feat(api): allow specifying access_token type (opaque/JWT) for service users (#5150)

Add functionality to configure the access token type on the service accounts to provide the oidc library with the necessary information to create the right type of access token.
2025-08-11 21:07:31 +00:00 · 2023-02-08 09:06:34 +01:00
parent da130c2ed9
commit 3616b6b028
31 changed files with 504 additions and 331 deletions
--- a/internal/api/oidc/jwt-profile.go
+++ b/internal/api/oidc/jwt-profile.go
@@ -0,0 +1,33 @@
+package oidc
+
+import (
+	"context"
+
+	"github.com/zitadel/oidc/v2/pkg/oidc"
+	"github.com/zitadel/oidc/v2/pkg/op"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+)
+
+func (o *OPStorage) JWTProfileTokenType(ctx context.Context, request op.TokenRequest) (op.AccessTokenType, error) {
+	mapJWTProfileScopesToAudience(ctx, request)
+	user, err := o.query.GetUserByID(ctx, false, request.GetSubject(), false)
+	if err != nil {
+		return 0, err
+	}
+	// the user should always be a machine, but let's just be sure
+	if user.Machine == nil {
+		return 0, errors.ThrowInvalidArgument(nil, "OIDC-jk26S", "invalid client type")
+	}
+	return accessTokenTypeToOIDC(user.Machine.AccessTokenType), nil
+}
+
+func mapJWTProfileScopesToAudience(ctx context.Context, request op.TokenRequest) {
+	// the request should always be a JWTTokenRequest, but let's make sure
+	jwt, ok := request.(*oidc.JWTTokenRequest)
+	if !ok {
+		return
+	}
+	jwt.Audience = domain.AddAudScopeToAudience(ctx, jwt.Audience, jwt.Scopes)
+}