From de9ee8962a31865672d5ae6d4af3a7bf45cecd1d Mon Sep 17 00:00:00 2001
From: Gao Sun
Date: Wed, 3 Jul 2024 14:40:42 +0800
Subject: [PATCH] fix(core): issue `organization_id` claim for client credentials (#6170)
---
 packages/core/src/oidc/extra-token-claims.ts | 4 +++-
 .../src/tests/api/oidc/client-credentials-grant.test.ts | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/packages/core/src/oidc/extra-token-claims.ts b/packages/core/src/oidc/extra-token-claims.ts
index 01c41b0a646..5ff95e73dd9 100644
--- a/packages/core/src/oidc/extra-token-claims.ts
+++ b/packages/core/src/oidc/extra-token-claims.ts
@@ -34,7 +34,9 @@ export const getExtraTokenClaimsForOrganizationApiResource = async (
     return;
   }
 
-  const isAccessToken = token instanceof ctx.oidc.provider.AccessToken;
+  const isAccessToken =
+    token instanceof ctx.oidc.provider.AccessToken ||
+    token instanceof ctx.oidc.provider.ClientCredentials;
 
   // Only handle access tokens
   if (!isAccessToken) {
diff --git a/packages/integration-tests/src/tests/api/oidc/client-credentials-grant.test.ts b/packages/integration-tests/src/tests/api/oidc/client-credentials-grant.test.ts
index 530862136f7..6cda291ca49 100644
--- a/packages/integration-tests/src/tests/api/oidc/client-credentials-grant.test.ts
+++ b/packages/integration-tests/src/tests/api/oidc/client-credentials-grant.test.ts
@@ -244,6 +244,7 @@ describe('client credentials grant', () => {
     expect(returnedScope).toBe(`${scope1.name} ${scope2.name}`);
 
     const verified = await jwtVerify(accessToken, jwkSet, { audience: resource.indicator });
+    expect(verified.payload.organization_id).toBe(organization.id);
     expect(verified.payload.scope).toBe(`${scope1.name} ${scope2.name}`);
   });
 
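Review bot: The context comment `// Only handle access tokens` and the name `isAccessToken` no longer describe the condition in the first hunk, which now also lets `ctx.oidc.provider.ClientCredentials` instances through, so a reader of the surrounding code will assume client-credentials tokens are still filtered out. I would rewrite the comment to `// Handle user access tokens and client-credentials tokens alike` (or rename the flag to something like `isResourceToken`) so the widened scope is visible at the check itself. The body of getExtraTokenClaimsForOrganizationApiResource continues outside the hunk; since a client-credentials token has no resource owner, anything below this check that presumably derives the organization claim from the end user's membership should be confirmed to have a client-only path, otherwise the claim could be issued from the wrong principal. None of the visible test changes cover the negative case where the requesting client is not granted the organization, so that the claim is absent there remains unverified by this patch.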
@@ -271,6 +272,7 @@ describe('client credentials grant', () => {
     expect(returnedScope1).toBe(scope1.name);
 
     const verified1 = await jwtVerify(accessToken1, jwkSet, { audience: resource.indicator });
+    expect(verified1.payload.organization_id).toBe(organization.id);
     expect(verified1.payload.scope).toBe(scope1.name);
 
     const { access_token: accessToken2, scope: returnedScope2 } = await post({
@@ -281,6 +283,7 @@ describe('client credentials grant', () => {
     expect(returnedScope2).toBe(undefined);
 
     const verified2 = await jwtVerify(accessToken2, jwkSet, { audience: resource.indicator });
+    expect(verified1.payload.organization_id).toBe(organization.id);
     expect(verified2.payload.scope).toBe(undefined);
   });
 });
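Review bot: The assertion added in the last hunk reads `verified1` instead of `verified2`, so the `organization_id` claim of `accessToken2` is never checked and the test passes whatever the second token carries; it should be `expect(verified2.payload.organization_id).toBe(organization.id);`. This slip leaves exactly the more interesting case untested, the token whose returned scope is `undefined`, which is where a missing or wrong organization claim would most plausibly go unnoticed. The enclosing test callback starts outside the hunk.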