feat(api): allow specifying access_token type (opaque/JWT) for service users (#5150)

Add functionality to configure the access token type on the service accounts to provide the oidc library with the necessary information to create the right type of access token.
2025-08-12 07:07:32 +00:00 · 2023-02-08 09:06:34 +01:00
parent da130c2ed9
commit 3616b6b028
31 changed files with 504 additions and 331 deletions
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -200,9 +200,11 @@ func (o *OPStorage) ClientCredentialsTokenRequest(ctx context.Context, clientID
 	if err != nil {
 		return nil, err
 	}
+	audience := domain.AddAudScopeToAudience(ctx, nil, scope)
 	return &clientCredentialsRequest{
-		sub:    user.ID,
-		scopes: scope,
+		sub:      user.ID,
+		scopes:   scope,
+		audience: audience,
 	}, nil
 }

@@ -219,7 +221,8 @@ func (o *OPStorage) ClientCredentials(ctx context.Context, clientID, clientSecre
 		return nil, err
 	}
 	return &clientCredentialsClient{
-		id: clientID,
+		id:        clientID,
+		tokenType: accessTokenTypeToOIDC(user.Machine.AccessTokenType),
 	}, nil
 }