            });
+            return;
+        }
+        try {
+            const result = await this.tokenExchangeService.exchange(parsed.data);
+            this.eventService.emit('token-exchange-succeeded', {
+                subject: result.subject,
+                actor: result.actor,
+                scopes: parsed.data.scope,
+                resource: parsed.data.resource,
+                grantType: parsed.data.grant_type,
+                clientIp,
+                issuer: result.issuer,
+            });
+            res.json({
+                access_token: result.accessToken,
+                token_type: 'Bearer',
+                expires_in: result.expiresIn,
+                issued_token_type: 'urn:ietf:params:oauth:token-type:access_token',
+            });
+        }
+        catch (error) {
+            this.errorReporter.error(error instanceof Error ? error : new Error(String(error)));
+            this.eventService.emit('token-exchange-failed', {
+                subject: '',
+                failureReason: 'internal_error',
+                grantType: parsed.data.grant_type,
+                clientIp,
+            });
+            res.status(500).json({
+                error: 'server_error',
+                error_description: 'An unexpected error occurred during token exchange',
+            });
+        }
+    }
+};
+exports.TokenExchangeController = TokenExchangeController;
+__decorate([
+    (0, decorators_1.Post)('/token', {
+        skipAuth: true,
+        ipRateLimit: { limit: 20, windowMs: 1 * constants_1.Time.minutes.toMilliseconds },
+    }),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, Object]),
+    __metadata("design:returntype", Promise)
+], TokenExchangeController.prototype, "exchangeToken", null);
+exports.TokenExchangeController = TokenExchangeController = __decorate([
+    (0, decorators_1.RestController)('/auth/oauth')
+], TokenExchangeController);
+//# sourceMappingURL=token-exchange.controller.js.map

package/dist/modules/token-exchange/token-exchange.controller.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-exchange.controller.js","sourceRoot":"","sources":["../../../src/modules/token-exchange/token-exchange.controller.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,8CAAsC;AACtC,gDAAuD;AACvD,gCAAoC;AAEpC,uCAAyC;AAEzC,0DAAsD;AAGtD,6BAAwB;AAExB,mEAA8D;AAC9D,qEAAiG;AACjG,qEAAgE;AAGzD,IAAM,uBAAuB,GAA7B,MAAM,uBAAuB;IAA7B;QACW,WAAM,GAAG,cAAS,CAAC,GAAG,CAAC,2CAAmB,CAAC,CAAC;QAE5C,kBAAa,GAAG,cAAS,CAAC,GAAG,CAAC,wBAAa,CAAC,CAAC;QAE7C,iBAAY,GAAG,cAAS,CAAC,GAAG,CAAC,4BAAY,CAAC,CAAC;QAE3C,yBAAoB,GAAG,cAAS,CAAC,GAAG,CAAC,6CAAoB,CAAC,CAAC;IAkF7E,CAAC;IAvEM,AAAN,KAAK,CAAC,aAAa,CAAC,GAAoB,EAAE,GAAa;QACtD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YAC1B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAAE,gDAAgD;aACnE,CAAC,CAAC;YACH,OAAO;QACR,CAAC;QAED,MAAM,QAAQ,GAAG,GAAG,CAAC,EAAE,IAAI,SAAS,CAAC;QAIrC,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,OAAC;aAC/B,MAAM,CAAC,EAAE,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC;aAC7C,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,aAAa,EAAE,UAAU,KAAK,kDAAyB,EAAE,CAAC;YAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,wBAAwB;gBAC/B,iBAAiB,EAAE,uBAAuB,kDAAyB,GAAG;aACtE,CAAC,CAAC;YACH,OAAO;QACR,CAAC;QAGD,MAAM,MAAM,GAAG,mDAA0B,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC9D,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACrB,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC1C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,iBAAiB;gBACxB,iBAAiB,EAAE,UAAU,EAAE,OAAO,IAAI,4BAA4B;aACtE,CAAC,CAAC;YACH,OAAO;QACR,CAAC;QAGD,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAErE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,0BAA0B,EAAE;gBAClD,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK;gBACzB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ;gBAC9B,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU;gBACjC,QAAQ;gBACR,MAAM,EAAE,MAAM,CAAC,MAAM;aACrB,CAAC,CAAC;YAEH,GAAG,CAAC,IAAI,CAAC;gBACR,YAAY,EAAE,MAAM,CAAC,WAAW;gBAChC,UAAU,EAAE,QAAQ;gBACpB,UAAU,EAAE,MAAM,CAAC,SAAS;gBAC5B,iBAAiB,EAAE,+CAA+C;aAClE,CAAC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAEpF,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,uBAAuB,EAAE;gBAC/C,OAAO,EAAE,EAAE;gBACX,aAAa,EAAE,gBAAgB;gBAC/B,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU;gBACjC,QAAQ;aACR,CAAC,CAAC;YAEH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACpB,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAAE,oDAAoD;aACvE,CAAC,CAAC;QACJ,CAAC;IACF,CAAC;CACD,CAAA;AAzFY,0DAAuB;AAkB7B;IAJL,IAAA,iBAAI,EAAC,QAAQ,EAAE;QACf,QAAQ,EAAE,IAAI;QACd,WAAW,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc,EAAE;KACrE,CAAC;;;;4DAuED;kCAxFW,uBAAuB;IADnC,IAAA,2BAAc,EAAC,aAAa,CAAC;GACjB,uBAAuB,CAyFnC"}

package/dist/modules/token-exchange/token-exchange.module.d.ts

@@ -0,0 +1,5 @@
+import type { ModuleInterface } from '@n8n/decorators';
+export declare class TokenExchangeModule implements ModuleInterface {
+    entities(): Promise<never>;
+    init(): Promise<void>;
+}

package/dist/modules/token-exchange/token-exchange.module.js

@@ -0,0 +1,74 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenExchangeModule = void 0;
+const constants_1 = require("@n8n/constants");
+const decorators_1 = require("@n8n/decorators");
+const di_1 = require("@n8n/di");
+function isFeatureFlagEnabled() {
+    return process.env.N8N_ENV_FEAT_TOKEN_EXCHANGE === 'true';
+}
+let TokenExchangeModule = class TokenExchangeModule {
+    async entities() {
+        const { TokenExchangeJti } = await Promise.resolve().then(() => __importStar(require('./database/entities/token-exchange-jti.entity')));
+        return [TokenExchangeJti];
+    }
+    async init() {
+        if (!isFeatureFlagEnabled()) {
+            return;
+        }
+        const { TrustedKeyService } = await Promise.resolve().then(() => __importStar(require('./services/trusted-key.service')));
+        await di_1.Container.get(TrustedKeyService).initialize();
+        await Promise.resolve().then(() => __importStar(require('./token-exchange.controller')));
+        await Promise.resolve().then(() => __importStar(require('./controllers/embed-auth.controller')));
+        const { JtiCleanupService } = await Promise.resolve().then(() => __importStar(require('./services/jti-cleanup.service')));
+        di_1.Container.get(JtiCleanupService).init();
+    }
+};
+exports.TokenExchangeModule = TokenExchangeModule;
+exports.TokenExchangeModule = TokenExchangeModule = __decorate([
+    (0, decorators_1.BackendModule)({
+        name: 'token-exchange',
+        licenseFlag: constants_1.LICENSE_FEATURES.TOKEN_EXCHANGE,
+        instanceTypes: ['main'],
+    })
+], TokenExchangeModule);
+//# sourceMappingURL=token-exchange.module.js.map

package/dist/modules/token-exchange/token-exchange.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-exchange.module.js","sourceRoot":"","sources":["../../../src/modules/token-exchange/token-exchange.module.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAkD;AAElD,gDAAgD;AAChD,gCAAoC;AAEpC,SAAS,oBAAoB;IAC5B,OAAO,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,MAAM,CAAC;AAC3D,CAAC;AAOM,IAAM,mBAAmB,GAAzB,MAAM,mBAAmB;IAC/B,KAAK,CAAC,QAAQ;QACb,MAAM,EAAE,gBAAgB,EAAE,GAAG,wDAAa,+CAA+C,GAAC,CAAC;QAC3F,OAAO,CAAC,gBAAgB,CAAU,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,IAAI;QACT,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC;YAC7B,OAAO;QACR,CAAC;QAED,MAAM,EAAE,iBAAiB,EAAE,GAAG,wDAAa,gCAAgC,GAAC,CAAC;QAC7E,MAAM,cAAS,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,UAAU,EAAE,CAAC;QAEpD,wDAAa,6BAA6B,GAAC,CAAC;QAC5C,wDAAa,qCAAqC,GAAC,CAAC;QAEpD,MAAM,EAAE,iBAAiB,EAAE,GAAG,wDAAa,gCAAgC,GAAC,CAAC;QAC7E,cAAS,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,IAAI,EAAE,CAAC;IACzC,CAAC;CACD,CAAA;AApBY,kDAAmB;8BAAnB,mBAAmB;IAL/B,IAAA,0BAAa,EAAC;QACd,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,4BAAgB,CAAC,cAAc;QAC5C,aAAa,EAAE,CAAC,MAAM,CAAC;KACvB,CAAC;GACW,mBAAmB,CAoB/B"}