Add pre-issue token action support #2118
Open
Description
Current limitation
Thunder currently issues different tokens without any extension point to inject custom logic before issuance. There is no mechanism to call an external service, validate or modify the token claims or scopes, or block token issuance based on custom business logic.
Suggested improvement
Add support for a pre-issue token action that invokes a configured external service before a token is issued during the OAuth2 flow. The action should:
- Trigger during token issuance across supported grant types (authorization code, client credentials, refresh token)
- Send a structured request to the external service with the token context (grant type, client, user, token claims, scopes, allowed operations)
- Handle the standard response states:
  - SUCCESS — apply JSON Patch operations (add/replace/remove) to token claims, scopes, audience, and expiry
  - FAILED — block token issuance and return an OAuth2-compliant error to the client
  - ERROR — treat as a server-side failure and return a 500 to the caller
- Support configuring the external endpoint with authentication (basic auth or bearer token)
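An added example, not Thunder's code or API: one way a token endpoint could apply the external service's reply, failing closed on ERROR or an unknown status and rejecting any patch operation outside a per-path allowlist, so the service cannot rewrite fields such as `sub`. The type and field names, the error values and the allowlist format are assumptions; only top-level paths are handled.

```go
package main

import (
	"errors"
	"fmt"
)

// PatchOp and ActionResponse are hypothetical shapes; the issue names no fields.
type PatchOp struct {
	Op, Path string
	Value    any
}
type ActionResponse struct {
	Status     string // SUCCESS, FAILED or ERROR
	Operations []PatchOp
}
var ErrDenied = errors.New("access_denied") // FAILED: OAuth2 error for the client
var ErrServer = errors.New("server_error")  // ERROR or unusable reply: HTTP 500

// ApplyPreIssue patches a copy of token; allowed maps a top-level path such as "/scope" to its permitted ops (assumed policy format).
func ApplyPreIssue(token map[string]any, r ActionResponse, allowed map[string]map[string]bool) (map[string]any, error) {
	if r.Status == "FAILED" {
		return nil, ErrDenied
	} else if r.Status != "SUCCESS" { // ERROR or unknown status: fail closed
		return nil, ErrServer
	}
	out := make(map[string]any, len(token))
	for k, v := range token {
		out[k] = v
	}
	for _, op := range r.Operations {
		if len(op.Path) < 2 || !allowed[op.Path][op.Op] {
			return nil, fmt.Errorf("%w: %s %q not permitted", ErrServer, op.Op, op.Path)
		}
		_, exists := out[op.Path[1:]]
		switch {
		case op.Op == "add", op.Op == "replace" && exists:
			out[op.Path[1:]] = op.Value
		case op.Op == "remove" && exists:
			delete(out, op.Path[1:])
		default: // RFC 6902: replace and remove need an existing target
			return nil, fmt.Errorf("%w: %s %q has no target", ErrServer, op.Op, op.Path)
		}
	}
	return out, nil
}

func main() { // constructed reply and policy
	fmt.Println(ApplyPreIssue(map[string]any{"scope": "read write"}, ActionResponse{"SUCCESS", []PatchOp{{"replace", "/scope", "read"}}}, map[string]map[string]bool{"/scope": {"replace": true}}))
}
```

Because the patch is applied to a copy, a reply that is rejected part-way leaves the original token fields untouched.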