feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag

* allow setting reason and actor to access tokens

* impersonation

* set token types and scopes in response

* upgrade oidc to working draft state

* fix tests

* audience and scope validation

* id toke and jwt as input

* return id tokens

* add grant type  token exchange to app config

* add integration tests

* check and deny actors in api calls

* fix instance setting tests by triggering projection on write and cleanup

* insert sleep statements again

* solve linting issues

* add translations

* pin oidc v3.15.0

* resolve comments, add event translation

* fix refreshtoken test

* use ValidateAuthReqScopes from oidc

* apparently the linter can't make up its mind

* persist actor thru refresh tokens and check in tests

* remove unneeded triggers

internal/api/oidc/userinfo_test.go

@@ -349,9 +349,9 @@ func Test_userInfoToOIDC(t *testing.T) {
 			},
 			want: &oidc.UserInfo{
 				Claims: map[string]any{
-					ClaimResourceOwner + "id":             "orgID",
-					ClaimResourceOwner + "name":           "orgName",
-					ClaimResourceOwner + "primary_domain": "orgDomain",
+					ClaimResourceOwnerID:            "orgID",
+					ClaimResourceOwnerName:          "orgName",
+					ClaimResourceOwnerPrimaryDomain: "orgDomain",
 				},
 			},
 		},
@@ -377,10 +377,10 @@ func Test_userInfoToOIDC(t *testing.T) {
 			},
 			want: &oidc.UserInfo{
 				Claims: map[string]any{
-					domain.OrgIDClaim:                     "orgID",
-					ClaimResourceOwner + "id":             "orgID",
-					ClaimResourceOwner + "name":           "orgName",
-					ClaimResourceOwner + "primary_domain": "orgDomain",
+					domain.OrgIDClaim:               "orgID",
+					ClaimResourceOwnerID:            "orgID",
+					ClaimResourceOwnerName:          "orgName",
+					ClaimResourceOwnerPrimaryDomain: "orgDomain",
 				},
 			},
 		},