feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag

* allow setting reason and actor to access tokens

* impersonation

* set token types and scopes in response

* upgrade oidc to working draft state

* fix tests

* audience and scope validation

* id toke and jwt as input

* return id tokens

* add grant type  token exchange to app config

* add integration tests

* check and deny actors in api calls

* fix instance setting tests by triggering projection on write and cleanup

* insert sleep statements again

* solve linting issues

* add translations

* pin oidc v3.15.0

* resolve comments, add event translation

* fix refreshtoken test

* use ValidateAuthReqScopes from oidc

* apparently the linter can't make up its mind

* persist actor thru refresh tokens and check in tests

* remove unneeded triggers

internal/repository/oidcsession/oidc_session.go

@@ -71,9 +71,11 @@ func NewAddedEvent(ctx context.Context,
 type AccessTokenAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	ID       string        `json:"id"`
-	Scope    []string      `json:"scope"`
-	Lifetime time.Duration `json:"lifetime"`
+	ID       string             `json:"id,omitempty"`
+	Scope    []string           `json:"scope,omitempty"`
+	Lifetime time.Duration      `json:"lifetime,omitempty"`
+	Reason   domain.TokenReason `json:"reason,omitempty"`
+	Actor    *domain.TokenActor `json:"actor,omitempty"`
 }
 
 func (e *AccessTokenAddedEvent) Payload() interface{} {
@@ -94,6 +96,8 @@ func NewAccessTokenAddedEvent(
 	id string,
 	scope []string,
 	lifetime time.Duration,
+	reason domain.TokenReason,
+	actor *domain.TokenActor,
 ) *AccessTokenAddedEvent {
 	return &AccessTokenAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -104,6 +108,8 @@ func NewAccessTokenAddedEvent(
 		ID:       id,
 		Scope:    scope,
 		Lifetime: lifetime,
+		Reason:   reason,
+		Actor:    actor,
 	}
 }