Private claims implementation

CHANGELOG.md

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
 - The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
 - An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
+- Ability to set custom claims on a JWT (PR #1122)
 
 ### Added
 - Add a `getRedirectUri` function to the `OAuthServerException` class (PR #1123)

src/AuthorizationServer.php

@@ -16,6 +16,7 @@
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\GrantTypeInterface;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClaimRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequestInterface;
@@ -69,6 +70,11 @@ class AuthorizationServer implements EmitterAwareInterface
  */
  private $scopeRepository;
 
+ /**
+ * @var null|ClaimRepositoryInterface
+ */
+ private $claimRepository;
+
  /**
  * @var string|Key
  */
@@ -88,18 +94,21 @@ class AuthorizationServer implements EmitterAwareInterface
  * @param CryptKeyInterface|string $privateKey
  * @param string|Key $encryptionKey
  * @param null|ResponseTypeInterface $responseType
+ * @param null|ClaimRepositoryInterface $claimRepository
  */
  public function __construct(
  ClientRepositoryInterface $clientRepository,
  AccessTokenRepositoryInterface $accessTokenRepository,
  ScopeRepositoryInterface $scopeRepository,
  $privateKey,
  $encryptionKey,
- ResponseTypeInterface $responseType = null
+ ResponseTypeInterface $responseType = null,
+ ClaimRepositoryInterface $claimRepository = null
  ) {
  $this->clientRepository = $clientRepository;
  $this->accessTokenRepository = $accessTokenRepository;
  $this->scopeRepository = $scopeRepository;
+ $this->claimRepository = $claimRepository;
 
  if ($privateKey instanceof CryptKeyInterface === false) {
  $privateKey = new CryptKey($privateKey);
@@ -132,6 +141,7 @@ public function enableGrantType(GrantTypeInterface $grantType, DateInterval $acc
  $grantType->setAccessTokenRepository($this->accessTokenRepository);
  $grantType->setClientRepository($this->clientRepository);
  $grantType->setScopeRepository($this->scopeRepository);
+ $grantType->setClaimRepository($this->claimRepository);
  $grantType->setDefaultScope($this->defaultScope);
  $grantType->setPrivateKey($this->privateKey);
  $grantType->setEmitter($this->getEmitter());

src/Entities/ClaimEntityInterface.php

@@ -0,0 +1,27 @@
+<?php
+/**
+ * @author Sebastian Kroczek <[email protected]>
+ * @copyright Copyright (c) Alex Bilbie
+ * @license http://mit-license.org/
+ *
+ * @link https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+interface ClaimEntityInterface
+{
+ /**
+ * Get the claim's name.
+ *
+ * @return string
+ */
+ public function getName();
+
+ /**
+ * Get the claim's value
+ *
+ * @return mixed
+ */
+ public function getValue();
+}

src/Entities/Traits/AccessTokenTrait.php

@@ -15,6 +15,7 @@
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use Lcobucci\JWT\Token;
 use League\OAuth2\Server\CryptKeyInterface;
+use League\OAuth2\Server\Entities\ClaimEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 
@@ -42,13 +43,20 @@ public function setPrivateKey(CryptKeyInterface $privateKey)
  */
  private function convertToJWT(CryptKeyInterface $privateKey)
  {
- return (new Builder())
-  ->permittedFor($this->getClient()->getIdentifier())
+ $builder = new Builder();
+ $builder->permittedFor($this->getClient()->getIdentifier())
  ->identifiedBy($this->getIdentifier())
  ->issuedAt(\time())
  ->canOnlyBeUsedAfter(\time())
  ->expiresAt($this->getExpiryDateTime()->getTimestamp())
- ->relatedTo((string) $this->getUserIdentifier())
+ ->relatedTo((string) $this->getUserIdentifier());
+
+ foreach ($this->getClaims() as $claim) {
+ $builder->withClaim($claim->getName(), $claim->getValue());
+ }
+
+ return $builder
+ // Set scope claim late to prevent it from being overridden.
  ->withClaim('scopes', $this->getScopes())
  ->getToken(new Sha256(), new Key($privateKey->getKeyPath(), $privateKey->getPassPhrase()));
  }
@@ -81,6 +89,11 @@ abstract public function getUserIdentifier();
  */
  abstract public function getScopes();
 
+ /**
+ * @return ClaimEntityInterface[]
+ */
+ abstract public function getClaims();
+
  /**
  * @return string
  */

src/Entities/Traits/ClaimEntityTrait.php

@@ -0,0 +1,43 @@
+<?php
+/**
+ * @author Sebastian Kroczek <[email protected]>
+ * @copyright Copyright (c) Alex Bilbie
+ * @license http://mit-license.org/
+ *
+ * @link https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+trait ClaimEntityTrait
+{
+ /**
+ * @var string
+ */
+ protected $name;
+
+ /**
+ * @var mixed
+ */
+ protected $value;
+
+ /**
+ * Returns the name of the claim
+ *
+ * @return string
+ */
+ public function getName()
+ {
+ return $this->name;
+ }
+
+ /**
+ * Returns the claims value
+ *
+ * @return mixed
+ */
+ public function getValue()
+ {
+ return $this->value;
+ }
+}

src/Entities/Traits/TokenEntityTrait.php

@@ -10,6 +10,7 @@
 namespace League\OAuth2\Server\Entities\Traits;
 
 use DateTimeImmutable;
+use League\OAuth2\Server\Entities\ClaimEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 
@@ -20,6 +21,11 @@ trait TokenEntityTrait
  */
  protected $scopes = [];
 
+ /**
+ * @var ClaimEntityInterface[]
+ */
+ protected $claims = [];
+
  /**
  * @var DateTimeImmutable
  */
@@ -55,6 +61,26 @@ public function getScopes()
  return \array_values($this->scopes);
  }
 
+ /**
+ * Associate a claim with the token.
+ *
+ * @param ClaimEntityInterface $claim
+ */
+ public function addClaim(ClaimEntityInterface $claim)
+ {
+ $this->claims[] = $claim;
+ }
+
+ /**
+ * Return an array of claims associated with the token.
+ *
+ * @return ClaimEntityInterface[]
+ */
+ public function getClaims()
+ {
+ return $this->claims;
+ }
+
  /**
  * Get the token's expiry date time.
  *

src/Grant/AbstractGrant.php

@@ -19,13 +19,15 @@
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
+use League\OAuth2\Server\Entities\ClaimEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClaimRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
@@ -62,6 +64,12 @@ abstract class AbstractGrant implements GrantTypeInterface
  */
  protected $scopeRepository;
 
+ /**
+ * @var null|ClaimRepositoryInterface
+ */
+ protected $claimRepository;
+
+
  /**
  * @var AuthCodeRepositoryInterface
  */
@@ -116,6 +124,14 @@ public function setScopeRepository(ScopeRepositoryInterface $scopeRepository)
  $this->scopeRepository = $scopeRepository;
  }
 
+ /**
+ * @param ClaimRepositoryInterface $claimRepository
+ */
+ public function setClaimRepository(?ClaimRepositoryInterface $claimRepository)
+ {
+ $this->claimRepository = $claimRepository;
+ }
+
  /**
  * @param RefreshTokenRepositoryInterface $refreshTokenRepository
  */
@@ -418,6 +434,7 @@ protected function getServerParameter($parameter, ServerRequestInterface $reques
  * @param ClientEntityInterface $client
  * @param string|null $userIdentifier
  * @param ScopeEntityInterface[] $scopes
+ * @param ClaimEntityInterface[] $claims
  *
  * @throws OAuthServerException
  * @throws UniqueTokenIdentifierConstraintViolationException
@@ -428,14 +445,21 @@ protected function issueAccessToken(
  DateInterval $accessTokenTTL,
  ClientEntityInterface $client,
  $userIdentifier,
- array $scopes = []
+ array $scopes = [],
+ array $claims = []
  ) {
  $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
 
  $accessToken = $this->accessTokenRepository->getNewToken($client, $scopes, $userIdentifier);
  $accessToken->setExpiryDateTime((new DateTimeImmutable())->add($accessTokenTTL));
  $accessToken->setPrivateKey($this->privateKey);
 
+ if (\method_exists($accessToken, 'addClaim')) {
+ foreach ($claims as $claim) {
+ $accessToken->addClaim($claim);
+ }
+ }
+
  while ($maxGenerationAttempts-- > 0) {
  $accessToken->setIdentifier($this->generateUniqueIdentifier());
  try {

src/Grant/AuthCodeGrant.php

@@ -161,8 +161,18 @@ public function respondToAccessTokenRequest(
  }
  }
 
+ $privateClaims = [];
+
+ if ($this->claimRepository !== null) {
+ $privateClaims = $this->claimRepository->getClaims(
+ $this->getIdentifier(),
+ $client,
+ $authCodePayload->user_id
+ );
+ }
+
  // Issue and persist new access token
- $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes);
+ $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes, $privateClaims);
  $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
  $responseType->setAccessToken($accessToken);
 

src/Grant/ClientCredentialsGrant.php

@@ -48,8 +48,14 @@ public function respondToAccessTokenRequest(
  // Finalize the requested scopes
  $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
 
+ $privateClaims = [];
+
+ if ($this->claimRepository !== null) {
+ $privateClaims = $this->claimRepository->getClaims($this->getIdentifier(), $client);
+ }
+
  // Issue and persist access token
- $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes);
+ $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes, $privateClaims);
 
  // Send event to emitter
  $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));

src/Grant/GrantTypeInterface.php

@@ -16,6 +16,7 @@
 use League\Event\EmitterAwareInterface;
 use League\OAuth2\Server\CryptKeyInterface;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClaimRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequestInterface;
@@ -121,6 +122,13 @@ public function setAccessTokenRepository(AccessTokenRepositoryInterface $accessT
  */
  public function setScopeRepository(ScopeRepositoryInterface $scopeRepository);
 
+ /**
+ * Set the claim repository.
+ *
+ * @param ClaimRepositoryInterface $claimRepository
+ */
+ public function setClaimRepository(?ClaimRepositoryInterface $claimRepository);
+
  /**
  * Set the default scope.
  *

src/Grant/ImplicitGrant.php

@@ -186,11 +186,22 @@ public function completeAuthorizationRequest(AuthorizationRequestInterface $auth
  $authorizationRequest->getUser()->getIdentifier()
  );
 
+ $privateClaims = [];
+
+ if ($this->claimRepository !== null) {
+ $privateClaims = $this->claimRepository->getClaims(
+ $this->getIdentifier(),
+ $authorizationRequest->getClient(),
+ $authorizationRequest->getUser()->getIdentifier()
+ );
+ }
+
  $accessToken = $this->issueAccessToken(
  $this->accessTokenTTL,
  $authorizationRequest->getClient(),
  $authorizationRequest->getUser()->getIdentifier(),
- $finalizedScopes
+ $finalizedScopes,
+ $privateClaims
  );
 
  $response = new RedirectResponse();