feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag

* allow setting reason and actor to access tokens

* impersonation

* set token types and scopes in response

* upgrade oidc to working draft state

* fix tests

* audience and scope validation

* id toke and jwt as input

* return id tokens

* add grant type  token exchange to app config

* add integration tests

* check and deny actors in api calls

* fix instance setting tests by triggering projection on write and cleanup

* insert sleep statements again

* solve linting issues

* add translations

* pin oidc v3.15.0

* resolve comments, add event translation

* fix refreshtoken test

* use ValidateAuthReqScopes from oidc

* apparently the linter can't make up its mind

* persist actor thru refresh tokens and check in tests

* remove unneeded triggers

internal/query/access_token.go

@@ -28,6 +28,8 @@ type OIDCSessionAccessTokenReadModel struct {
 	AccessTokenID         string
 	AccessTokenCreation   time.Time
 	AccessTokenExpiration time.Time
+	Reason                domain.TokenReason
+	Actor                 *domain.TokenActor
 }
 
 func newOIDCSessionAccessTokenReadModel(id string) *OIDCSessionAccessTokenReadModel {
@@ -84,6 +86,8 @@ func (wm *OIDCSessionAccessTokenReadModel) reduceAccessTokenAdded(e *oidcsession
 	wm.AccessTokenID = e.ID
 	wm.AccessTokenCreation = e.CreationDate()
 	wm.AccessTokenExpiration = e.CreationDate().Add(e.Lifetime)
+	wm.Reason = e.Reason
+	wm.Actor = e.Actor
 }
 
 func (wm *OIDCSessionAccessTokenReadModel) reduceTokenRevoked(e eventstore.Event) {

internal/query/embed/oidc_client_by_id.sql

@@ -29,7 +29,12 @@ keys as (
 	group by identifier
 ),
 settings as (
-	select instance_id, json_build_object('access_token_lifetime', access_token_lifetime, 'id_token_lifetime', id_token_lifetime) as settings
+	select instance_id, json_build_object(
+		'access_token_lifetime', access_token_lifetime,
+		'id_token_lifetime', id_token_lifetime,
+		'refresh_token_idle_expiration', refresh_token_idle_expiration,
+		'refresh_token_expiration', refresh_token_expiration
+	) as settings
 	from projections.oidc_settings2
 	where aggregate_id = $1
 		and instance_id = $1

internal/query/instance_features.go

@@ -12,6 +12,7 @@ type InstanceFeatures struct {
 	TriggerIntrospectionProjections FeatureSource[bool]
 	LegacyIntrospection             FeatureSource[bool]
 	UserSchema                      FeatureSource[bool]
+	TokenExchange                   FeatureSource[bool]
 }
 
 func (q *Queries) GetInstanceFeatures(ctx context.Context, cascade bool) (_ *InstanceFeatures, err error) {

internal/query/instance_features_model.go

@@ -61,6 +61,7 @@ func (m *InstanceFeaturesReadModel) Query() *eventstore.SearchQueryBuilder {
 			feature_v2.InstanceTriggerIntrospectionProjectionsEventType,
 			feature_v2.InstanceLegacyIntrospectionEventType,
 			feature_v2.InstanceUserSchemaEventType,
+			feature_v2.InstanceTokenExchangeEventType,
 		).
 		Builder().ResourceOwner(m.ResourceOwner)
 }
@@ -73,6 +74,7 @@ func (m *InstanceFeaturesReadModel) reduceReset() {
 	m.instance.TriggerIntrospectionProjections = FeatureSource[bool]{}
 	m.instance.LegacyIntrospection = FeatureSource[bool]{}
 	m.instance.UserSchema = FeatureSource[bool]{}
+	m.instance.TokenExchange = FeatureSource[bool]{}
 }
 
 func (m *InstanceFeaturesReadModel) populateFromSystem() bool {
@@ -83,6 +85,7 @@ func (m *InstanceFeaturesReadModel) populateFromSystem() bool {
 	m.instance.TriggerIntrospectionProjections = m.system.TriggerIntrospectionProjections
 	m.instance.LegacyIntrospection = m.system.LegacyIntrospection
 	m.instance.UserSchema = m.system.UserSchema
+	m.instance.TokenExchange = m.system.TokenExchange
 	return true
 }
 
@@ -104,6 +107,8 @@ func (m *InstanceFeaturesReadModel) reduceBoolFeature(event *feature_v2.SetEvent
 		dst = &m.instance.LegacyIntrospection
 	case feature.KeyUserSchema:
 		dst = &m.instance.UserSchema
+	case feature.KeyTokenExchange:
+		dst = &m.instance.TokenExchange
 	}
 	*dst = FeatureSource[bool]{
 		Level: level,

internal/query/projection/instance_features.go

@@ -75,6 +75,10 @@ func (*instanceFeatureProjection) Reducers() []handler.AggregateReducer {
 				Event:  feature_v2.InstanceUserSchemaEventType,
 				Reduce: reduceInstanceSetFeature[bool],
 			},
+			{
+				Event:  feature_v2.InstanceTokenExchangeEventType,
+				Reduce: reduceInstanceSetFeature[bool],
+			},
 			{
 				Event:  instance.InstanceRemovedEventType,
 				Reduce: reduceInstanceRemovedHelper(InstanceDomainInstanceIDCol),

internal/query/projection/system_features.go

@@ -67,6 +67,10 @@ func (*systemFeatureProjection) Reducers() []handler.AggregateReducer {
 				Event:  feature_v2.SystemUserSchemaEventType,
 				Reduce: reduceSystemSetFeature[bool],
 			},
+			{
+				Event:  feature_v2.SystemTokenExchangeEventType,
+				Reduce: reduceSystemSetFeature[bool],
+			},
 		},
 	}}
 }

internal/query/system_features.go

@@ -19,6 +19,7 @@ type SystemFeatures struct {
 	TriggerIntrospectionProjections FeatureSource[bool]
 	LegacyIntrospection             FeatureSource[bool]
 	UserSchema                      FeatureSource[bool]
+	TokenExchange                   FeatureSource[bool]
 }
 
 func (q *Queries) GetSystemFeatures(ctx context.Context) (_ *SystemFeatures, err error) {

internal/query/system_features_model.go

@@ -49,6 +49,7 @@ func (m *SystemFeaturesReadModel) Query() *eventstore.SearchQueryBuilder {
 			feature_v2.SystemTriggerIntrospectionProjectionsEventType,
 			feature_v2.SystemLegacyIntrospectionEventType,
 			feature_v2.SystemUserSchemaEventType,
+			feature_v2.SystemTokenExchangeEventType,
 		).
 		Builder().ResourceOwner(m.ResourceOwner)
 }
@@ -75,6 +76,8 @@ func (m *SystemFeaturesReadModel) reduceBoolFeature(event *feature_v2.SetEvent[b
 		dst = &m.system.LegacyIntrospection
 	case feature.KeyUserSchema:
 		dst = &m.system.UserSchema
+	case feature.KeyTokenExchange:
+		dst = &m.system.TokenExchange
 	}
 
 	*dst = FeatureSource[bool]{