From 56397f88d5b8abcda55ead200af66093e428786e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= <tim+github@zitadel.com>
Date: Mon, 18 Mar 2024 12:36:16 +0200
Subject: [PATCH 1/2] feat(oidc): add actor claim to introspection response
 (#570)

With impersonation we assign an actor claim to our JWT/ID Tokens. This change adds the actor claim to the introspection response to follow suit.

This PR also adds the `auth_time` and `amr` claims for consistency.
---
 example/client/app/app.go |  4 ++++
 pkg/oidc/introspection.go | 27 +++++++++++++++------------
 2 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/example/client/app/app.go b/example/client/app/app.go
index 9b43b8d..99aba3d 100644
--- a/example/client/app/app.go
+++ b/example/client/app/app.go
@@ -99,6 +99,10 @@ func main() {
 
 	// for demonstration purposes the returned userinfo response is written as JSON object onto response
 	marshalUserinfo := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[*oidc.IDTokenClaims], state string, rp rp.RelyingParty, info *oidc.UserInfo) {
+		fmt.Println("access token", tokens.AccessToken)
+		fmt.Println("refresh token", tokens.RefreshToken)
+		fmt.Println("id token", tokens.IDToken)
+
 		data, err := json.Marshal(info)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
diff --git a/pkg/oidc/introspection.go b/pkg/oidc/introspection.go
index 8313dc4..1a200eb 100644
--- a/pkg/oidc/introspection.go
+++ b/pkg/oidc/introspection.go
@@ -16,18 +16,21 @@ type ClientAssertionParams struct {
 // https://www.rfc-editor.org/rfc/rfc7662.html#section-2.2.
 // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims.
 type IntrospectionResponse struct {
-	Active     bool                `json:"active"`
-	Scope      SpaceDelimitedArray `json:"scope,omitempty"`
-	ClientID   string              `json:"client_id,omitempty"`
-	TokenType  string              `json:"token_type,omitempty"`
-	Expiration Time                `json:"exp,omitempty"`
-	IssuedAt   Time                `json:"iat,omitempty"`
-	NotBefore  Time                `json:"nbf,omitempty"`
-	Subject    string              `json:"sub,omitempty"`
-	Audience   Audience            `json:"aud,omitempty"`
-	Issuer     string              `json:"iss,omitempty"`
-	JWTID      string              `json:"jti,omitempty"`
-	Username   string              `json:"username,omitempty"`
+	Active                          bool                `json:"active"`
+	Scope                           SpaceDelimitedArray `json:"scope,omitempty"`
+	ClientID                        string              `json:"client_id,omitempty"`
+	TokenType                       string              `json:"token_type,omitempty"`
+	Expiration                      Time                `json:"exp,omitempty"`
+	IssuedAt                        Time                `json:"iat,omitempty"`
+	AuthTime                        Time                `json:"auth_time,omitempty"`
+	NotBefore                       Time                `json:"nbf,omitempty"`
+	Subject                         string              `json:"sub,omitempty"`
+	Audience                        Audience            `json:"aud,omitempty"`
+	AuthenticationMethodsReferences []string            `json:"amr,omitempty"`
+	Issuer                          string              `json:"iss,omitempty"`
+	JWTID                           string              `json:"jti,omitempty"`
+	Username                        string              `json:"username,omitempty"`
+	Actor                           *ActorClaims        `json:"act,omitempty"`
 	UserInfoProfile
 	UserInfoEmail
 	UserInfoPhone

From 910f55ea7bae83ec053de8218eeed6f65da46212 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 26 Mar 2024 07:15:38 +0100
Subject: [PATCH 2/2] chore(deps): bump actions/add-to-project from 0.6.0 to
 0.6.1 (#572)

Bumps [actions/add-to-project](https://github.com/actions/add-to-project) from 0.6.0 to 0.6.1.
- [Release notes](https://github.com/actions/add-to-project/releases)
- [Commits](https://github.com/actions/add-to-project/compare/v0.6.0...v0.6.1)

---
updated-dependencies:
- dependency-name: actions/add-to-project
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/issue.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/issue.yml b/.github/workflows/issue.yml
index a2b56eb..1138d78 100644
--- a/.github/workflows/issue.yml
+++ b/.github/workflows/issue.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: add issue
-        uses: actions/add-to-project@v0.6.0
+        uses: actions/add-to-project@v0.6.1
         if: ${{ github.event_name == 'issues' }}
         with:
           # You can target a repository in a different organization
@@ -28,7 +28,7 @@ jobs:
          username: ${{ github.actor }}
          GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }}
       - name: add pr
-        uses: actions/add-to-project@v0.6.0
+        uses: actions/add-to-project@v0.6.1
         if: ${{ github.event_name == 'pull_request_target' && github.actor != 'dependabot[bot]' && !contains(steps.checkUserMember.outputs.teams, 'engineers')}}
         with:
           # You can target a repository in a different organization