Proposed changes in this pull request

OAuthConstants.java

• Introduced constants for delegation-related property keys: ACTOR_AZP, IS_DELEGATION_REQUEST, ACTOR_SUBJECT, EXISTING_ACT_CLAIM, and DELEGATING_ACTOR

OAuthAuthzReqMessageContext.java

• Added audiences field with getter and setter to support explicit audience specification in authorization requests

AbstractAuthorizationGrantHandler.java

• In updateMessageContextToCreateNewToken(), default audiences are only set when not already specified by the grant handler (prevents overwriting explicitly requested audiences)
• In getAccessTokenExtendedAttributes(), persists DELEGATING_ACTOR as an extended token attribute when the request is a delegation request — enables downstream propagation (e.g. refresh token flow, session-bound revocation)

OAuthTokenReqMessageContext.java

• Added isDelegationRequest boolean field with isDelegationRequest() getter and setDelegationRequest() setter to distinguish delegation flows from impersonation flows

AuthorizationCodeGrantHandler.java

• Extracts azp and act claims from the actor token during token exchange
• Sets delegation context properties (IS_DELEGATION_REQUEST, ACTOR_SUBJECT, ACTOR_AZP, EXISTING_ACT_CLAIM) on the token request context to drive act claim construction in the JWT issuer
• Existing act claim from the actor token is preserved for chained delegation nesting

JWTTokenIssuer.java

• Added explicit audience override in both buildJWTToken() overloads — when audiences are already set on the context, they take precedence over the OIDC default audience
• Added act claim construction for delegation requests:
  • Builds act claim with sub (actor subject) and optionally azp (actor authorized party)
  • Supports chained/nested delegation — when an existing act claim is present in the actor token, it is nested inside the new act claim
  • Regular self-delegation (no existing act claim) does not add any act claim
  • Impersonation continues to use may_act in the subject token — unaffected

AccessTokenIssuer.java

• Added diagnostic logging for delegation flows, recording delegating_actor in the audit log alongside the existing impersonation logging

RefreshGrantHandler.java

• Renamed propagateImpersonationInfo() to propagateActorInfo() to handle both impersonation and delegation flows
• On refresh token grant, reads DELEGATING_ACTOR from the stored extended attributes and propagates it back into the token request context so that refreshed tokens carry the correct act claim

TokenBindingExpiryEventHandler.java

• Added validateDelegatingActorInitiatedRevocation() — session-bound token revocation is now also triggered when the delegating actor terminates their session, mirroring the existing behaviour for impersonating actors

DelegatedAccessTokenClaimProvider.java (new)

• New JWTAccessTokenClaimProvider implementation for the delegation flow
• Returns an act claim containing the sub of the delegating actor when isDelegationRequest is true and DELEGATING_ACTOR is set

Sample delegated access token (chained delegation):

{
  "sub": "11111111-2222-3333-4444-555555555555",
  "aut": "APPLICATION_USER",
  "iss": "https://example.com/oauth2/token",
  "client_id": "client_ABC123XYZ",
  "aud": [
    "client_ABC123XYZ",
    "aud_service_READ_001",
    "aud_service_WRITE_002"
  ],
  "nbf": 1770000000,
  "act": {
    "sub": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "act": {
      "sub": "ffffffff-1111-2222-3333-444444444444",
      "azp": "client_ABC123XYZ"
    },
    "azp": "client_ABC123ABC"
  },
  "azp": "client_ABC123ABC",
  "org_id": "org_00112233",
  "scope": "booking:read",
  "exp": 1770003600,
  "org_name": "ExampleOrg",
  "iat": 1770000000,
  "jti": "jwtid_9f8e7d6c5b4a",
  "org_handle": "example.org"
}

Developer Checklist (Mandatory)

• Complete the Developer Checklist in the related product-is issue to track any behavioral change or migration impact.

Checklist (for reviewing)

General

• Is this PR explained thoroughly? All code changes must be accounted for in the PR description.
• Is the PR labeled correctly?

Functionality

• Are all requirements met? Compare implemented functionality with the requirements specification.
• Does the UI work as expected? There should be no Javascript errors in the console; all resources should load. There should be no unexpected errors. Deliberately try to break the feature to find out if there are corner cases that are not handled.

Code

• Do you fully understand the introduced changes to the code? If not ask for clarification, it might uncover ways to solve a problem in a more elegant and efficient way.
• Does the PR introduce any inefficient database requests? Use the debug server to check for duplicate requests.
• Are all necessary strings marked for translation? All strings that are exposed to users via the UI must be marked for translation.

Tests

• Are there sufficient test cases? Ensure that all components are tested individually; models, forms, and serializers should be tested in isolation even if a test for a view covers these components.
• If this is a bug fix, are tests for the issue in place? There must be a test case for the bug to ensure the issue won’t regress. Make sure that the tests break without the new code to fix the issue.
• If this is a new feature or a significant change to an existing feature? has the manual testing spreadsheet been updated with instructions for manual testing?

Security

• Confirm this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.
• Are all UI and API inputs run through forms or serializers?
• Are all external inputs validated and sanitized appropriately?
• Does all branching logic have a default case?
• Does this solution handle outliers and edge cases gracefully?
• Are all external communications secured and restricted to SSL?

Documentation

• Are changes to the UI documented in the platform docs? If this PR introduces new platform site functionality or changes existing ones, the changes should be documented.
• Are changes to the API documented in the API docs? If this PR introduces new API functionality or changes existing ones, the changes must be documented.
• Are reusable components documented? If this PR introduces components that are relevant to other developers (for instance a mixin for a view or a generic form) they should be documented in the Wiki.

Summary by CodeRabbit

• New Features
  • Actor-token delegation across OAuth flows: issued tokens include an act claim (supports nested/chained delegation) and azp metadata when available; delegating-actor info is recorded for revocation and diagnostic messages. Authorization requests can carry explicit audiences that are preserved into issued tokens.
• Tests
  • Added unit tests covering audience preservation, delegation act-claim scenarios, claim provider behavior, and delegation propagation.