feat(op): allow setting the actor to Token Requests

For impersonation token exchange we need to persist the actor throughout token requests, including refresh token.
This PR adds the optional TokenActorRequest interface, which allows passing such an actor.
This commit is contained in:
Tim Möhlmann 2024-03-14 08:49:18 +02:00
parent ad79802968
commit f0def0feab


@ -118,6 +118,10 @@ func CreateBearerToken(tokenID, subject string, crypto Crypto) (string, error) {
return crypto.Encrypt(tokenID + ":" + subject) return crypto.Encrypt(tokenID + ":" + subject)
} }
type TokenActorRequest interface {
GetActor() *oidc.ActorClaims
}
func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, id string, client AccessTokenClient, storage Storage) (string, error) { func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, id string, client AccessTokenClient, storage Storage) (string, error) {
ctx, span := tracer.Start(ctx, "CreateJWT") ctx, span := tracer.Start(ctx, "CreateJWT")
defer span.End() defer span.End()
@ -147,6 +151,9 @@ func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, ex
} }
claims.Claims = privateClaims claims.Claims = privateClaims
} }
if actorReq, ok := tokenRequest.(TokenActorRequest); ok {
claims.Actor = actorReq.GetActor()
}
signingKey, err := storage.SigningKey(ctx) signingKey, err := storage.SigningKey(ctx)
if err != nil { if err != nil {
return "", err return "", err
@ -178,6 +185,10 @@ func CreateIDToken(ctx context.Context, issuer string, request IDTokenRequest, v
nonce = authRequest.GetNonce() nonce = authRequest.GetNonce()
} }
claims := oidc.NewIDTokenClaims(issuer, request.GetSubject(), request.GetAudience(), exp, request.GetAuthTime(), nonce, acr, request.GetAMR(), request.GetClientID(), client.ClockSkew()) claims := oidc.NewIDTokenClaims(issuer, request.GetSubject(), request.GetAudience(), exp, request.GetAuthTime(), nonce, acr, request.GetAMR(), request.GetClientID(), client.ClockSkew())
if actorReq, ok := request.(TokenActorRequest); ok {
claims.Actor = actorReq.GetActor()
}
scopes := client.RestrictAdditionalIdTokenScopes()(request.GetScopes()) scopes := client.RestrictAdditionalIdTokenScopes()(request.GetScopes())
signingKey, err := storage.SigningKey(ctx) signingKey, err := storage.SigningKey(ctx)
if err != nil { if err != nil {
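Review bot: The new exported interface TokenActorRequest in the first hunk has no doc comment, and both call sites (the `claims.Actor = actorReq.GetActor()` lines in CreateJWT and in CreateIDToken) copy the returned value into the token claims without any check, so the contract that the storage-provided actor is already authorized for this request is left implicit. Suggest documenting it on the interface: `// TokenActorRequest is implemented by token requests that carry an actor (delegation) claim.` followed by `// CreateJWT and CreateIDToken copy the returned value into the token's actor claim unchanged, so implementations must only return an actor that has already been authorized for the request.` A nil return assigns nil to claims.Actor; whether that is omitted from the serialized token depends on the claims struct tag, which is not visible here, so confirm it or guard the assignment with a nil check. The bodies of CreateJWT and CreateIDToken continue outside these hunks.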