feat(api): allow specifying access_token type (opaque/JWT) for service users (#5150)

Add functionality to configure the access token type on the service accounts to provide the oidc library with the necessary information to create the right type of access token.
2025-08-12 03:47:33 +00:00 · 2023-02-08 09:06:34 +01:00
parent da130c2ed9
commit 3616b6b028
31 changed files with 504 additions and 331 deletions
--- a/internal/query/user.go
+++ b/internal/query/user.go
@@ -88,9 +88,10 @@ type Phone struct {
 }

 type Machine struct {
-	Name        string
-	Description string
-	HasSecret   bool
+	Name            string
+	Description     string
+	HasSecret       bool
+	AccessTokenType domain.OIDCTokenType
 }

 type NotifyUser struct {
@@ -282,6 +283,10 @@ var (
 		name:  projection.MachineHasSecretCol,
 		table: machineTable,
 	}
+	MachineAccessTokenTypeCol = Column{
+		name:  projection.MachineAccessTokenTypeCol,
+		table: machineTable,
+	}
 )

 var (
@@ -753,6 +758,7 @@ func prepareUserQuery() (sq.SelectBuilder, func(*sql.Row) (*User, error)) {
 			MachineNameCol.identifier(),
 			MachineDescriptionCol.identifier(),
 			MachineHasSecretCol.identifier(),
+			MachineAccessTokenTypeCol.identifier(),
 			countColumn.identifier(),
 		).
 			From(userTable.identifier()).
@@ -789,6 +795,7 @@ func prepareUserQuery() (sq.SelectBuilder, func(*sql.Row) (*User, error)) {
 			name := sql.NullString{}
 			description := sql.NullString{}
 			hasSecret := sql.NullBool{}
+			accessTokenType := sql.NullInt32{}

 			err := row.Scan(
 				&u.ID,
@@ -817,6 +824,7 @@ func prepareUserQuery() (sq.SelectBuilder, func(*sql.Row) (*User, error)) {
 				&name,
 				&description,
 				&hasSecret,
+				&accessTokenType,
 				&count,
 			)

@@ -845,9 +853,10 @@ func prepareUserQuery() (sq.SelectBuilder, func(*sql.Row) (*User, error)) {
 				}
 			} else if machineID.Valid {
 				u.Machine = &Machine{
-					Name:        name.String,
-					Description: description.String,
-					HasSecret:   hasSecret.Bool,
+					Name:            name.String,
+					Description:     description.String,
+					HasSecret:       hasSecret.Bool,
+					AccessTokenType: domain.OIDCTokenType(accessTokenType.Int32),
 				}
 			}
 			return u, nil
@@ -1219,6 +1228,7 @@ func prepareUsersQuery() (sq.SelectBuilder, func(*sql.Rows) (*Users, error)) {
 			MachineNameCol.identifier(),
 			MachineDescriptionCol.identifier(),
 			MachineHasSecretCol.identifier(),
+			MachineAccessTokenTypeCol.identifier(),
 			countColumn.identifier()).
 			From(userTable.identifier()).
 			LeftJoin(join(HumanUserIDCol, UserIDCol)).
@@ -1257,6 +1267,7 @@ func prepareUsersQuery() (sq.SelectBuilder, func(*sql.Rows) (*Users, error)) {
 				name := sql.NullString{}
 				description := sql.NullString{}
 				hasSecret := sql.NullBool{}
+				accessTokenType := sql.NullInt32{}

 				err := rows.Scan(
 					&u.ID,
@@ -1285,6 +1296,7 @@ func prepareUsersQuery() (sq.SelectBuilder, func(*sql.Rows) (*Users, error)) {
 					&name,
 					&description,
 					&hasSecret,
+					&accessTokenType,
 					&count,
 				)
 				if err != nil {
@@ -1312,9 +1324,10 @@ func prepareUsersQuery() (sq.SelectBuilder, func(*sql.Rows) (*Users, error)) {
 					}
 				} else if machineID.Valid {
 					u.Machine = &Machine{
-						Name:        name.String,
-						Description: description.String,
-						HasSecret:   hasSecret.Bool,
+						Name:            name.String,
+						Description:     description.String,
+						HasSecret:       hasSecret.Bool,
+						AccessTokenType: domain.OIDCTokenType(accessTokenType.Int32),
 					}
 				}