feat: actions context information add clientID (#10339)

# Which Problems Are Solved There is no information contained in the context info sent to Actions v2. # How the Problems Are Solved Add application information to the context information sent to Actions v2, to give more information about the execution. # Additional Changes None # Additional Context Closes #9377
2025-08-11 21:47:32 +00:00 · 2025-07-29 00:08:12 +02:00
parent 5d2d1d6da6
commit 416a35537f
5 changed files with 45 additions and 26 deletions
--- a/internal/api/oidc/introspect.go
+++ b/internal/api/oidc/introspect.go
@@ -100,6 +100,7 @@ func (s *Server) Introspect(ctx context.Context, r *op.Request[op.IntrospectionR
 		token.userID,
 		token.scope,
 		client.projectID,
+		client.clientID,
 		client.projectRoleAssertion,
 		true,
 		true,
--- a/internal/api/oidc/token.go
+++ b/internal/api/oidc/token.go
@@ -31,7 +31,7 @@ for example the v2 code exchange and refresh token.
 */

 func (s *Server) accessTokenResponseFromSession(ctx context.Context, client op.Client, session *command.OIDCSession, state, projectID string, projectRoleAssertion, accessTokenRoleAssertion, idTokenRoleAssertion, userInfoAssertion bool) (_ *oidc.AccessTokenResponse, err error) {
-	getUserInfo := s.getUserInfo(session.UserID, projectID, projectRoleAssertion, userInfoAssertion, session.Scope)
+	getUserInfo := s.getUserInfo(session.UserID, projectID, client.GetID(), projectRoleAssertion, userInfoAssertion, session.Scope)
 	getSigner := s.getSignerOnce()

 	resp := &oidc.AccessTokenResponse{
@@ -113,8 +113,8 @@ type userInfoFunc func(ctx context.Context, roleAssertion bool, triggerType doma

 // getUserInfo returns a function which retrieves userinfo from the database once.
 // However, each time, role claims are asserted and also action flows will trigger.
-func (s *Server) getUserInfo(userID, projectID string, projectRoleAssertion, userInfoAssertion bool, scope []string) userInfoFunc {
-	userInfo := s.userInfo(userID, scope, projectID, projectRoleAssertion, userInfoAssertion, false)
+func (s *Server) getUserInfo(userID, projectID, clientID string, projectRoleAssertion, userInfoAssertion bool, scope []string) userInfoFunc {
+	userInfo := s.userInfo(userID, scope, projectID, clientID, projectRoleAssertion, userInfoAssertion, false)
 	return func(ctx context.Context, roleAssertion bool, triggerType domain.TriggerType) (*oidc.UserInfo, error) {
 		return userInfo(ctx, roleAssertion, triggerType)
 	}
--- a/internal/api/oidc/token_exchange.go
+++ b/internal/api/oidc/token_exchange.go
@@ -218,7 +218,7 @@ func validateTokenExchangeAudience(requestedAudience, subjectAudience, actorAudi
 // Both tokens may point to the same object (subjectToken) in case of a regular Token Exchange.
 // When the subject and actor Tokens point to different objects, the new tokens will be for impersonation / delegation.
 func (s *Server) createExchangeTokens(ctx context.Context, tokenType oidc.TokenType, client *Client, subjectToken, actorToken *exchangeToken, audience, scopes []string) (_ *oidc.TokenExchangeResponse, err error) {
-	getUserInfo := s.getUserInfo(subjectToken.userID, client.client.ProjectID, client.client.ProjectRoleAssertion, client.IDTokenUserinfoClaimsAssertion(), scopes)
+	getUserInfo := s.getUserInfo(subjectToken.userID, client.client.ProjectID, client.GetID(), client.client.ProjectRoleAssertion, client.IDTokenUserinfoClaimsAssertion(), scopes)
 	getSigner := s.getSignerOnce()

 	resp := &oidc.TokenExchangeResponse{
--- a/internal/api/oidc/userinfo.go
+++ b/internal/api/oidc/userinfo.go
@@ -54,6 +54,7 @@ func (s *Server) UserInfo(ctx context.Context, r *op.Request[oidc.UserInfoReques
 		token.userID,
 		token.scope,
 		projectID,
+		token.clientID,
 		assertion,
 		true,
 		false,
@@ -86,6 +87,7 @@ func (s *Server) userInfo(
 	userID string,
 	scope []string,
 	projectID string,
+	clientID string,
 	projectRoleAssertion, userInfoAssertion, currentProjectOnly bool,
 ) func(ctx context.Context, roleAssertion bool, triggerType domain.TriggerType) (_ *oidc.UserInfo, err error) {
 	var (
@@ -120,7 +122,7 @@ func (s *Server) userInfo(
 			Claims:          maps.Clone(rawUserInfo.Claims),
 		}
 		assertRoles(projectID, qu, roleAudience, requestedRoles, roleAssertion, userInfo)
-		return userInfo, s.userinfoFlows(ctx, qu, userInfo, triggerType)
+		return userInfo, s.userinfoFlows(ctx, qu, userInfo, triggerType, clientID)
 	}
 }

@@ -285,7 +287,8 @@ func setUserInfoRoleClaims(userInfo *oidc.UserInfo, roles *projectsRoles) {
 	}
 }

-func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, userInfo *oidc.UserInfo, triggerType domain.TriggerType) (err error) {
+//nolint:gocognit
+func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, userInfo *oidc.UserInfo, triggerType domain.TriggerType, clientID string) (err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

@@ -319,6 +322,13 @@ func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, user
 					}
 				}),
 			),
+			actions.SetFields("application",
+				actions.SetFields("getClientId", func(c *actions.FieldConfig) interface{} {
+					return func(goja.FunctionCall) goja.Value {
+						return c.Runtime.ToValue(clientID)
+					}
+				}),
+			),
 		),
 	)

@@ -427,6 +437,7 @@ func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, user
 		User:         qu.User,
 		UserMetadata: qu.Metadata,
 		Org:          qu.Org,
+		Application:  &ContextInfoApplication{ClientID: clientID},
 		UserGrants:   qu.UserGrants,
 	}

@@ -463,13 +474,17 @@ func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, user
 }

 type ContextInfo struct {
-	Function     string               `json:"function,omitempty"`
-	UserInfo     *oidc.UserInfo       `json:"userinfo,omitempty"`
-	User         *query.User          `json:"user,omitempty"`
-	UserMetadata []query.UserMetadata `json:"user_metadata,omitempty"`
-	Org          *query.UserInfoOrg   `json:"org,omitempty"`
-	UserGrants   []query.UserGrant    `json:"user_grants,omitempty"`
-	Response     *ContextInfoResponse `json:"response,omitempty"`
+	Function     string                  `json:"function,omitempty"`
+	UserInfo     *oidc.UserInfo          `json:"userinfo,omitempty"`
+	User         *query.User             `json:"user,omitempty"`
+	UserMetadata []query.UserMetadata    `json:"user_metadata,omitempty"`
+	Org          *query.UserInfoOrg      `json:"org,omitempty"`
+	UserGrants   []query.UserGrant       `json:"user_grants,omitempty"`
+	Application  *ContextInfoApplication `json:"application,omitempty"`
+	Response     *ContextInfoResponse    `json:"response,omitempty"`
+}
+type ContextInfoApplication struct {
+	ClientID string `json:"client_id,omitempty"`
 }

 type ContextInfoResponse struct {