feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2025-08-12 00:27:31 +00:00 · 2024-03-20 12:18:46 +02:00
parent b338171585
commit 6398349c24
104 changed files with 2149 additions and 248 deletions
--- a/internal/api/oidc/introspect.go
+++ b/internal/api/oidc/introspect.go
@@ -106,16 +106,19 @@ func (s *Server) Introspect(ctx context.Context, r *op.Request[op.IntrospectionR
 		return nil, err
 	}
 	introspectionResp := &oidc.IntrospectionResponse{
-		Active:     true,
-		Scope:      token.scope,
-		ClientID:   token.clientID,
-		TokenType:  oidc.BearerToken,
-		Expiration: oidc.FromTime(token.tokenExpiration),
-		IssuedAt:   oidc.FromTime(token.tokenCreation),
-		NotBefore:  oidc.FromTime(token.tokenCreation),
-		Audience:   token.audience,
-		Issuer:     op.IssuerFromContext(ctx),
-		JWTID:      token.tokenID,
+		Active:                          true,
+		Scope:                           token.scope,
+		ClientID:                        token.clientID,
+		TokenType:                       oidc.BearerToken,
+		Expiration:                      oidc.FromTime(token.tokenExpiration),
+		IssuedAt:                        oidc.FromTime(token.tokenCreation),
+		AuthTime:                        oidc.FromTime(token.authTime),
+		NotBefore:                       oidc.FromTime(token.tokenCreation),
+		Audience:                        token.audience,
+		AuthenticationMethodsReferences: AuthMethodTypesToAMR(token.authMethods),
+		Issuer:                          op.IssuerFromContext(ctx),
+		JWTID:                           token.tokenID,
+		Actor:                           actorDomainToClaims(token.actor),
 	}
 	introspectionResp.SetUserInfo(userInfo)
 	return op.NewResponse(introspectionResp), nil