adds support for additional claims in JWT tokens (#171)

googleapis · Oct 10, 2017 · 548d27d · 548d27d
1 parent 1d66066
commit 548d27d
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 1 deletion.
diff --git a/src/Middleware/ScopedAccessTokenMiddleware.php b/src/Middleware/ScopedAccessTokenMiddleware.php
@@ -113,7 +113,7 @@ public function __construct(
      *   $client = new Client([
      *       'handler' => $stack,
      *       'base_url' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
-     *       'auth' => 'google_auth' // authorize all requests
+     *       'auth' => 'scoped' // authorize all requests
      *   ]);
      *
      *   $res = $client->get('myproject/taskqueues/myqueue');

diff --git a/src/OAuth2.php b/src/OAuth2.php
@@ -238,6 +238,12 @@ class OAuth2 implements FetchAuthTokenInterface
      */
     private $extensionParams;
 
+    /**
+     * When using the toJwt function, these claims will be added to the JWT
+     * payload.
+     */
+    private $additionalClaims;
+
     /**
      * Create a new OAuthCredentials.
      *
@@ -322,6 +328,7 @@ public function __construct(array $config)
             'signingKey' => null,
             'signingAlgorithm' => null,
             'scope' => null,
+            'additionalClaims' => [],
         ], $config);
 
         $this->setAuthorizationUri($opts['authorizationUri']);
@@ -340,6 +347,7 @@ public function __construct(array $config)
         $this->setSigningAlgorithm($opts['signingAlgorithm']);
         $this->setScope($opts['scope']);
         $this->setExtensionParams($opts['extensionParams']);
+        $this->setAdditionalClaims($opts['additionalClaims']);
         $this->updateToken($opts);
     }
 
@@ -413,6 +421,7 @@ public function toJwt(array $config = [])
         if (!(is_null($this->getSub()))) {
             $assertion['sub'] = $this->getSub();
         }
+        $assertion += $this->getAdditionalClaims();
 
         return $this->jwtEncode($assertion, $this->getSigningKey(),
             $this->getSigningAlgorithm());
@@ -1212,6 +1221,26 @@ public function setRefreshToken($refreshToken)
         $this->refreshToken = $refreshToken;
     }
 
+    /**
+     * Sets additional claims to be included in the JWT token
+     *
+     * @param array $additionalClaims
+     */
+    public function setAdditionalClaims(array $additionalClaims)
+    {
+        $this->additionalClaims = $additionalClaims;
+    }
+
+    /**
+     * Gets the additional claims to be included in the JWT token.
+     *
+     * @return array
+     */
+    public function getAdditionalClaims()
+    {
+        return $this->additionalClaims;
+    }
+
     /**
      * The expiration of the last received token.
      *

diff --git a/tests/OAuth2Test.php b/tests/OAuth2Test.php
@@ -454,6 +454,21 @@ public function testCanRS256EncodeAValidPayload()
         $this->assertEquals($roundTrip->scope, $testConfig['scope']);
     }
 
+    public function testCanHaveAdditionalClaims()
+    {
+        $publicKey = file_get_contents(__DIR__ . '/fixtures' . '/public.pem');
+        $privateKey = file_get_contents(__DIR__ . '/fixtures' . '/private.pem');
+        $testConfig = $this->signingMinimal;
+        $targetAud = '[email protected]';
+        $testConfig['additionalClaims'] = ['target_audience' => $targetAud];
+        $o = new OAuth2($testConfig);
+        $o->setSigningAlgorithm('RS256');
+        $o->setSigningKey($privateKey);
+        $payload = $o->toJwt();
+        $roundTrip = $this->jwtDecode($payload, $publicKey, array('RS256'));
+        $this->assertEquals($roundTrip->target_audience, $targetAud);
+    }
+
     private function jwtDecode()
     {
         $args = func_get_args();