Implement OAuth 2.0 Token Exchange (RFC 8693) for service-to-service delegation with subject_token validation

Verified steps

1. At the AS token endpoint, accept grant_type urn:ietf:params:oauth:grant-type:token-exchange with parameters: subject_token, subject_token_type (e.g. urn:ietf:params:oauth:token-type:access_token or id_token), requested_token_type, audience, scope, and optionally actor_token
2. Validate the subject_token: verify its signature against the issuer's JWKS, check expiry, confirm the subject is allowed to delegate to the requesting client for the requested audience and scopes
3. For delegation (acting on behalf of a user), issue the new token with an act claim containing {sub: <client_id>} to record the acting party; for impersonation, issue without the act claim
4. Set the issued_token_type in the response to match the requested_token_type; return the token with appropriate expires_in and scope reflecting what was actually granted (may be narrower than requested)
5. Enforce authorization policy: the exchanging client must be explicitly authorized to perform token exchange for the subject and the target audience — do not allow any authenticated client to exchange any token
6. Log the exchange event with subject, actor, target audience, and issued scopes for audit; token exchange chains are a common lateral movement vector if not properly constrained