From 4d63d68c9e145dd79269130474984e01e8ef6530 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Thu, 14 Mar 2024 08:57:44 +0200
Subject: [PATCH] feat(op): allow setting the actor to Token Requests (#569)

For impersonation token exchange we need to persist the actor throughout token requests, including refresh token. This PR adds the optional TokenActorRequest interface which allows to pass such actor.
---
 pkg/op/token.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/pkg/op/token.go b/pkg/op/token.go
index 19edcce..b45789b 100644
--- a/pkg/op/token.go
+++ b/pkg/op/token.go
@@ -121,6 +121,10 @@ func CreateBearerToken(tokenID, subject string, crypto Crypto) (string, error) {
 	return crypto.Encrypt(tokenID + ":" + subject)
 }
 
+type TokenActorRequest interface {
+	GetActor() *oidc.ActorClaims
+}
+
 func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, id string, client AccessTokenClient, storage Storage) (string, error) {
 	ctx, span := tracer.Start(ctx, "CreateJWT")
 	defer span.End()
@@ -150,6 +154,9 @@ func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, ex
 	}
 	claims.Claims = privateClaims
 	}
+	if actorReq, ok := tokenRequest.(TokenActorRequest); ok {
+		claims.Actor = actorReq.GetActor()
+	}
 	signingKey, err := storage.SigningKey(ctx)
 	if err != nil {
 		return "", err
@@ -181,6 +188,10 @@ func CreateIDToken(ctx context.Context, issuer string, request IDTokenRequest, v
 		nonce = authRequest.GetNonce()
 	}
 	claims := oidc.NewIDTokenClaims(issuer, request.GetSubject(), request.GetAudience(), exp, request.GetAuthTime(), nonce, acr, request.GetAMR(), request.GetClientID(), client.ClockSkew())
+	if actorReq, ok := request.(TokenActorRequest); ok {
+		claims.Actor = actorReq.GetActor()
+	}
+
 	scopes := client.RestrictAdditionalIdTokenScopes()(request.GetScopes())
 	signingKey, err := storage.SigningKey(ctx)
 	if err != nil {
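Review bot: The exported `TokenActorRequest` interface in the first hunk has no doc comment, so implementers get no guidance on what `GetActor` feeds into or whether returning nil is acceptable. Something like `// TokenActorRequest can be implemented by a TokenRequest to have its actor claims copied into the issued JWT access token and ID token; implement it on every request type that must carry an actor, including those created from refresh tokens.` would state the contract the two call sites rely on. The commit message says the actor must survive refresh-token requests, but nothing in this patch enforces that the Storage's refresh-based request types implement the interface, so a request that silently drops it would issue a token without the actor claim rather than fail, which is worth calling out in the comment.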
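Review bot: In the CreateJWT hunk the actor claims are copied verbatim from whatever the request reports, so the trust boundary for "is this actor allowed to act for this subject" sits entirely in the code that builds the TokenRequest, and nothing here records that. A short why-comment on the new `if`, such as `// Actor is taken as-is from the request; the token exchange handler is responsible for having authorized the delegation before the request reaches here.`, would stop a later reader from assuming CreateJWT validates it. It is also worth noting that only JWT access tokens get the claim; opaque tokens from CreateBearerToken carry nothing, so introspection of those presumably has to surface the actor from storage separately. CreateJWT's body starts and ends outside this hunk.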
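Review bot: The CreateIDToken hunk repeats the same type assertion and assignment as the CreateJWT hunk, and here it is followed by an extra blank line before `scopes :=` that the CreateJWT hunk does not have; dropping that blank line keeps the two call sites visually identical and makes the duplication easier to spot if it is later factored out. The claims types differ between the two functions, so a shared helper is only worth it if both claim structs expose the same setter, which this diff does not show. Since the ID token is consumed by the client, a reader may also want a comment noting that the actor is deliberately disclosed to the relying party here, if that is the intent. CreateIDToken's body starts and ends outside this hunk.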