@shendsaliaga

When trying to set up and configure tsidp OIDC in StackGres, I was hitting the following error:

{"type":"io.quarkus.oidc.OIDCException","title":null,"detail":"Opaque access token can not be converted to JsonWebToken","status":null,"fields":[]}

StackGres, which uses Quarkus, expects the Access Token to be a JWT but tsidp was issuing an opaque token (a random hex string).

Tested this out by locally building the image with these changes and adding extra claims that StackGres expected:

"extraClaims": {
  // StackGres requires this claim to map OIDC users to Kubernetes usernames
  "stackgres_k8s_username": "admin"
}

Warning: significantly LLM-influenced PR, and I am not an expert with OAuth and OIDC.

Possibly related:
#38
#44

shendsaliaga force-pushed the shend/respond-with-jwt branch from 27fe8d9 to 66d26ef on November 23, 2025 at 16:38
dkaser commented Nov 24, 2025

Strictly speaking, this is a problem with StackGres -- there's no reason to assume that the access token will be a JWT, and while it's allowable to use a JWT as an access token, the OAuth 2.0 spec actually says (Ref):

The string is usually opaque to the client.

As for the extra claims code that was also added -- there's already support for extra claims (see the example in the README). What makes this different?

Ovyerus commented Nov 24, 2025

Grafana also assumes that the token received from a Generic OAuth provider is a JWT as well, thus it doesn't work with tsidp. Despite the spec, it appears some people will just make assumptions and then have it stick. There's likely a ton more out there with the same problem.

dkaser commented Nov 24, 2025

The other issue here is that the logic is reusing the OIDC ID token as the OAuth access token, which shouldn't be done:

https://oauth.net/id-tokens-vs-access-tokens/

For this application, the correct action would seem to be creating a second, compliant JWT access token:

https://oauth.net/2/jwt-access-tokens/
https://datatracker.ietf.org/doc/html/rfc9068
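The "second, compliant JWT access token" suggested above, as an added Go example that is not tsidp's code and not part of this PR: the issuer mints an ID token (typ "JWT", aud = client) and a separate RFC 9068 access token (typ "at+jwt", aud = resource server) from the same login instead of handing the ID token out as the access token. It assumes the issuer already holds an RS256 signing key, and the issuer, client, resource and jti values are placeholders supplied by the caller.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"time"
)

var b64 = base64.RawURLEncoding

// signJWT produces an RS256 compact JWS. typ is "JWT" for an ID token and
// "at+jwt" for an RFC 9068 access token, so a verifier can tell them apart
// from the protected header alone.
func signJWT(key *rsa.PrivateKey, typ string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"typ": typ, "alg": "RS256"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input)) // RS256 signs SHA-256 of the encoded segments
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// IssueTokens mints the two distinct tokens a code exchange should return.
// The ID token is addressed to the client (aud = client_id) and describes the
// login; the access token is addressed to the resource server (aud = resource)
// and carries the claims RFC 9068 requires: iss, sub, aud, client_id, iat,
// exp, jti, plus scope. Neither token is reused as the other. (Example only;
// iss, clientID, resource and jti are caller-supplied placeholders.)
func IssueTokens(key *rsa.PrivateKey, iss, sub, clientID, resource, scope, jti string, now time.Time) (idToken, accessToken string, err error) {
	iat, exp := now.Unix(), now.Add(time.Hour).Unix()
	idToken, err = signJWT(key, "JWT", map[string]any{
		"iss": iss, "sub": sub, "aud": clientID, "iat": iat, "exp": exp,
	})
	if err != nil {
		return "", "", err
	}
	accessToken, err = signJWT(key, "at+jwt", map[string]any{
		"iss": iss, "sub": sub, "aud": resource, "client_id": clientID,
		"scope": scope, "jti": jti, "iat": iat, "exp": exp,
	})
	return idToken, accessToken, err
}
```

A resource server such as StackGres would then validate the access token by checking the typ/alg header, the signature against the issuer's published key, and that aud names itself; the ID token is never presented to it.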
