feat(api): allow specifying access_token type (opaque/JWT) for service users (#5150)

Add functionality to configure the access token type on the service accounts to provide the oidc library with the necessary information to create the right type of access token.

internal/api/oidc/client.go

@@ -200,9 +200,11 @@ func (o *OPStorage) ClientCredentialsTokenRequest(ctx context.Context, clientID
 	if err != nil {
 		return nil, err
 	}
+	audience := domain.AddAudScopeToAudience(ctx, nil, scope)
 	return &clientCredentialsRequest{
-		sub:    user.ID,
-		scopes: scope,
+		sub:      user.ID,
+		scopes:   scope,
+		audience: audience,
 	}, nil
 }
 
@@ -219,7 +221,8 @@ func (o *OPStorage) ClientCredentials(ctx context.Context, clientID, clientSecre
 		return nil, err
 	}
 	return &clientCredentialsClient{
-		id: clientID,
+		id:        clientID,
+		tokenType: accessTokenTypeToOIDC(user.Machine.AccessTokenType),
 	}, nil
 }
 

internal/api/oidc/client_credentials.go

@@ -8,18 +8,20 @@ import (
 )
 
 type clientCredentialsRequest struct {
-	sub    string
-	scopes []string
+	sub      string
+	audience []string
+	scopes   []string
 }
 
+// GetSubject returns the subject for token to be created because of the client credentials request
+// the subject will be the id of the service user
 func (c *clientCredentialsRequest) GetSubject() string {
 	return c.sub
 }
 
 // GetAudience returns the audience for token to be created because of the client credentials request
-// return nil as the audience is set during the token creation in command.addUserToken
 func (c *clientCredentialsRequest) GetAudience() []string {
-	return nil
+	return c.audience
 }
 
 func (c *clientCredentialsRequest) GetScopes() []string {
@@ -27,13 +29,14 @@ func (c *clientCredentialsRequest) GetScopes() []string {
 }
 
 type clientCredentialsClient struct {
-	id string
+	id        string
+	tokenType op.AccessTokenType
 }
 
 // AccessTokenType returns the AccessTokenType for the token to be created because of the client credentials request
 // machine users currently only have opaque tokens ([op.AccessTokenTypeBearer])
 func (c *clientCredentialsClient) AccessTokenType() op.AccessTokenType {
-	return op.AccessTokenTypeBearer
+	return c.tokenType
 }
 
 // GetID returns the client_id (username of the machine user) for the token to be created because of the client credentials request

internal/api/oidc/jwt-profile.go

@@ -0,0 +1,33 @@
+package oidc
+
+import (
+	"context"
+
+	"github.com/zitadel/oidc/v2/pkg/oidc"
+	"github.com/zitadel/oidc/v2/pkg/op"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+)
+
+func (o *OPStorage) JWTProfileTokenType(ctx context.Context, request op.TokenRequest) (op.AccessTokenType, error) {
+	mapJWTProfileScopesToAudience(ctx, request)
+	user, err := o.query.GetUserByID(ctx, false, request.GetSubject(), false)
+	if err != nil {
+		return 0, err
+	}
+	// the user should always be a machine, but let's just be sure
+	if user.Machine == nil {
+		return 0, errors.ThrowInvalidArgument(nil, "OIDC-jk26S", "invalid client type")
+	}
+	return accessTokenTypeToOIDC(user.Machine.AccessTokenType), nil
+}
+
+func mapJWTProfileScopesToAudience(ctx context.Context, request op.TokenRequest) {
+	// the request should always be a JWTTokenRequest, but let's make sure
+	jwt, ok := request.(*oidc.JWTTokenRequest)
+	if !ok {
+		return
+	}
+	jwt.Audience = domain.AddAudScopeToAudience(ctx, jwt.Audience, jwt.Scopes)
+}