Make token endpoint configurable and align with OIDC

IETF-RFC.md

@@ -645,7 +645,7 @@ contain the following information about its OCM API:
   to the more secure (and possibly required) invite flow.
   _ `"receive-code"` - to indicate that this OCM Server can receive a
   `code` as part of a Share Creation Notification, and exchange it
-  for a bearer token at the Sending Server's `/token` API endpoint.
+  for a bearer token at the Sending Server's tokenEndPoint.
   _ `"invite-wayf"` - to indicate that this OCM Server exposes a WAYF
   Page to facilitate the Invite flow.
 * OPTIONAL: criteria (array of string) - The criteria for accepting a
@@ -687,6 +687,12 @@ contain the following information about its OCM API:
   `"/index.php/apps/sciencemesh/accept"` is specified here then a WAYF
   Page SHOULD redirect the end-user to
 `/index.php/apps/sciencemesh/accept?token=zi5kooKu3ivohr9a&providerDomain=example.com`.
+* OPTIONAL: tokenEndPoint (string) - URL of the token endpoint where
+  the Sending Server can exchange a `code` for a bearer token,
+  according to the Open ID Connect semantic [RFC6749] [OIDC].
+  Implementations that offer the `"receive-code"` capability MUST
+  provide this URL as well.
+  Example: `"https://my-cloud-storage.org/ocm/token"`.
 
 # Share Creation Notification
 
@@ -759,7 +765,7 @@ To create a Share, the Sending Server SHOULD make a HTTP POST request
   that the share does not expire.
 * OPTIONAL code (string)
   A nonce to be exchanged for a (potentially short-lived)
-  bearer token at the Sending Server's /token endpoint.
+  bearer token at the Sending Server's tokenEndPoint [RFC6749] [OIDC].
 * REQUIRED protocol (object)
   JSON object with specific options for each protocol.
   The supported protocols are: - `webdav`, to access the data -
@@ -961,9 +967,9 @@ is as follows:
     `resourceTypes[0].protocols.webdav` value is the
     `<sender-ocm-path>` to be used in step 3.
 2.  If `code` is not empty, the receiver SHOULD make a signed POST
-    request to the `/token` path inside the Sending Server's OCM API, to
+    request to the path in the Sending Servers tokenEndPoint, to
     exchange the code for a short-lived bearer token, and then use that
-    bearer token to access the Resource.
+    bearer token to access the Resource. [RFC6749] [OIDC]
 3.  If `protocol.name` = `webdav`, the receiver SHOULD inspect the
     `protocol.options` property.  If it contains a `sharedSecret`, as in
     the [legacy example](
@@ -1089,14 +1095,16 @@ Signatures](https://tools.ietf.org/html/rfc9421)", February 2024.
 "[Uniform Resource Identifier (URI): Generic Syntax
 ](https://datatracker.ietf.org/doc/html/rfc3986)", January 2005
 
+[RFC6749] Hardt, D. (ed), "[The OAuth 2.0 Authorization Framework](
+https://datatracker.ietf.org/html/rfc6749)", October 2012.
+
 [RFC8615] Nottingham, M. "[Well-Known Uniform Resource Identifiers 
 (URIs)](https://datatracker.ietf.org/doc/html/rfc8615)", May 2019
 
+[OIDC] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B.,
+Mortimoe, C. "[OpenID Connect Core 1.0 incorporating errata set 2](
+https://openid.net/specs/openid-connect-core-1_0.html)", December 2023
 
-## Informative References
-
-[RFC6749] Hardt, D. (ed), "[The OAuth 2.0 Authorization Framework](
-https://datatracker.ietf.org/html/rfc6749)", October 2012.
 
 # Appendix A: Multi-factor Authentication
 

spec.yaml

@@ -231,7 +231,7 @@ paths:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
-  /token:
+  /{tokenEndPoint}:
     post:
       summary: Token Exchange endpoint
       description: >
@@ -466,6 +466,12 @@ components:
                 -----BEGIN PUBLIC KEY-----
                 MII...QDD
                 -----END PUBLIC KEY-----
+        tokenEndPoint:
+          type: string
+          description: >
+            Optional URL path of the Token Exchange endpoint to obtain bearer tokens in exchange for codes.
+            If the `receive-code` capability is exposed, the tokenEndPoint MUST be advertised in the discovery response.
+          example: /index.php/apps/sciencemesh/token
         inviteAcceptDialog:
           type: string
           description: >
@@ -554,7 +560,7 @@ components:
           type: string
           description: |
             A nonce to be exchanged for a (potentially short-lived) bearer token
-            at the Sending Server's `/token` endpoint.
+            at the Sending Server's {tokenEndPoint}.
         protocol:
           type: object
           description: |
@@ -637,9 +643,9 @@ components:
                         MFA-authenticated. This requirement MAY be used if the
                         recipient provider exposes the `enforce-mfa` capability.
                       - `use-code` requires the recipient to exchange the given
-                        `code` via a signed HTTPS request to `/token` at the Sending
-                        Server, in order to get a short-lived token to be used for
-                        subsequent access. This requirement MAY be used if the
+                        `code` via a signed HTTPS request to {tokenEndPoint} at the
+                        Sending Server, in order to get a short-lived token to be used
+                        for subsequent access. This requirement MAY be used if the
                         recipient provider exposes the `receive-code` capability.
                     enum:
                       - mfa-enforced
@@ -854,8 +860,12 @@ components:
           example: xyz
         grant_type:
           type: string
-          description: Must be set to 'ocm_authorization_code'
-          example: ocm_authorization_code
+          description: Must be set to 'authorization_code'
+          example: authorization_code
+        redirect_uri:
+          type: string
+          description: URI to redirect to after the token is issued
+          example: https://receiver.org/ocm/callback
     TokenResponse:
       type: object
       properties: