feat(op): allow setting the actor to Token Requests
For impersonation token exchange we need to persist the actor throughout token requests, including refresh tokens. This PR adds the optional TokenActorRequest interface, which allows such an actor to be passed.
parent
ad79802968
commit
f0def0feab
1 changed files with 11 additions and 0 deletions
|
@ -118,6 +118,10 @@ func CreateBearerToken(tokenID, subject string, crypto Crypto) (string, error) {
|
|||
return crypto.Encrypt(tokenID + ":" + subject)
|
||||
}
|
||||
|
||||
type TokenActorRequest interface {
|
||||
GetActor() *oidc.ActorClaims
|
||||
}
|
||||
|
||||
func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, id string, client AccessTokenClient, storage Storage) (string, error) {
|
||||
ctx, span := tracer.Start(ctx, "CreateJWT")
|
||||
defer span.End()
|
||||
|
@ -147,6 +151,9 @@ func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, ex
|
|||
}
|
||||
claims.Claims = privateClaims
|
||||
}
|
||||
if actorReq, ok := tokenRequest.(TokenActorRequest); ok {
|
||||
claims.Actor = actorReq.GetActor()
|
||||
}
|
||||
signingKey, err := storage.SigningKey(ctx)
|
||||
if err != nil {
|
||||
return "", err
|
||||
|
@ -178,6 +185,10 @@ func CreateIDToken(ctx context.Context, issuer string, request IDTokenRequest, v
|
|||
nonce = authRequest.GetNonce()
|
||||
}
|
||||
claims := oidc.NewIDTokenClaims(issuer, request.GetSubject(), request.GetAudience(), exp, request.GetAuthTime(), nonce, acr, request.GetAMR(), request.GetClientID(), client.ClockSkew())
|
||||
if actorReq, ok := request.(TokenActorRequest); ok {
|
||||
claims.Actor = actorReq.GetActor()
|
||||
}
|
||||
|
||||
scopes := client.RestrictAdditionalIdTokenScopes()(request.GetScopes())
|
||||
signingKey, err := storage.SigningKey(ctx)
|
||||
if err != nil {
|
||||
|
|
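Review bot: The exported interface `TokenActorRequest` introduced in the first hunk has no doc comment, and the contract it implies matters because the new `claims.Actor = actorReq.GetActor()` lines in CreateJWT and CreateIDToken embed the returned value into signed tokens without further checks. A comment along the lines of `// TokenActorRequest is optionally implemented by token requests (including refresh token requests) that carry a delegated actor; the returned claims are embedded as-is into access and ID tokens, so the actor must already have been validated when the request was built.` would make that explicit for implementers. It may also be worth noting in the comment that a nil return simply leaves the Actor claim unset, which appears to be the intended behaviour given the unconditional assignment. The same three-line type assertion is now duplicated in both functions, which is fine for two call sites but would be easier to keep consistent behind a small unexported helper if a third appears. CreateJWT and CreateIDToken both start and end outside the shown hunks.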