feat: obo-exchange

[Eiermitsucuk]

Description

Adds an On-Behalf-Of (OBO) token exchange command to imscli. The obo command (alias ob) exchanges a user access token for a new token using IMS token v4 and the RFC 8693 token-exchange grant type.

• Usage: imscli obo -c <clientID> -p <clientSecret> -t <userAccessToken> -s <scopes>
• Required: IMS base URL (env/config), client ID, client secret, and a user access token as the subject token. Service and impersonation tokens are rejected by validation.
• Scopes: Pass -s with the scope(s) to request. If -s is omitted, no scope is sent and IMS will error so the user must specify scopes explicitly (no default scope).
• Optional: --grantType to override the grant type if IMS returns unsupported_grant_type.
• Security: OBO tokens are for backend use only and must not be sent to frontend clients.

How Has This Been Tested?

Manual: the obo command was run with valid credentials and scopes to confirm a token is returned, without -s to confirm IMS returns an error, and with a service token to confirm validation rejects it.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

[telegrapher]

Contributor @Eiermitsucuk is an Adobe employee. No need for CLA.