feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2025-08-11 19:17:32 +00:00 · 2024-03-20 12:18:46 +02:00
parent b338171585
commit 6398349c24
104 changed files with 2149 additions and 248 deletions
--- a/internal/repository/feature/feature_v2/eventstore.go
+++ b/internal/repository/feature/feature_v2/eventstore.go
@@ -10,9 +10,11 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemTriggerIntrospectionProjectionsEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemLegacyIntrospectionEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemUserSchemaEventType, eventstore.GenericEventMapper[SetEvent[bool]])
+	eventstore.RegisterFilterEventMapper(AggregateType, SystemTokenExchangeEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceResetEventType, eventstore.GenericEventMapper[ResetEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceLoginDefaultOrgEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceTriggerIntrospectionProjectionsEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceLegacyIntrospectionEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceUserSchemaEventType, eventstore.GenericEventMapper[SetEvent[bool]])
+	eventstore.RegisterFilterEventMapper(AggregateType, InstanceTokenExchangeEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 }
--- a/internal/repository/feature/feature_v2/feature.go
+++ b/internal/repository/feature/feature_v2/feature.go
@@ -16,12 +16,14 @@ var (
 	SystemTriggerIntrospectionProjectionsEventType = setEventTypeFromFeature(feature.LevelSystem, feature.KeyTriggerIntrospectionProjections)
 	SystemLegacyIntrospectionEventType             = setEventTypeFromFeature(feature.LevelSystem, feature.KeyLegacyIntrospection)
 	SystemUserSchemaEventType                      = setEventTypeFromFeature(feature.LevelSystem, feature.KeyUserSchema)
+	SystemTokenExchangeEventType                   = setEventTypeFromFeature(feature.LevelSystem, feature.KeyTokenExchange)

 	InstanceResetEventType                           = resetEventTypeFromFeature(feature.LevelInstance)
 	InstanceLoginDefaultOrgEventType                 = setEventTypeFromFeature(feature.LevelInstance, feature.KeyLoginDefaultOrg)
 	InstanceTriggerIntrospectionProjectionsEventType = setEventTypeFromFeature(feature.LevelInstance, feature.KeyTriggerIntrospectionProjections)
 	InstanceLegacyIntrospectionEventType             = setEventTypeFromFeature(feature.LevelInstance, feature.KeyLegacyIntrospection)
 	InstanceUserSchemaEventType                      = setEventTypeFromFeature(feature.LevelInstance, feature.KeyUserSchema)
+	InstanceTokenExchangeEventType                   = setEventTypeFromFeature(feature.LevelInstance, feature.KeyTokenExchange)
 )

 const (
--- a/internal/repository/oidcsession/oidc_session.go
+++ b/internal/repository/oidcsession/oidc_session.go
@@ -71,9 +71,11 @@ func NewAddedEvent(ctx context.Context,
 type AccessTokenAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	ID       string        `json:"id"`
-	Scope    []string      `json:"scope"`
-	Lifetime time.Duration `json:"lifetime"`
+	ID       string             `json:"id,omitempty"`
+	Scope    []string           `json:"scope,omitempty"`
+	Lifetime time.Duration      `json:"lifetime,omitempty"`
+	Reason   domain.TokenReason `json:"reason,omitempty"`
+	Actor    *domain.TokenActor `json:"actor,omitempty"`
 }

 func (e *AccessTokenAddedEvent) Payload() interface{} {
@@ -94,6 +96,8 @@ func NewAccessTokenAddedEvent(
 	id string,
 	scope []string,
 	lifetime time.Duration,
+	reason domain.TokenReason,
+	actor *domain.TokenActor,
 ) *AccessTokenAddedEvent {
 	return &AccessTokenAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -104,6 +108,8 @@ func NewAccessTokenAddedEvent(
 		ID:       id,
 		Scope:    scope,
 		Lifetime: lifetime,
+		Reason:   reason,
+		Actor:    actor,
 	}
 }

--- a/internal/repository/user/eventstore.go
+++ b/internal/repository/user/eventstore.go
@@ -42,6 +42,7 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, UserReactivatedType, UserReactivatedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserRemovedType, UserRemovedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserTokenAddedType, UserTokenAddedEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, UserImpersonatedType, eventstore.GenericEventMapper[UserImpersonatedEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, UserTokenRemovedType, UserTokenRemovedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserDomainClaimedType, DomainClaimedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserDomainClaimedSentType, DomainClaimedSentEventMapper)
--- a/internal/repository/user/human_refresh_token.go
+++ b/internal/repository/user/human_refresh_token.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"time"

+	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
@@ -18,16 +19,17 @@ const (
 type HumanRefreshTokenAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	TokenID               string        `json:"tokenId"`
-	ClientID              string        `json:"clientId"`
-	UserAgentID           string        `json:"userAgentId"`
-	Audience              []string      `json:"audience"`
-	Scopes                []string      `json:"scopes"`
-	AuthMethodsReferences []string      `json:"authMethodReferences"`
-	AuthTime              time.Time     `json:"authTime"`
-	IdleExpiration        time.Duration `json:"idleExpiration"`
-	Expiration            time.Duration `json:"expiration"`
-	PreferredLanguage     string        `json:"preferredLanguage"`
+	TokenID               string             `json:"tokenId"`
+	ClientID              string             `json:"clientId"`
+	UserAgentID           string             `json:"userAgentId"`
+	Audience              []string           `json:"audience"`
+	Scopes                []string           `json:"scopes"`
+	AuthMethodsReferences []string           `json:"authMethodReferences"`
+	AuthTime              time.Time          `json:"authTime"`
+	IdleExpiration        time.Duration      `json:"idleExpiration"`
+	Expiration            time.Duration      `json:"expiration"`
+	PreferredLanguage     string             `json:"preferredLanguage"`
+	Actor                 *domain.TokenActor `json:"actor,omitempty"`
 }

 func (e *HumanRefreshTokenAddedEvent) Payload() interface{} {
@@ -55,6 +57,7 @@ func NewHumanRefreshTokenAddedEvent(
 	authTime time.Time,
 	idleExpiration,
 	expiration time.Duration,
+	actor *domain.TokenActor,
 ) *HumanRefreshTokenAddedEvent {
 	return &HumanRefreshTokenAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -72,6 +75,7 @@ func NewHumanRefreshTokenAddedEvent(
 		IdleExpiration:        idleExpiration,
 		Expiration:            expiration,
 		PreferredLanguage:     preferredLanguage,
+		Actor:                 actor,
 	}
 }

--- a/internal/repository/user/user.go
+++ b/internal/repository/user/user.go
@@ -20,6 +20,7 @@ const (
 	UserRemovedType           = userEventTypePrefix + "removed"
 	UserTokenAddedType        = userEventTypePrefix + "token.added"
 	UserTokenRemovedType      = userEventTypePrefix + "token.removed"
+	UserImpersonatedType      = userEventTypePrefix + "impersonated"
 	UserDomainClaimedType     = userEventTypePrefix + "domain.claimed"
 	UserDomainClaimedSentType = userEventTypePrefix + "domain.claimed.sent"
 	UserUserNameChangedType   = userEventTypePrefix + "username.changed"
@@ -209,14 +210,18 @@ func UserRemovedEventMapper(event eventstore.Event) (eventstore.Event, error) {
 type UserTokenAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	TokenID           string    `json:"tokenId"`
-	ApplicationID     string    `json:"applicationId"`
-	UserAgentID       string    `json:"userAgentId"`
-	RefreshTokenID    string    `json:"refreshTokenID,omitempty"`
-	Audience          []string  `json:"audience"`
-	Scopes            []string  `json:"scopes"`
-	Expiration        time.Time `json:"expiration"`
-	PreferredLanguage string    `json:"preferredLanguage"`
+	TokenID               string             `json:"tokenId,omitempty"`
+	ApplicationID         string             `json:"applicationId,omitempty"`
+	UserAgentID           string             `json:"userAgentId,omitempty"`
+	RefreshTokenID        string             `json:"refreshTokenID,omitempty"`
+	Audience              []string           `json:"audience,omitempty"`
+	Scopes                []string           `json:"scopes,omitempty"`
+	AuthMethodsReferences []string           `json:"authMethodsReferences,omitempty"`
+	AuthTime              time.Time          `json:"authTime,omitempty"`
+	Expiration            time.Time          `json:"expiration,omitempty"`
+	PreferredLanguage     string             `json:"preferredLanguage,omitempty"`
+	Reason                domain.TokenReason `json:"reason,omitempty"`
+	Actor                 *domain.TokenActor `json:"actor,omitempty"`
 }

 func (e *UserTokenAddedEvent) Payload() interface{} {
@@ -236,8 +241,12 @@ func NewUserTokenAddedEvent(
 	preferredLanguage,
 	refreshTokenID string,
 	audience,
-	scopes []string,
+	scopes,
+	authMethodsReferences []string,
+	authTime,
 	expiration time.Time,
+	reason domain.TokenReason,
+	actor *domain.TokenActor,
 ) *UserTokenAddedEvent {
 	return &UserTokenAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -253,6 +262,8 @@ func NewUserTokenAddedEvent(
 		Scopes:            scopes,
 		Expiration:        expiration,
 		PreferredLanguage: preferredLanguage,
+		Reason:            reason,
+		Actor:             actor,
 	}
 }

@@ -268,6 +279,42 @@ func UserTokenAddedEventMapper(event eventstore.Event) (eventstore.Event, error)
 	return tokenAdded, nil
 }

+type UserImpersonatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ApplicationID string             `json:"applicationId,omitempty"`
+	Actor         *domain.TokenActor `json:"actor,omitempty"`
+}
+
+func (e *UserImpersonatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *UserImpersonatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *UserImpersonatedEvent) SetBaseEvent(base *eventstore.BaseEvent) {
+	e.BaseEvent = *base
+}
+
+func NewUserImpersonatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	applicationID string,
+	actor *domain.TokenActor,
+) *UserTokenAddedEvent {
+	return &UserTokenAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserImpersonatedType,
+		),
+		ApplicationID: applicationID,
+		Actor:         actor,
+	}
+}
+
 type UserTokenRemovedEvent struct {
 	eventstore.BaseEvent `json:"-"`