
Commit 5e32379

Add subject_token option for inline certificate chain
Add the option to provide the X.509 Certificate chain value inline in the subject_token for X.509 profile
1 parent 8537fa4 commit 5e32379

File tree

1 file changed

+3
-2
lines changed


draft-mccracken-wimse-x509-to-access-token-exchange-profile.md

Lines changed: 3 additions & 2 deletions
@@ -126,8 +126,9 @@ Compatible OAuth 2.0 Authorization Servers supporting this token exchange profil
126126
* audience: REQUIRED for this Profile. A URI or other unique identifier for the relying party, assigned by the OAuth 2.0 Authorization Server.
127127
* scope: OPTIONAL. A list of space-delimited, case-sensitive strings, as defined in [Section 3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3) of [[RFC6749](https://datatracker.ietf.org/doc/html/rfc6749)], that allow the client to specify the desired scope of the requested security token in the context of the service or resource where the token will be used.
128128
* requested_token_type: MUST be `urn:ietf:params:oauth:token-type:access_token` for this token exchange profile.
129-
* subject_token: REQUIRED. The fixed string `mtls_client_certificate` instructs the Authorization Server to obtain the subject token from the client's mTLS Certificate message, as defined in [Section 2](https://datatracker.ietf.org/doc/html/rfc8446#section-2) of [[RFC8446](https://datatracker.ietf.org/doc/html/rfc8446)]. The X.509 Certificate chain MUST chain to a previously-configured Trust Anchor certificate for the relying party, either directly or through one of the previously-configured Intermediate CA path-building certificates.
130-
* subject_token_type: MUST be `urn:ietf:params:oauth:token-type:mtls` for this token exchange profile.
129+
* subject_token: REQUIRED. Either the fixed string `mtls_client_certificate` or an X.509 Certificate Chain value. Whether conveyed by-reference to mTLS using `mtls_client_certificate` or as an X.509 Certificate Chain value, the Authorization Server MUST validate that the X.509 Certificate chain can be validated by a path to a previously-configured Trust Anchor certificate for the relying party, either directly or through one of the previously-configured Intermediate CA path-building certificates.
130+
* The value `mtls_client_certificate` instructs the Authorization Server to obtain the subject token from the client's mTLS Certificate message, as defined in [Section 2](https://datatracker.ietf.org/doc/html/rfc8446#section-2) of [[RFC8446](https://datatracker.ietf.org/doc/html/rfc8446)].
131+
* Any value other than `mtls_client_certificate` MUST be parsed as an X.509 Certificate Chain for this token exchange profile. The X.509 Certificate chain MUST be formatted as described in the "x5c" (X.509 Certificate Chain) Header Parameter in [Section 4.1.6](https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.6) of [[RFC7515](https://www.rfc-editor.org/rfc/rfc7515.html)]. The leaf X.509 Certificate used in the `subject_token` MUST match the leaf X.509 Certificate used during mTLS.* subject_token_type: MUST be `urn:ietf:params:oauth:token-type:mtls` for this token exchange profile.
131132

132133
The request MUST ONLY be accepted if the X.509 Certificate used during mTLS chain to a previously-configured Trust Anchor via a certificate path that may include previously-configured intermediate CA certificates. The previously-configured subject claim selector MUST select a non-blank string from the certificate. The previously-configured conditions MUST accept the X.509 Certificate.
133134
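Review bot: the last added line is missing a line break before `* subject_token_type`, so in the rendered markdown the new `subject_token_type` bullet is fused onto the end of the inline-chain bullet ("...used during mTLS.* subject_token_type: MUST be ..."); split it onto its own bullet. Two further points in the same hunk: the path-validation sentence in the rewritten `subject_token` bullet is circular ("the Authorization Server MUST validate that the X.509 Certificate chain can be validated by a path to ...") and reads better as "MUST validate the X.509 Certificate chain to a previously-configured Trust Anchor ...", and the inline case needs a precise encoding statement, since `subject_token` is a form parameter while "x5c" in RFC 7515 Section 4.1.6 is a JSON array of base64-encoded DER certificates; say whether the value is the JSON array serialization or something else, and what the Authorization Server returns when the value cannot be parsed as a chain. The new requirement that "The leaf X.509 Certificate used in the `subject_token` MUST match the leaf X.509 Certificate used during mTLS" is the check that keeps an inline chain from asserting an identity other than the authenticated mTLS client; it should define "match" (for example, byte-for-byte equality of the DER encoding) so implementations do not compare only subject names. Finally, the unchanged context line 132 ("The request MUST ONLY be accepted if the X.509 Certificate used during mTLS chain to a previously-configured Trust Anchor ...") still describes only the mTLS-sourced chain and should be aligned with the new by-value option (and "chain to" should be "chains to").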
