feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2025-08-11 19:17:32 +00:00 · 2024-03-20 12:18:46 +02:00
parent b338171585
commit 6398349c24
104 changed files with 2149 additions and 248 deletions
--- a/internal/domain/token.go
+++ b/internal/domain/token.go
@@ -20,6 +20,8 @@ type Token struct {
 	Expiration        time.Time
 	Scopes            []string
 	PreferredLanguage string
+	Reason            TokenReason
+	Actor             *TokenActor
 }

 func AddAudScopeToAudience(ctx context.Context, audience, scopes []string) []string {
@@ -44,3 +46,22 @@ func addProjectID(audience []string, projectID string) []string {
 	}
 	return append(audience, projectID)
 }
+
+//go:generate enumer -type TokenReason -transform snake -trimprefix TokenReason -json
+type TokenReason int
+
+const (
+	TokenReasonUnspecified TokenReason = iota
+	TokenReasonAuthRequest
+	TokenReasonRefresh
+	TokenReasonJWTProfile
+	TokenReasonClientCredentials
+	TokenReasonExchange
+	TokenReasonImpersonation
+)
+
+type TokenActor struct {
+	Actor  *TokenActor `json:"actor,omitempty"`
+	UserID string      `json:"user_id,omitempty"`
+	Issuer string      `json:"issuer,omitempty"`
+}