Add token exchange support for organization applications and improve the existing docs

Author: ShanChathusanda93

en/identity-server/next/docs/guides/organization-management/generate-tokens-for-organization-apps.md

@@ -1 +1,3 @@
+{% set root_org_url = "https://localhost:9443/t/carbon.super" %}
+
 {% include "../../../../../includes/guides/organization-management/generate-tokens-for-organization-apps.md" %}

en/includes/guides/authentication/configure-token-exchange.md

@@ -130,7 +130,7 @@ After establishing account links, administrators can't delete them. Users can ma
 !!! note
     {{ product_name }} skips implicit account linking when **Require linked local account** is disabled, even if the implicit linking option remains enabled.
 
-{% if product_name == "Asgardeo" %}    
+{% if product_name == "Asgardeo" or (product_name == "WSO2 Identity Server" and is_version > "7.2.0") %}
 
 To enable implicit account linking,
 
@@ -150,20 +150,14 @@ To enable implicit account linking,
 !!! note
     If {{ product_name }} can't find a matching local user account using the primary lookup attribute, it searches for matching accounts using the secondary lookup attribute.
 
-    Following three attributes can be configured as lookup attributes
-
-    - `http://wso2.org/claims/username`
-    - `http://wso2.org/claims/emailaddress`
-    - `http://wso2.org/claims/mobile`
+    By default, the `username` attribute is available as a lookup attribute. Administrators can make an attribute [unique across the user stores]({{base_path}}/guides/users/attributes/configure-unique-attributes), after which it will appear in the lookup attributes list.
 
     {{ product_name }} will look for the <a href="{{base_path}}/guides/users/attributes/manage-oidc-attribute-mappings/#view-openid-connect-attributes">mapped OpenID Connect attribute</a> in the third-party token.
 
 {% else %}
 
-### Implicit account linking
-
-In {{ product_name }}, implicit account linking can be configured via the 
-[Implicit Association API](https://is.docs.wso2.com/en/{{ is_version }}/apis/idp/#tag/Implicit-Association/operation/updateImplicitAssociation).    
+You can configure implicit account linking using the
+[Implicit Association API](https://is.docs.wso2.com/en/{{ is_version }}/apis/idp/#tag/Implicit-Association/operation/updateImplicitAssociation).
 
 {% endif %}
 
@@ -188,5 +182,9 @@ Follow the steps given below.
     !!! note
         {{ product_name }} only copies the `sub` claim from the token received from the trusted token issuer to the exchanged {{ product_name }} token.
 
-Upon successful execution, you will receive the exchanged token issued by {{ product_name }}.
+{% if product_name == "Asgardeo" or (product_name == "WSO2 Identity Server" and is_version > "7.2.0") %}
+    !!! note
+        To learn how token exchange can be invoked in organization applications, see [Generate tokens for organization applications]({{base_path}}/guides/organization-management/generate-tokens-for-organization-apps).
+{% endif %}
 
+Upon successful execution, you will receive the exchanged token.

en/includes/guides/organization-management/generate-tokens-for-organization-apps.md

@@ -136,6 +136,50 @@ Use the following steps to use the client credentials to get an access token.
     }
     ```
 
+{% if product_name == "Asgardeo" or (product_name == "WSO2 Identity Server" and is_version > "7.2.0") %}
+
+## Token exchange grant
+
+Use the following request to exchange a subject token for an access token.
+
+=== "Request format"
+
+    ```bash
+    curl --user <OAUTH_CLIENT_KEY>:<OAUTH_CLIENT_SECRET> -k 
+    -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange"
+    -d "requested_token_type=urn:ietf:params:oauth:token-type:access_token"
+    -d "subject_token_type=urn:ietf:params:oauth:token-type:jwt"
+    -d "subject_token=<jwt_issued_from_a_trusted_token_issuer>"
+    -d "scope=<desired scopes>"
+    -H "Content-Type: application/x-www-form-urlencoded"
+    {{ root_org_url }}/o/<ORG_ID>/oauth2/token
+    ```
+
+=== "Sample request"
+
+    ```bash
+    curl --user fhErtAT2YF_M0Ek3AAYHLI8L25oa:JirxvtfoecnrS8vBjM7ygOtSIXuCS_uK_9WEC7d1zPEa -k 
+    -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange"
+    -d "requested_token_type=urn:ietf:params:oauth:token-type:access_token"
+    -d "subject_token_type=urn:ietf:params:oauth:token-type:jwt"
+    -d "subject_token=<jwt_issued_from_a_trusted_token_issuer>"
+    -d "scope=openid internal_org_user_mgt_list read_stores"
+    -H "Content-Type: application/x-www-form-urlencoded" 
+    {{ root_org_url }}/o/12d1c4d2-2bb1-443b-aa4a-68f98a40d7c6/oauth2/token
+    ```
+
+=== "Sample response"
+
+    ```
+    {
+        "access_token": "bc978da1-6c56-3125-a999-a8d61c889672",
+        "token_type": "Bearer",
+        "expires_in": 3600
+    }
+    ```
+
+{% endif %}
+
 !!! note
     If you need scopes in the response, add the `scope` parameter to the token request with the required scopes.