feat(oidc): token exchange impersonation (#7516)

* add token exchange feature flag

* allow setting reason and actor to access tokens

* impersonation

* set token types and scopes in response

* upgrade oidc to working draft state

* fix tests

* audience and scope validation

* id toke and jwt as input

* return id tokens

* add grant type  token exchange to app config

* add integration tests

* check and deny actors in api calls

* fix instance setting tests by triggering projection on write and cleanup

* insert sleep statements again

* solve linting issues

* add translations

* pin oidc v3.15.0

* resolve comments, add event translation

* fix refreshtoken test

* use ValidateAuthReqScopes from oidc

* apparently the linter can't make up its mind

* persist actor thru refresh tokens and check in tests

* remove unneeded triggers

internal/user/repository/view/model/refresh_token.go

@@ -39,6 +39,7 @@ type RefreshTokenView struct {
 	Expiration            time.Time                  `json:"-" gorm:"column:expiration"`
 	Sequence              uint64                     `json:"-" gorm:"column:sequence"`
 	InstanceID            string                     `json:"instanceID" gorm:"column:instance_id;primary_key"`
+	Actor                 TokenActor                 `json:"actor" gorm:"column:actor"`
 }
 
 func RefreshTokenViewsToModel(tokens []*RefreshTokenView) []*usr_model.RefreshTokenView {
@@ -66,6 +67,7 @@ func RefreshTokenViewToModel(token *RefreshTokenView) *usr_model.RefreshTokenVie
 		IdleExpiration:        token.IdleExpiration,
 		Expiration:            token.Expiration,
 		Sequence:              token.Sequence,
+		Actor:                 token.Actor.TokenActor,
 	}
 }
 
@@ -135,6 +137,7 @@ func (t *RefreshTokenView) appendAddedEvent(event eventstore.Event) error {
 	t.Scopes = e.Scopes
 	t.Token = e.TokenID
 	t.UserAgentID = e.UserAgentID
+	t.Actor = TokenActor{e.Actor}
 	return nil
 }