feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag

* allow setting reason and actor to access tokens

* impersonation

* set token types and scopes in response

* upgrade oidc to working draft state

* fix tests

* audience and scope validation

* id toke and jwt as input

* return id tokens

* add grant type  token exchange to app config

* add integration tests

* check and deny actors in api calls

* fix instance setting tests by triggering projection on write and cleanup

* insert sleep statements again

* solve linting issues

* add translations

* pin oidc v3.15.0

* resolve comments, add event translation

* fix refreshtoken test

* use ValidateAuthReqScopes from oidc

* apparently the linter can't make up its mind

* persist actor thru refresh tokens and check in tests

* remove unneeded triggers

internal/query/access_token.go

@@ -28,6 +28,8 @@ type OIDCSessionAccessTokenReadModel struct {
 	AccessTokenID         string
 	AccessTokenCreation   time.Time
 	AccessTokenExpiration time.Time
+	Reason                domain.TokenReason
+	Actor                 *domain.TokenActor
 }
 
 func newOIDCSessionAccessTokenReadModel(id string) *OIDCSessionAccessTokenReadModel {
@@ -84,6 +86,8 @@ func (wm *OIDCSessionAccessTokenReadModel) reduceAccessTokenAdded(e *oidcsession
 	wm.AccessTokenID = e.ID
 	wm.AccessTokenCreation = e.CreationDate()
 	wm.AccessTokenExpiration = e.CreationDate().Add(e.Lifetime)
+	wm.Reason = e.Reason
+	wm.Actor = e.Actor
 }
 
 func (wm *OIDCSessionAccessTokenReadModel) reduceTokenRevoked(e eventstore.Event) {