diff --git a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java
index d60c4f8f95579..46bbc1d539296 100644
--- a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java
+++ b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java
@@ -4,6 +4,7 @@ import java.time.Duration;
 import java.util.Optional;
 import java.util.OptionalInt;
+import java.util.Set;
 
 import io.quarkus.runtime.annotations.ConfigGroup;
 import io.quarkus.runtime.annotations.ConfigItem;
@@ -306,6 +307,12 @@ public static class Jwt {
 @ConfigItem
 public Optional signatureAlgorithm = Optional.empty();
 
+/**
+* Additional `scope` added to JWT claims.
+*/
+@ConfigItem
+public Optional> scope = Optional.empty();
+
 /**
 * JWT life-span in seconds. It will be added to the time it was issued at to calculate the expiration time.
 */
@@ -368,6 +375,13 @@ public void setKeyFile(String keyFile) {
 this.keyFile = Optional.of(keyFile);
 }
 
+public Optional> getScope() {
+return scope;
+}
+
+public void setScope(Set scope) {
+this.scope = Optional.of(scope);
+}
 }
 
 /**
diff --git a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java
index 7ddcf22aee201..e1ed23c10d0cb 100644
--- a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java
+++ b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java
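Review bot: The Javadoc on the new `scope` config item only says "Additional `scope` added to JWT claims" and does not tell an operator what ends up in the token; the second file in this diff joins the whole set into one `scope` claim in `signJwtWithKey`, so the comment should state that the values are emitted as a single `scope` claim and name the delimiter used. Because the item is a `Set`, the order in which values appear in the claim is also not guaranteed; if the token endpoint cares about order, a `List` would preserve the configured order, and the Javadoc should say which it is. Something like `Scope values to be included in the client assertion as a single `scope` claim (values are joined with the delimiter used by OidcCommonUtils.signJwtWithKey; order is not preserved).` would cover both points.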
@@ -35,6 +35,7 @@ import io.quarkus.runtime.util.ClassPathUtils;
 
 import io.smallrye.jwt.algorithm.SignatureAlgorithm;
 import io.smallrye.jwt.build.Jwt;
+import io.smallrye.jwt.build.JwtClaimsBuilder;
 import io.smallrye.jwt.build.JwtSignatureBuilder;
 import io.smallrye.jwt.util.KeyUtils;
 import io.smallrye.jwt.util.ResourceUtils;
@@ -344,14 +345,20 @@ public static Key clientJwtKey(Credentials creds) {
 
 public static String signJwtWithKey(OidcCommonConfig oidcConfig, String tokenRequestUri, Key key) {
 // 'jti' and 'iat' claims are created by default, 'iat' - is set to the current time
-JwtSignatureBuilder builder = Jwt
+JwtClaimsBuilder claimsBuilder = Jwt
 .issuer(oidcConfig.credentials.jwt.issuer.orElse(oidcConfig.clientId.get()))
 .subject(oidcConfig.credentials.jwt.subject.orElse(oidcConfig.clientId.get()))
 .audience(oidcConfig.credentials.jwt.getAudience().isPresent() ? removeLastPathSeparator(oidcConfig.credentials.jwt.getAudience().get()) : tokenRequestUri)
-.expiresIn(oidcConfig.credentials.jwt.lifespan)
-.jws();
+.expiresIn(oidcConfig.credentials.jwt.lifespan);
+
+oidcConfig.credentials.jwt.scope.ifPresent((scope) -> {
+claimsBuilder.claim("scope", String.join(",", scope));
+});
+
+JwtSignatureBuilder builder = claimsBuilder.jws();
+
 if (oidcConfig.credentials.jwt.getTokenKeyId().isPresent()) {
 builder.keyId(oidcConfig.credentials.jwt.getTokenKeyId().get());
 }
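Review bot: `String.join(",", scope)` writes a comma-delimited `scope` claim, but the JWT `scope` claim (RFC 8693 §4.2, reused by RFC 9068) and the OAuth 2.0 `scope` parameter (RFC 6749 §3.3) are space-delimited; whether a token endpoint honors a `scope` claim inside a client assertion is server-specific, but one that does will parse the comma-joined string as a single unknown scope rather than several, so the interoperable form is `claimsBuilder.claim("scope", String.join(" ", scope));`. An empty configured set currently still adds a `scope` claim with an empty string value, which is better skipped: `oidcConfig.credentials.jwt.scope.filter(s -> !s.isEmpty()).ifPresent(s -> claimsBuilder.claim("scope", String.join(" ", s)));` also drops the parenthesised single-parameter lambda and its block braces, which is the usual style in this file. The body of `signJwtWithKey` continues past the end of the hunk.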