feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2025-08-11 19:07:30 +00:00 · 2024-03-20 12:18:46 +02:00
parent b338171585
commit 6398349c24
104 changed files with 2149 additions and 248 deletions
--- a/internal/command/user_test.go
+++ b/internal/command/user_test.go
@@ -1440,14 +1440,18 @@ func TestCommandSide_AddUserToken(t *testing.T) {
 	}
 	type (
 		args struct {
-			ctx      context.Context
-			orgID    string
-			agentID  string
-			clientID string
-			userID   string
-			audience []string
-			scopes   []string
-			lifetime time.Duration
+			ctx                   context.Context
+			orgID                 string
+			agentID               string
+			clientID              string
+			userID                string
+			audience              []string
+			scopes                []string
+			authMethodsReferences []string
+			lifetime              time.Duration
+			authTime              time.Time
+			reason                domain.TokenReason
+			actor                 *domain.TokenActor
 		}
 	)
 	type res struct {
@@ -1500,7 +1504,7 @@ func TestCommandSide_AddUserToken(t *testing.T) {
 				eventstore:  tt.fields.eventstore,
 				idGenerator: tt.fields.idGenerator,
 			}
-			got, err := r.AddUserToken(tt.args.ctx, tt.args.orgID, tt.args.agentID, tt.args.clientID, tt.args.userID, tt.args.audience, tt.args.scopes, tt.args.lifetime)
+			got, err := r.AddUserToken(tt.args.ctx, tt.args.orgID, tt.args.agentID, tt.args.clientID, tt.args.userID, tt.args.audience, tt.args.scopes, tt.args.authMethodsReferences, tt.args.lifetime, tt.args.authTime, tt.args.reason, tt.args.actor)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
@@ -1565,7 +1569,11 @@ func TestCommands_RevokeAccessToken(t *testing.T) {
 								"refreshTokenID",
 								[]string{"clientID"},
 								[]string{"openid"},
+								[]string{"password"},
 								time.Now(),
+								time.Now(),
+								domain.TokenReasonAuthRequest,
+								nil,
 							),
 						),
 					),
@@ -1597,7 +1605,11 @@ func TestCommands_RevokeAccessToken(t *testing.T) {
 								"refreshTokenID",
 								[]string{"clientID"},
 								[]string{"openid"},
+								[]string{"password"},
+								time.Now(),
 								time.Now().Add(5*time.Hour),
+								domain.TokenReasonAuthRequest,
+								nil,
 							),
 						),
 					),