feat(oidc): client id claims (#3150)

Adds the authorized party (azp) and client_id registered claims to ID Tokens.
This commit is contained in:
James Elliott 2022-04-09 16:55:24 +10:00 committed by GitHub
parent 148ec1e2e0
commit e7112bfbd6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 15 additions and 4 deletions

View File

@ -552,7 +552,9 @@ individual user as per the [Subject Identifier Types] specification. Please use
| iat | number | _N/A_ | The time when the token was issued | | iat | number | _N/A_ | The time when the token was issued |
| jti | string(uuid) | _N/A_ | A JWT Identifier in the form of a [RFC4122] UUID V4 | | jti | string(uuid) | _N/A_ | A JWT Identifier in the form of a [RFC4122] UUID V4 |
| amr | array[string] | _N/A_ | An [RFC8176] list of authentication method reference values | | amr | array[string] | _N/A_ | An [RFC8176] list of authentication method reference values |
| azp | string | id (client) | The authorized party |
| client_id | string | id (client) | The client id |
### groups ### groups
This scope includes the groups the authentication backend reports the user is a member of in the token. This scope includes the groups the authentication backend reports the user is a member of in the token.

View File

@ -32,6 +32,8 @@ func NewOpenIDConnectWellKnownConfiguration(enablePKCEPlainChallenge, pairwise b
ClaimsSupported: []string{ ClaimsSupported: []string{
"amr", "amr",
"aud", "aud",
"azp",
"client_id",
"exp", "exp",
"iat", "iat",
"iss", "iss",

View File

@ -170,9 +170,11 @@ func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GetOpenIDConnectWellKnow
assert.Contains(t, disco.RequestObjectSigningAlgValuesSupported, "RS256") assert.Contains(t, disco.RequestObjectSigningAlgValuesSupported, "RS256")
assert.Contains(t, disco.RequestObjectSigningAlgValuesSupported, "none") assert.Contains(t, disco.RequestObjectSigningAlgValuesSupported, "none")
assert.Len(t, disco.ClaimsSupported, 16) assert.Len(t, disco.ClaimsSupported, 18)
assert.Contains(t, disco.ClaimsSupported, "amr") assert.Contains(t, disco.ClaimsSupported, "amr")
assert.Contains(t, disco.ClaimsSupported, "aud") assert.Contains(t, disco.ClaimsSupported, "aud")
assert.Contains(t, disco.ClaimsSupported, "azp")
assert.Contains(t, disco.ClaimsSupported, "client_id")
assert.Contains(t, disco.ClaimsSupported, "exp") assert.Contains(t, disco.ClaimsSupported, "exp")
assert.Contains(t, disco.ClaimsSupported, "iat") assert.Contains(t, disco.ClaimsSupported, "iat")
assert.Contains(t, disco.ClaimsSupported, "iss") assert.Contains(t, disco.ClaimsSupported, "iss")
@ -245,9 +247,11 @@ func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GetOAuth2WellKnownConfig
assert.Contains(t, disco.ResponseTypesSupported, "code token id_token") assert.Contains(t, disco.ResponseTypesSupported, "code token id_token")
assert.Contains(t, disco.ResponseTypesSupported, "none") assert.Contains(t, disco.ResponseTypesSupported, "none")
assert.Len(t, disco.ClaimsSupported, 16) assert.Len(t, disco.ClaimsSupported, 18)
assert.Contains(t, disco.ClaimsSupported, "aud")
assert.Contains(t, disco.ClaimsSupported, "amr") assert.Contains(t, disco.ClaimsSupported, "amr")
assert.Contains(t, disco.ClaimsSupported, "aud")
assert.Contains(t, disco.ClaimsSupported, "azp")
assert.Contains(t, disco.ClaimsSupported, "client_id")
assert.Contains(t, disco.ClaimsSupported, "exp") assert.Contains(t, disco.ClaimsSupported, "exp")
assert.Contains(t, disco.ClaimsSupported, "iat") assert.Contains(t, disco.ClaimsSupported, "iat")
assert.Contains(t, disco.ClaimsSupported, "iss") assert.Contains(t, disco.ClaimsSupported, "iss")

View File

@ -70,6 +70,9 @@ func NewSessionWithAuthorizeRequest(issuer, kid, username string, amr []string,
session.Claims.Audience = append(session.Claims.Audience, requester.GetClient().GetID()) session.Claims.Audience = append(session.Claims.Audience, requester.GetClient().GetID())
} }
session.Claims.Add("azp", session.ClientID)
session.Claims.Add("client_id", session.ClientID)
return session return session
} }