JWT Authorization Grant feature to preview

Closes #44492

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
Giuseppe Graziano 2025-12-10 11:59:59 +01:00 committed by Marek Posolda
parent 2f1628d1a9
commit c0c4067bdd
4 changed files with 14 additions and 5 deletions

@ -80,7 +80,7 @@ public class Profile {
TOKEN_EXCHANGE_STANDARD_V2("Standard Token Exchange version 2", Type.DEFAULT, 2),
TOKEN_EXCHANGE_EXTERNAL_INTERNAL_V2("External to Internal Token Exchange version 2", Type.EXPERIMENTAL, 2),
JWT_AUTHORIZATION_GRANT("JWT Profile for Oauth 2.0 Authorization Grant", Type.EXPERIMENTAL),
JWT_AUTHORIZATION_GRANT("JWT Profile for Oauth 2.0 Authorization Grant", Type.PREVIEW),
WEB_AUTHN("W3C Web Authentication (WebAuthn)", Type.DEFAULT),
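Review bot: The label string carried over onto the replaced line still reads "JWT Profile for Oauth 2.0 Authorization Grant"; since the line is being rewritten anyway, correct the casing to "OAuth 2.0" to match the RFC 7523 title and the way the neighbouring entries spell standards names. The stage move from Type.EXPERIMENTAL to Type.PREVIEW otherwise looks right, and leaving the entry without an explicit version argument is consistent with WEB_AUTHN on the following line.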

@ -36,6 +36,15 @@ In some situation you might want to avoid it, as the calling client, for example
You can now prevent this by disabling *Include in OpenID Provider Metadata*.
== JWT Authorization Grant new feature
{project_name} 26.5 introduces a new feature called JWT Authorization Grant, which adds support for https://datatracker.ietf.org/doc/html/rfc7523[RFC 7523] to use external signed JWT assertions to request OAuth 2.0 access tokens.
To accept signed JWT assertions, a trust relationship must be established between the external provider and {project_name}. This trust relationship can be configured through an identity provider in a dedicated section of the OpenID Connect v1.0 identity provider, or through the new JWT Authorization Grant identity provider.
JWT Authorization Grant is recommended as an alternative to link:{securing_apps_base_link}/token-exchange#_external-token-to-internal-token-exchange[External to internal token exchange V1].
This feature is in preview, and additional details are available in the link:{securing_apps_base_link}/jwt-authorization-grant[dedicated documentation].
= Administration
////
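Review bot: In the added paragraph, "configured through an identity provider in a dedicated section of the OpenID Connect v1.0 identity provider" is redundant and hard to parse; suggest "configured in a dedicated section of an existing OpenID Connect v1.0 identity provider, or through the new JWT Authorization Grant identity provider". The following sentence recommends the feature as an alternative to External to internal token exchange V1 while the sentence after it says the feature is in preview; because that trust relationship decides which external assertions are accepted for access tokens, the note should state that preview features are disabled by default and must be enabled explicitly before the recommendation applies, rather than leaving that to the dedicated documentation.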

@ -47,4 +47,5 @@ https://www.keycloak.org/server/logging#http-access-logging
https://www.keycloak.org/server/logging#mdc
# To be removed once KC 26.5.0 is release
https://www.keycloak.org/observability/telemetry
https://www.keycloak.org/observability/telemetry
https://www.keycloak.org/securing-apps/jwt-authorization-grant
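Review bot: The new jwt-authorization-grant URL is appended directly under the "# To be removed once KC 26.5.0 is release" comment, so it is unclear whether that comment is meant to cover the new entry as well as the telemetry lines above it; if the entry is likewise temporary until the 26.5.0 documentation is published, extend the comment's wording to say so (or move the comment), and fix the typo "is release" to "is released" while touching the block.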

@ -7,8 +7,7 @@ title="JWT Authorization Grant"
priority=130
summary="Guide for the JWT Authorization Grant specification RFC 7521 / 7523.">
// TODO: add tech preview when moved out experimental
//< @ features.techpreview feature="jwt-authorization-grant"/>
<@features.techpreview feature="jwt-authorization-grant"/>
This guide defines how a JWT Bearer Token can be used in {project_name} as an authorization grant. This feature allows clients to send a JWT assertion to request an access token when the client wants to use an existing trust relationship without a direct user-approval step at the authorization server. The assertion is validated solely through the semantics of the JWT (its claims and signature). The trust relationship usually refers to another Identity Provider server (another OIDC server), and allows to obtain a cross-domain or cross-realm access token. In this sense, it is similar to the external to internal request in token exchange V1 (see <@links.securingapps id="token-exchange" anchor="_external-token-to-internal-token-exchange" /> for more information).
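Review bot: Dropping the TODO together with the commented-out macro and enabling `<@features.techpreview feature="jwt-authorization-grant"/>` is the right change, but check that the feature id in the macro corresponds to the JWT_AUTHORIZATION_GRANT entry being promoted in Profile.java so the admonition resolves to the new stage. In the unchanged paragraph below it, "allows to obtain a cross-domain or cross-realm access token" should read "allows obtaining" or "makes it possible to obtain"; and since the text states that the assertion is validated solely through its claims and signature with no user-approval step, it would help readers to say up front that the configured trust relationship (accepted issuer, audience and signing keys) is the only control deciding which assertions are exchanged for tokens.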
@ -212,4 +211,4 @@ The enforcer can be used for any request that uses an assertion parameter. Curre
+
As the previous executor, for the moment this enforcer can be used for JWT Authorization Grant and the Standard Token exchange.
</@tmpl.guide>
</@tmpl.guide>
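Review bot: The closing `</@tmpl.guide>` is removed and re-added with identical visible content, so this is most likely a trailing-newline or whitespace-only change; confirm it is intentional (for example adding a missing final newline) rather than an editor artifact, since whitespace-only churn makes the blame history of the guide harder to read. In the unchanged line above it, "As the previous executor" would read better as "Like the previous executor".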