feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2025-08-11 21:37:32 +00:00 · 2024-03-20 12:18:46 +02:00
parent b338171585
commit 6398349c24
104 changed files with 2149 additions and 248 deletions
--- a/internal/integration/oidc.go
+++ b/internal/integration/oidc.go
@@ -23,13 +23,16 @@ import (
 	"github.com/zitadel/zitadel/pkg/grpc/user"
 )

-func (s *Tester) CreateOIDCClient(ctx context.Context, redirectURI, logoutRedirectURI, projectID string, appType app.OIDCAppType, authMethod app.OIDCAuthMethodType, devMode bool) (*management.AddOIDCAppResponse, error) {
+func (s *Tester) CreateOIDCClient(ctx context.Context, redirectURI, logoutRedirectURI, projectID string, appType app.OIDCAppType, authMethod app.OIDCAuthMethodType, devMode bool, grantTypes ...app.OIDCGrantType) (*management.AddOIDCAppResponse, error) {
+	if len(grantTypes) == 0 {
+		grantTypes = []app.OIDCGrantType{app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE, app.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN}
+	}
 	return s.Client.Mgmt.AddOIDCApp(ctx, &management.AddOIDCAppRequest{
 		ProjectId:                projectID,
 		Name:                     fmt.Sprintf("app-%d", time.Now().UnixNano()),
 		RedirectUris:             []string{redirectURI},
 		ResponseTypes:            []app.OIDCResponseType{app.OIDCResponseType_OIDC_RESPONSE_TYPE_CODE},
-		GrantTypes:               []app.OIDCGrantType{app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE, app.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN},
+		GrantTypes:               grantTypes,
 		AppType:                  appType,
 		AuthMethodType:           authMethod,
 		PostLogoutRedirectUris:   []string{logoutRedirectURI},
@@ -53,8 +56,8 @@ func (s *Tester) CreateOIDCWebClientBasic(ctx context.Context, redirectURI, logo
 	return s.CreateOIDCClient(ctx, redirectURI, logoutRedirectURI, projectID, app.OIDCAppType_OIDC_APP_TYPE_WEB, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC, false)
 }

-func (s *Tester) CreateOIDCWebClientJWT(ctx context.Context, redirectURI, logoutRedirectURI, projectID string) (client *management.AddOIDCAppResponse, keyData []byte, err error) {
-	client, err = s.CreateOIDCClient(ctx, redirectURI, logoutRedirectURI, projectID, app.OIDCAppType_OIDC_APP_TYPE_WEB, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT, false)
+func (s *Tester) CreateOIDCWebClientJWT(ctx context.Context, redirectURI, logoutRedirectURI, projectID string, grantTypes ...app.OIDCGrantType) (client *management.AddOIDCAppResponse, keyData []byte, err error) {
+	client, err = s.CreateOIDCClient(ctx, redirectURI, logoutRedirectURI, projectID, app.OIDCAppType_OIDC_APP_TYPE_WEB, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT, false, grantTypes...)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -113,6 +116,16 @@ func (s *Tester) CreateOIDCImplicitFlowClient(ctx context.Context, redirectURI s
 	})
 }

+func (s *Tester) CreateOIDCTokenExchangeClient(ctx context.Context) (client *management.AddOIDCAppResponse, keyData []byte, err error) {
+	project, err := s.Client.Mgmt.AddProject(ctx, &management.AddProjectRequest{
+		Name: fmt.Sprintf("project-%d", time.Now().UnixNano()),
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+	return s.CreateOIDCWebClientJWT(ctx, "", "", project.GetId(), app.OIDCGrantType_OIDC_GRANT_TYPE_TOKEN_EXCHANGE, app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE, app.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN)
+}
+
 func (s *Tester) CreateProject(ctx context.Context) (*management.AddProjectResponse, error) {
 	return s.Client.Mgmt.AddProject(ctx, &management.AddProjectRequest{
 		Name: fmt.Sprintf("project-%d", time.Now().UnixNano()),
--- a/internal/integration/user.go
+++ b/internal/integration/user.go
@@ -0,0 +1,57 @@
+package integration
+
+import (
+	"context"
+	"strings"
+	"time"
+
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/pkg/grpc/admin"
+	"github.com/zitadel/zitadel/pkg/grpc/management"
+)
+
+func (s *Tester) CreateMachineUserPATWithMembership(ctx context.Context, roles ...string) (id, pat string, err error) {
+	user := s.CreateMachineUser(ctx)
+
+	patResp, err := s.Client.Mgmt.AddPersonalAccessToken(ctx, &management.AddPersonalAccessTokenRequest{
+		UserId:         user.GetUserId(),
+		ExpirationDate: timestamppb.New(time.Now().Add(24 * time.Hour)),
+	})
+	if err != nil {
+		return "", "", err
+	}
+
+	orgRoles := make([]string, 0, len(roles))
+	iamRoles := make([]string, 0, len(roles))
+
+	for _, role := range roles {
+		if strings.HasPrefix(role, "ORG_") {
+			orgRoles = append(orgRoles, role)
+		}
+		if strings.HasPrefix(role, "IAM_") {
+			iamRoles = append(iamRoles, role)
+		}
+	}
+
+	if len(orgRoles) > 0 {
+		_, err := s.Client.Mgmt.AddOrgMember(ctx, &management.AddOrgMemberRequest{
+			UserId: user.GetUserId(),
+			Roles:  orgRoles,
+		})
+		if err != nil {
+			return "", "", err
+		}
+	}
+	if len(iamRoles) > 0 {
+		_, err := s.Client.Admin.AddIAMMember(ctx, &admin.AddIAMMemberRequest{
+			UserId: user.GetUserId(),
+			Roles:  iamRoles,
+		})
+		if err != nil {
+			return "", "", err
+		}
+	}
+
+	return user.GetUserId(), patResp.GetToken(), nil
+}