feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2025-08-12 00:57:33 +00:00 · 2024-03-20 12:18:46 +02:00
parent b338171585
commit 6398349c24
104 changed files with 2149 additions and 248 deletions
--- a/internal/repository/user/human_refresh_token.go
+++ b/internal/repository/user/human_refresh_token.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"time"

+	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
@@ -18,16 +19,17 @@ const (
 type HumanRefreshTokenAddedEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	TokenID               string        `json:"tokenId"`
-	ClientID              string        `json:"clientId"`
-	UserAgentID           string        `json:"userAgentId"`
-	Audience              []string      `json:"audience"`
-	Scopes                []string      `json:"scopes"`
-	AuthMethodsReferences []string      `json:"authMethodReferences"`
-	AuthTime              time.Time     `json:"authTime"`
-	IdleExpiration        time.Duration `json:"idleExpiration"`
-	Expiration            time.Duration `json:"expiration"`
-	PreferredLanguage     string        `json:"preferredLanguage"`
+	TokenID               string             `json:"tokenId"`
+	ClientID              string             `json:"clientId"`
+	UserAgentID           string             `json:"userAgentId"`
+	Audience              []string           `json:"audience"`
+	Scopes                []string           `json:"scopes"`
+	AuthMethodsReferences []string           `json:"authMethodReferences"`
+	AuthTime              time.Time          `json:"authTime"`
+	IdleExpiration        time.Duration      `json:"idleExpiration"`
+	Expiration            time.Duration      `json:"expiration"`
+	PreferredLanguage     string             `json:"preferredLanguage"`
+	Actor                 *domain.TokenActor `json:"actor,omitempty"`
 }

 func (e *HumanRefreshTokenAddedEvent) Payload() interface{} {
@@ -55,6 +57,7 @@ func NewHumanRefreshTokenAddedEvent(
 	authTime time.Time,
 	idleExpiration,
 	expiration time.Duration,
+	actor *domain.TokenActor,
 ) *HumanRefreshTokenAddedEvent {
 	return &HumanRefreshTokenAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -72,6 +75,7 @@ func NewHumanRefreshTokenAddedEvent(
 		IdleExpiration:        idleExpiration,
 		Expiration:            expiration,
 		PreferredLanguage:     preferredLanguage,
+		Actor:                 actor,
 	}
 }