feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2025-08-11 18:33:28 +00:00 · 2024-03-20 12:18:46 +02:00
parent b338171585
commit 6398349c24
104 changed files with 2149 additions and 248 deletions
--- a/cmd/setup/24.go
+++ b/cmd/setup/24.go
@@ -0,0 +1,27 @@
+package setup
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+var (
+	//go:embed 24.sql
+	addTokenActor string
+)
+
+type AddActorToAuthTokens struct {
+	dbClient *database.DB
+}
+
+func (mig *AddActorToAuthTokens) Execute(ctx context.Context, _ eventstore.Event) error {
+	_, err := mig.dbClient.ExecContext(ctx, addTokenActor)
+	return err
+}
+
+func (mig *AddActorToAuthTokens) String() string {
+	return "24_add_actor_col_to_auth_tokens"
+}
--- a/cmd/setup/24.sql
+++ b/cmd/setup/24.sql
@@ -0,0 +1,2 @@
+ALTER TABLE auth.tokens ADD COLUMN actor jsonb;
+ALTER TABLE auth.refresh_tokens ADD COLUMN actor jsonb;
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@@ -102,6 +102,7 @@ type Steps struct {
 	s21AddBlockFieldToLimits          *AddBlockFieldToLimits
 	s22ActiveInstancesIndex           *ActiveInstanceEvents
 	s23CorrectGlobalUniqueConstraints *CorrectGlobalUniqueConstraints
+	s24AddActorToAuthTokens           *AddActorToAuthTokens
 }

 func MustNewSteps(v *viper.Viper) *Steps {
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
@@ -136,6 +136,7 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	steps.s21AddBlockFieldToLimits = &AddBlockFieldToLimits{dbClient: queryDBClient}
 	steps.s22ActiveInstancesIndex = &ActiveInstanceEvents{dbClient: queryDBClient}
 	steps.s23CorrectGlobalUniqueConstraints = &CorrectGlobalUniqueConstraints{dbClient: esPusherDBClient}
+	steps.s24AddActorToAuthTokens = &AddActorToAuthTokens{dbClient: queryDBClient}

 	err = projection.Create(ctx, projectionDBClient, eventstoreClient, config.Projections, nil, nil, nil)
 	logging.OnError(err).Fatal("unable to start projections")
@@ -172,6 +173,7 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 		steps.s20AddByUserSessionIndex,
 		steps.s22ActiveInstancesIndex,
 		steps.s23CorrectGlobalUniqueConstraints,
+		steps.s24AddActorToAuthTokens,
 	} {
 		mustExecuteMigration(ctx, eventstoreClient, step, "migration failed")
 	}