feat(oidc-common): add scope option to oidc jwt
In some cases, the JWT passed in a client-credentials
grant flow requires a `scope` claim. This commit introduces
the option
Waldemar Reusch committed Jul 11, 2023
1 parent 80826ec commit 898d378
Showing 2 changed files with 24 additions and 3 deletions.
Expand Up @@ -4,6 +4,7 @@
import java.time.Duration;
import java.util.Optional;
import java.util.OptionalInt;
import java.util.Set;

import io.quarkus.runtime.annotations.ConfigGroup;
import io.quarkus.runtime.annotations.ConfigItem;
Expand Down Expand Up @@ -306,6 +307,12 @@ public static class Jwt {
@ConfigItem
public Optional<String> signatureAlgorithm = Optional.empty();

/**
* Additional `scope` added to JWT claims.
*/
@ConfigItem
public Optional<Set<String>> scope = Optional.empty();

/**
* JWT life-span in seconds. It will be added to the time it was issued at to calculate the expiration time.
*/
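Review bot: The Javadoc on the new `scope` field does not say how the set is serialized into the token, so a reader of this config group cannot tell whether each value becomes a separate array element or they are concatenated; the utility in the second file of this commit joins them into one string value for the `scope` claim. Suggest replacing the one-line comment with `Additional values for the JWT's `scope` claim. They are joined into a single string claim value.` and, if the separator ends up being changed in the utility, naming it here too. The setter `setScope` in the following hunk wraps with `Optional.of` and so rejects `null`, which matches `setKeyFile` directly above it. The enclosing `Jwt` config class starts before this hunk.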
Expand Down Expand Up @@ -368,6 +375,13 @@ public void setKeyFile(String keyFile) {
this.keyFile = Optional.of(keyFile);
}

public Optional<Set<String>> getScope() {
return scope;
}

public void setScope(Set<String> scope) {
this.scope = Optional.of(scope);
}
}

/**
Expand Up @@ -35,6 +35,7 @@
import io.quarkus.runtime.util.ClassPathUtils;
import io.smallrye.jwt.algorithm.SignatureAlgorithm;
import io.smallrye.jwt.build.Jwt;
import io.smallrye.jwt.build.JwtClaimsBuilder;
import io.smallrye.jwt.build.JwtSignatureBuilder;
import io.smallrye.jwt.util.KeyUtils;
import io.smallrye.jwt.util.ResourceUtils;
Expand Down Expand Up @@ -344,14 +345,20 @@ public static Key clientJwtKey(Credentials creds) {

public static String signJwtWithKey(OidcCommonConfig oidcConfig, String tokenRequestUri, Key key) {
// 'jti' and 'iat' claims are created by default, 'iat' - is set to the current time
JwtSignatureBuilder builder = Jwt
JwtClaimsBuilder claimsBuilder = Jwt
.issuer(oidcConfig.credentials.jwt.issuer.orElse(oidcConfig.clientId.get()))
.subject(oidcConfig.credentials.jwt.subject.orElse(oidcConfig.clientId.get()))
.audience(oidcConfig.credentials.jwt.getAudience().isPresent()
? removeLastPathSeparator(oidcConfig.credentials.jwt.getAudience().get())
: tokenRequestUri)
.expiresIn(oidcConfig.credentials.jwt.lifespan)
.jws();
.expiresIn(oidcConfig.credentials.jwt.lifespan);

oidcConfig.credentials.jwt.scope.ifPresent((scope) -> {
claimsBuilder.claim("scope", String.join(",", scope));
});

JwtSignatureBuilder builder = claimsBuilder.jws();

if (oidcConfig.credentials.jwt.getTokenKeyId().isPresent()) {
builder.keyId(oidcConfig.credentials.jwt.getTokenKeyId().get());
}
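Review bot: `claimsBuilder.claim("scope", String.join(",", scope))` in the new `ifPresent` block joins the values with a comma, whereas the `scope` claim (RFC 8693 §4.2, mirroring the OAuth 2.0 `scope` parameter of RFC 6749 §3.3) is a space-separated string; an authorization server parsing the claim per that definition will see a single scope named `a,b` rather than two scopes. Suggest `claimsBuilder.claim("scope", String.join(" ", scope));`. Because the config type is `Set<String>`, the order of the joined values follows the set's iteration order, so if a stable claim value matters (e.g. for logging or comparison) join a sorted view instead. The block lambda can also be written as an expression, `scope -> claimsBuilder.claim("scope", String.join(" ", scope))`. `signJwtWithKey` continues past the end of this hunk.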
