feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2025-08-12 00:17:32 +00:00 · 2024-03-20 12:18:46 +02:00
parent b338171585
commit 6398349c24
104 changed files with 2149 additions and 248 deletions
--- a/internal/command/oidc_session_model.go
+++ b/internal/command/oidc_session_model.go
@@ -23,6 +23,8 @@ type OIDCSessionWriteModel struct {
 	AccessTokenID              string
 	AccessTokenCreation        time.Time
 	AccessTokenExpiration      time.Time
+	AccessTokenReason          domain.TokenReason
+	AccessTokenActor           *domain.TokenActor
 	RefreshTokenID             string
 	RefreshToken               string
 	RefreshTokenExpiration     time.Time
@@ -100,6 +102,8 @@ func (wm *OIDCSessionWriteModel) reduceAdded(e *oidcsession.AddedEvent) {
 func (wm *OIDCSessionWriteModel) reduceAccessTokenAdded(e *oidcsession.AccessTokenAddedEvent) {
 	wm.AccessTokenID = e.ID
 	wm.AccessTokenExpiration = e.CreationDate().Add(e.Lifetime)
+	wm.AccessTokenReason = e.Reason
+	wm.AccessTokenActor = e.Actor
 }

 func (wm *OIDCSessionWriteModel) reduceAccessTokenRevoked(e *oidcsession.AccessTokenRevokedEvent) {