feat(api): allow specifying access_token type (opaque/JWT) for service users (#5150)

Add functionality to configure the access token type on the service accounts to provide the oidc library with the necessary information to create the right type of access token.
2025-08-12 00:27:31 +00:00 · 2023-02-08 09:06:34 +01:00
parent da130c2ed9
commit 3616b6b028
31 changed files with 504 additions and 331 deletions
--- a/internal/api/grpc/management/user_converter.go
+++ b/internal/api/grpc/management/user_converter.go
@@ -170,9 +170,10 @@ func AddMachineUserRequestToCommand(req *mgmt_pb.AddMachineUserRequest, resource
 		ObjectRoot: models.ObjectRoot{
 			ResourceOwner: resourceowner,
 		},
-		Username:    req.UserName,
-		Name:        req.Name,
-		Description: req.Description,
+		Username:        req.UserName,
+		Name:            req.Name,
+		Description:     req.Description,
+		AccessTokenType: user_grpc.AccessTokenTypeToDomain(req.AccessTokenType),
 	}
 }

@@ -226,8 +227,9 @@ func UpdateMachineRequestToCommand(req *mgmt_pb.UpdateMachineRequest, orgID stri
 			AggregateID:   req.UserId,
 			ResourceOwner: orgID,
 		},
-		Name:        req.Name,
-		Description: req.Description,
+		Name:            req.Name,
+		Description:     req.Description,
+		AccessTokenType: user_grpc.AccessTokenTypeToDomain(req.AccessTokenType),
 	}
 }

--- a/internal/api/grpc/user/converter.go
+++ b/internal/api/grpc/user/converter.go
@@ -70,9 +70,10 @@ func HumanToPb(view *query.Human, assetPrefix, owner string) *user_pb.Human {

 func MachineToPb(view *query.Machine) *user_pb.Machine {
 	return &user_pb.Machine{
-		Name:        view.Name,
-		Description: view.Description,
-		HasSecret:   view.HasSecret,
+		Name:           view.Name,
+		Description:    view.Description,
+		HasSecret:      view.HasSecret,
+		AccessTokenTyp: AccessTokenTypeToPb(view.AccessTokenType),
 	}
 }

@@ -129,6 +130,17 @@ func GenderToDomain(gender user_pb.Gender) domain.Gender {
 	}
 }

+func AccessTokenTypeToDomain(accessTokenType user_pb.AccessTokenType) domain.OIDCTokenType {
+	switch accessTokenType {
+	case user_pb.AccessTokenType_ACCESS_TOKEN_TYPE_BEARER:
+		return domain.OIDCTokenTypeBearer
+	case user_pb.AccessTokenType_ACCESS_TOKEN_TYPE_JWT:
+		return domain.OIDCTokenTypeJWT
+	default:
+		return -1
+	}
+}
+
 func UserStateToPb(state domain.UserState) user_pb.UserState {
 	switch state {
 	case domain.UserStateActive:
@@ -161,6 +173,17 @@ func GenderToPb(gender domain.Gender) user_pb.Gender {
 	}
 }

+func AccessTokenTypeToPb(accessTokenType domain.OIDCTokenType) user_pb.AccessTokenType {
+	switch accessTokenType {
+	case domain.OIDCTokenTypeBearer:
+		return user_pb.AccessTokenType_ACCESS_TOKEN_TYPE_BEARER
+	case domain.OIDCTokenTypeJWT:
+		return user_pb.AccessTokenType_ACCESS_TOKEN_TYPE_JWT
+	default:
+		return user_pb.AccessTokenType_ACCESS_TOKEN_TYPE_BEARER
+	}
+}
+
 func AuthMethodsToPb(mfas *query.AuthMethods) []*user_pb.AuthFactor {
 	factors := make([]*user_pb.AuthFactor, len(mfas.AuthMethods))
 	for i, mfa := range mfas.AuthMethods {