feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2025-08-11 20:57:31 +00:00 · 2024-03-20 12:18:46 +02:00
parent b338171585
commit 6398349c24
104 changed files with 2149 additions and 248 deletions
--- a/internal/command/user_human_refresh_token_model.go
+++ b/internal/command/user_human_refresh_token_model.go
@@ -15,10 +15,13 @@ type HumanRefreshTokenWriteModel struct {
 	TokenID      string
 	RefreshToken string

-	UserState      domain.UserState
-	IdleExpiration time.Time
-	Expiration     time.Time
-	UserAgentID    string
+	UserState             domain.UserState
+	AuthTime              time.Time
+	IdleExpiration        time.Time
+	Expiration            time.Time
+	UserAgentID           string
+	AuthMethodsReferences []string
+	Actor                 *domain.TokenActor
 }

 func NewHumanRefreshTokenWriteModel(userID, resourceOwner, tokenID string) *HumanRefreshTokenWriteModel {
@@ -64,7 +67,10 @@ func (wm *HumanRefreshTokenWriteModel) Reduce() error {
 			wm.IdleExpiration = e.CreationDate().Add(e.IdleExpiration)
 			wm.Expiration = e.CreationDate().Add(e.Expiration)
 			wm.UserState = domain.UserStateActive
+			wm.AuthTime = e.AuthTime
 			wm.UserAgentID = e.UserAgentID
+			wm.AuthMethodsReferences = e.AuthMethodsReferences
+			wm.Actor = e.Actor
 		case *user.HumanRefreshTokenRenewedEvent:
 			if wm.UserState == domain.UserStateActive {
 				wm.RefreshToken = e.RefreshToken