feat(core): add subject token context to jwt customizer

packages/core/src/oidc/extra-token-claims.ts

@@ -141,6 +141,11 @@ export const getExtraTokenClaimsForJwtCustomization = async (
         (await libraries.jwtCustomizers.getUserContext(token.accountId))
     );
 
+    const subjectToken =
+      isTokenClientCredentials || token.gty !== GrantType.TokenExchange
+        ? undefined
+        : await trySafe(async () => queries.subjectTokens.findSubjectToken(token.grantId));
+
     const payload: CustomJwtFetcher = {
       script,
       environmentVariables,
@@ -151,8 +156,18 @@ export const getExtraTokenClaimsForJwtCustomization = async (
             tokenType: LogtoJwtTokenKeyType.AccessToken,
             // TODO (LOG-8555): the newly added `UserProfile` type includes undefined fields and can not be directly assigned to `Json` type. And the `undefined` fields should be removed by zod guard.
             // `context` parameter is only eligible for user's access token for now.
-            // eslint-disable-next-line no-restricted-syntax
-            context: { user: logtoUserInfo as Record<string, Json> },
+            context: {
+              // eslint-disable-next-line no-restricted-syntax
+              user: logtoUserInfo as Record<string, Json>,
+              ...conditional(
+                subjectToken && {
+                  grant: {
+                    type: GrantType.TokenExchange,
+                    subjectTokenContext: subjectToken.context,
+                  },
+                }
+              ),
+            },
           }),
     };
 

packages/integration-tests/src/__mocks__/jwt-customizer.ts

@@ -1,4 +1,4 @@
-import type { AccessTokenPayload, ClientCredentialsPayload } from '@logto/schemas';
+import { type AccessTokenPayload, type ClientCredentialsPayload } from '@logto/schemas';
 
 const standardTokenPayloadData = {
   jti: 'f1d3d2d1-1f2d-3d4e-5d6f-7d8a9d0e1d2',