feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2025-08-12 00:47:33 +00:00 · 2024-03-20 12:18:46 +02:00
parent b338171585
commit 6398349c24
104 changed files with 2149 additions and 248 deletions
--- a/internal/api/oidc/amr.go
+++ b/internal/api/oidc/amr.go
@@ -21,6 +21,9 @@ const (
 //
 // [RFC 8176, section 2]: https://datatracker.ietf.org/doc/html/rfc8176#section-2
 func AuthMethodTypesToAMR(methodTypes []domain.UserAuthMethodType) []string {
+	if methodTypes == nil {
+		return nil // make sure amr is omitted when not provided / supported
+	}
 	amr := make([]string, 0, 4)
 	var factors, otp int
 	for _, methodType := range methodTypes {
@@ -34,7 +37,8 @@ func AuthMethodTypesToAMR(methodTypes []domain.UserAuthMethodType) []string {
 		case domain.UserAuthMethodTypeU2F:
 			amr = append(amr, UserPresence)
 			factors++
-		case domain.UserAuthMethodTypeTOTP,
+		case domain.UserAuthMethodTypeOTP,
+			domain.UserAuthMethodTypeTOTP,
 			domain.UserAuthMethodTypeOTPSMS,
 			domain.UserAuthMethodTypeOTPEmail:
 			// a user could use multiple (t)otp, which is a factor, but still will be returned as a single `otp` entry
@@ -55,3 +59,33 @@ func AuthMethodTypesToAMR(methodTypes []domain.UserAuthMethodType) []string {
 	}
 	return amr
 }
+
+func AMRToAuthMethodTypes(amr []string) []domain.UserAuthMethodType {
+	authMethods := make([]domain.UserAuthMethodType, 0, len(amr))
+	var (
+		userPresence bool
+		mfa          bool
+	)
+
+	for _, entry := range amr {
+		switch entry {
+		case Password, PWD:
+			authMethods = append(authMethods, domain.UserAuthMethodTypePassword)
+		case OTP:
+			authMethods = append(authMethods, domain.UserAuthMethodTypeOTP)
+		case UserPresence:
+			userPresence = true
+		case MFA:
+			mfa = true
+		}
+	}
+
+	if userPresence {
+		if mfa {
+			authMethods = append(authMethods, domain.UserAuthMethodTypePasswordless)
+		} else {
+			authMethods = append(authMethods, domain.UserAuthMethodTypeU2F)
+		}
+	}
+	return authMethods
+}