support delegation/impersonation token exchange requests

[havetisyan]

Description

one of the last changes for #3100

Contribution Checklist:

• The pull request does not introduce any breaking changes
• I have read the contribution guidelines.
• Create an issue and link to the pull request.

Attach Screenshots (Optional)

[gemini-code-assist]

Summary of Changes

Hello @havetisyan, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request integrates OAuth 2.0 Token Exchange capabilities, allowing principals to request tokens on behalf of other principals (impersonation) or to delegate their authority (delegation). The changes span client-side request building, core token object enhancements for new claims, and extensive server-side logic to process, validate, and authorize these complex token exchange scenarios, ensuring secure and flexible access management.

Highlights

• OAuth 2.0 Token Exchange Support: Introduced comprehensive support for OAuth 2.0 Token Exchange, enabling both delegation and impersonation workflows within the system.
• Actor and May Act Claims: Enhanced AccessToken and OAuth2Token classes to properly handle and validate act (actor) and may_act (may act on behalf of) claims, which are central to delegation and impersonation.
• Multiple OAuth2 Issuers: Modified the token configuration to support a set of valid OAuth2 issuers, providing greater flexibility and compatibility.
• Client-Side Actor Specification: Updated the OAuthTokenRequestBuilder and the zts-accesstoken.go utility to allow clients to specify an actor in token exchange requests.
• Server-Side Logic for Delegation/Impersonation: Implemented distinct server-side processing for impersonation (subject token only) and delegation (subject token with actor token) requests, including robust validation and authorization checks.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces significant new functionality by adding support for delegation and impersonation token exchange requests, aligning with RFC 8693. The changes are well-implemented across OAuthToken, AccessToken, and ZTSImpl. The refactoring to support multiple issuers using a predicate is a clean approach. The core logic for handling impersonation and delegation, including the construction of the act claim, appears correct and robust. The accompanying tests are thorough, covering both success and failure scenarios for the new features. I have a couple of minor suggestions to enhance code clarity and maintainability.