feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2025-08-11 21:27:42 +00:00 · 2024-03-20 12:18:46 +02:00
parent b338171585
commit 6398349c24
104 changed files with 2149 additions and 248 deletions
--- a/internal/api/grpc/admin/feature.go
+++ b/internal/api/grpc/admin/feature.go
@@ -5,8 +5,12 @@ import (

 	"github.com/muhlemmer/gu"

+	"github.com/zitadel/logging"
+
 	object_pb "github.com/zitadel/zitadel/internal/api/grpc/object"
 	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
+	"github.com/zitadel/zitadel/internal/query/projection"
 	admin_pb "github.com/zitadel/zitadel/pkg/grpc/admin"
 )

@@ -17,6 +21,9 @@ func (s *Server) ActivateFeatureLoginDefaultOrg(ctx context.Context, _ *admin_pb
 	if err != nil {
 		return nil, err
 	}
+	_, err = projection.InstanceFeatureProjection.Trigger(ctx, handler.WithAwaitRunning())
+	logging.OnError(err).Warn("trigger instance feature projection")
+
 	return &admin_pb.ActivateFeatureLoginDefaultOrgResponse{
 		Details: object_pb.DomainToChangeDetailsPb(details),
 	}, nil
--- a/internal/api/grpc/admin/iam_settings_integration_test.go
+++ b/internal/api/grpc/admin/iam_settings_integration_test.go
@@ -23,6 +23,14 @@ func TestServer_GetSecurityPolicy(t *testing.T) {
 		EnableImpersonation:   true,
 	})
 	require.NoError(t, err)
+	t.Cleanup(func() {
+		_, err := Client.SetSecurityPolicy(AdminCTX, &admin_pb.SetSecurityPolicyRequest{
+			EnableIframeEmbedding: false,
+			AllowedOrigins:        []string{},
+			EnableImpersonation:   false,
+		})
+		require.NoError(t, err)
+	})

 	tests := []struct {
 		name    string