feat(oidc): add actor claim to introspection response (#570)

With impersonation we assign an actor claim to our JWT/ID Tokens. This change adds the actor claim to the introspection response to follow suit. This PR also adds the `auth_time` and `amr` claims for consistency.
2024-03-18 12:36:16 +02:00 · 2024-03-18 12:36:16 +02:00 · 56397f88d5
commit 56397f88d5
parent 4d63d68c9e
2 changed files with 19 additions and 12 deletions
--- a/pkg/oidc/introspection.go
+++ b/pkg/oidc/introspection.go
@ -16,18 +16,21 @@ type ClientAssertionParams struct {
 // https://www.rfc-editor.org/rfc/rfc7662.html#section-2.2.
 // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims.
 type IntrospectionResponse struct {
-	Active     bool                `json:"active"`
-	Scope      SpaceDelimitedArray `json:"scope,omitempty"`
-	ClientID   string              `json:"client_id,omitempty"`
-	TokenType  string              `json:"token_type,omitempty"`
-	Expiration Time                `json:"exp,omitempty"`
-	IssuedAt   Time                `json:"iat,omitempty"`
-	NotBefore  Time                `json:"nbf,omitempty"`
-	Subject    string              `json:"sub,omitempty"`
-	Audience   Audience            `json:"aud,omitempty"`
-	Issuer     string              `json:"iss,omitempty"`
-	JWTID      string              `json:"jti,omitempty"`
-	Username   string              `json:"username,omitempty"`
+	Active                          bool                `json:"active"`
+	Scope                           SpaceDelimitedArray `json:"scope,omitempty"`
+	ClientID                        string              `json:"client_id,omitempty"`
+	TokenType                       string              `json:"token_type,omitempty"`
+	Expiration                      Time                `json:"exp,omitempty"`
+	IssuedAt                        Time                `json:"iat,omitempty"`
+	AuthTime                        Time                `json:"auth_time,omitempty"`
+	NotBefore                       Time                `json:"nbf,omitempty"`
+	Subject                         string              `json:"sub,omitempty"`
+	Audience                        Audience            `json:"aud,omitempty"`
+	AuthenticationMethodsReferences []string            `json:"amr,omitempty"`
+	Issuer                          string              `json:"iss,omitempty"`
+	JWTID                           string              `json:"jti,omitempty"`
+	Username                        string              `json:"username,omitempty"`
+	Actor                           *ActorClaims        `json:"act,omitempty"`
 	UserInfoProfile
 	UserInfoEmail
 	UserInfoPhone