From 548d27d670f0236dc5258fa4cdde6e7b63464cfd Mon Sep 17 00:00:00 2001
From: Brent Shaffer
Date: Tue, 10 Oct 2017 10:01:45 -0700
Subject: [PATCH] adds support for additional claims in JWT tokens (#171)

---
 .../ScopedAccessTokenMiddleware.php | 2 +-
 src/OAuth2.php | 29 +++++++++++++++++++
 tests/OAuth2Test.php | 15 ++++++++++
 3 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/src/Middleware/ScopedAccessTokenMiddleware.php b/src/Middleware/ScopedAccessTokenMiddleware.php
index 6ae6046cf..55f04d1b4 100644
--- a/src/Middleware/ScopedAccessTokenMiddleware.php
+++ b/src/Middleware/ScopedAccessTokenMiddleware.php
@@ -113,7 +113,7 @@ public function __construct(
 * $client = new Client([
 * 'handler' => $stack,
 * 'base_url' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
- * 'auth' => 'google_auth' // authorize all requests
+ * 'auth' => 'scoped' // authorize all requests
 * ]);
 *
 * $res = $client->get('myproject/taskqueues/myqueue');
diff --git a/src/OAuth2.php b/src/OAuth2.php
index d53782396..3dbceebad 100644
--- a/src/OAuth2.php
+++ b/src/OAuth2.php
@@ -238,6 +238,12 @@ class OAuth2 implements FetchAuthTokenInterface
 */
 private $extensionParams;
 
+ /**
+ * When using the toJwt function, these claims will be added to the JWT
+ * payload.
+ */
+ private $additionalClaims;
+
 /**
 * Create a new OAuthCredentials.
 *
@@ -322,6 +328,7 @@ public function __construct(array $config)
 'signingKey' => null,
 'signingAlgorithm' => null,
 'scope' => null,
+ 'additionalClaims' => [],
 ], $config);
 
 $this->setAuthorizationUri($opts['authorizationUri']);
@@ -340,6 +347,7 @@ public function __construct(array $config)
 $this->setSigningAlgorithm($opts['signingAlgorithm']);
 $this->setScope($opts['scope']);
 $this->setExtensionParams($opts['extensionParams']);
+ $this->setAdditionalClaims($opts['additionalClaims']);
 $this->updateToken($opts);
 }
 
@@ -413,6 +421,7 @@ public function toJwt(array $config = [])
 if (!(is_null($this->getSub()))) {
 $assertion['sub'] = $this->getSub();
 }
+ $assertion += $this->getAdditionalClaims();
 
 return $this->jwtEncode($assertion, $this->getSigningKey(),
 $this->getSigningAlgorithm());
@@ -1212,6 +1221,26 @@ public function setRefreshToken($refreshToken)
 $this->refreshToken = $refreshToken;
 }
 
+ /**
+ * Sets additional claims to be included in the JWT token
+ *
+ * @param array $additionalClaims
+ */
+ public function setAdditionalClaims(array $additionalClaims)
+ {
+ $this->additionalClaims = $additionalClaims;
+ }
+
+ /**
+ * Gets the additional claims to be included in the JWT token.
+ *
+ * @return array
+ */
+ public function getAdditionalClaims()
+ {
+ return $this->additionalClaims;
+ }
+
 /**
 * The expiration of the last received token.
 *
diff --git a/tests/OAuth2Test.php b/tests/OAuth2Test.php
index 59492986b..0d372e988 100644
--- a/tests/OAuth2Test.php
+++ b/tests/OAuth2Test.php
@@ -454,6 +454,21 @@ public function testCanRS256EncodeAValidPayload()
 $this->assertEquals($roundTrip->scope, $testConfig['scope']);
 }
 
+ public function testCanHaveAdditionalClaims()
+ {
+ $publicKey = file_get_contents(__DIR__ . '/fixtures' . '/public.pem');
+ $privateKey = file_get_contents(__DIR__ . '/fixtures' . '/private.pem');
+ $testConfig = $this->signingMinimal;
+ $targetAud = '123@456.com';
+ $testConfig['additionalClaims'] = ['target_audience' => $targetAud];
+ $o = new OAuth2($testConfig);
+ $o->setSigningAlgorithm('RS256');
+ $o->setSigningKey($privateKey);
+ $payload = $o->toJwt();
+ $roundTrip = $this->jwtDecode($payload, $publicKey, array('RS256'));
+ $this->assertEquals($roundTrip->target_audience, $targetAud);
+ }
+
 private function jwtDecode()
 {
 $args = func_get_args();
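Review bot: The new `$assertion += $this->getAdditionalClaims();` line relies on array-union semantics, so any key already present in `$assertion` (such as the `sub` set just above it) wins over a caller-supplied claim of the same name; that is the safe direction, because it keeps `additionalClaims` from replacing the claims toJwt itself derives, but nothing in the code records that the precedence is deliberate, and a later rewrite to `array_merge` would silently invert it. Add a why-comment above the line, e.g. `// Array union: claims toJwt already set take precedence over additional claims.`, and state the same rule in the `setAdditionalClaims` docblock in the hunk at -1212 ("claims that collide with ones toJwt sets are ignored"). The body of `toJwt` starts outside this hunk, so I cannot confirm from here the full set of keys `$assertion` holds at this point.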
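Review bot: `testCanHaveAdditionalClaims` only asserts that a new claim appears in the decoded payload; it does not pin the collision behaviour of the `+=` in toJwt, which is the property that matters when the additional claims come from configuration. A second case that puts a key toJwt already sets (for example `sub`, via `$testConfig['additionalClaims'] = ['sub' => 'other']` alongside a configured sub) into `additionalClaims` and asserts the decoded value is the one toJwt produced would lock that in. Within the same hunk `array('RS256')` mixes long array syntax with the `['target_audience' => $targetAud]` short form a few lines earlier; `['RS256']` keeps the new method consistent with itself.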