Merge pull request #25 from dmmike/master

feature - add non-default claims to request automatically

CHANGELOG.md

@@ -12,8 +12,11 @@ Please check the [Upgrading Instructions](UPGRADE.md) when upgrading to a newer
 
 ### Added
 - Initiating User Registration via OpenID Connect. (rhertogh)
+- Addition of all extra claims in access token to request. (m.vanderzijden)
 
 ### Changed
+- Altered scope of getRequestOauthClaim function to public. (m.vanderzijden)
+- Centralized JWTConfiguration to Oauth2Module. (m.vanderzijden)
 
 ### Deprecated
 

src/Oauth2Module.php

@@ -13,6 +13,11 @@
 use Defuse\Crypto\Exception\EnvironmentIsBrokenException;
 use GuzzleHttp\Psr7\Response as Psr7Response;
 use GuzzleHttp\Psr7\ServerRequest as Psr7ServerRequest;
+use Lcobucci\JWT\Configuration;
+use Lcobucci\JWT\Signer\Key\InMemory;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\Token;
+use Lcobucci\JWT\Validation\Constraint\SignedWith;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Grant\GrantTypeInterface;
 use rhertogh\Yii2Oauth2Server\base\Oauth2BaseModule;
@@ -217,6 +222,11 @@ class Oauth2Module extends Oauth2BaseModule implements BootstrapInterface, Defau
         ]
     ];
 
+    /**
+     * Offset of Bearer: in Authorization header
+     */
+    protected const BEARER_TOKEN_OFFSET = 7;
+
     /**
      * @inheritdoc
      */
@@ -1390,6 +1400,18 @@ public function validateAuthenticatedRequest()
 
         $psr7Request = $this->getResourceServer()->validateAuthenticatedRequest($psr7Request);
 
+        $token = substr(Yii::$app->request->headers->get('Authorization'), self::BEARER_TOKEN_OFFSET);
+
+        if ($token) {
+            $claims = $this->getAccessToken($token)->claims();
+
+            foreach ($claims->all() as $claimKey => $claimValue) {
+                if (!$this->isDefaultClaimKey($claimKey)) {
+                    $psr7Request = $psr7Request->withAttribute($claimKey, $claimValue);
+                }
+            }
+        }
+
         $this->_oauthClaims = $psr7Request->getAttributes();
         $this->_oauthClaimsAuthorizationHeader = Yii::$app->request->getHeaders()->get('Authorization');
     }
@@ -1572,4 +1594,51 @@ public function getElaboratedHttpClientErrorsLogLevel()
 
         return $this->httpClientErrorsLogLevel;
     }
+
+
+    public function getJwtConfiguration(): Configuration
+    {
+        // Based on \League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator::initJwtConfiguration().
+        $jwtConfiguration = Configuration::forSymmetricSigner(
+            new Sha256(),
+            InMemory::plainText('empty', 'empty')
+        );
+
+        $publicKey = $this->getPublicKey();
+        $jwtConfiguration->setValidationConstraints(
+            new SignedWith(
+                new Sha256(),
+                InMemory::plainText($publicKey->getKeyContents(), $publicKey->getPassPhrase() ?? '')
+            )
+        );
+
+        return $jwtConfiguration;
+    }
+
+    public function getAccessToken(string $token): Token
+    {
+        $jwtConfiguration = $this->getJwtConfiguration();
+        $accessToken = $jwtConfiguration->parser()->parse($token);
+        $jwtConfiguration->validator()->assert($accessToken, ...$jwtConfiguration->validationConstraints());
+        Yii::debug('Found access token: ' . $token, __METHOD__);
+
+        return $accessToken;
+    }
+
+    protected function isDefaultClaimKey(string $claimKey): bool
+    {
+        return in_array(
+            $claimKey,
+            [
+                'aud',
+                'jti',
+                'iat',
+                'nbf',
+                'exp',
+                'sub',
+                'scopes',
+                'client_id',
+            ]
+        );
+    }
 }

src/controllers/web/server/Oauth2RevokeAction.php

@@ -4,10 +4,6 @@
 
 use Defuse\Crypto\Crypto;
 use Defuse\Crypto\Key;
-use Lcobucci\JWT\Configuration;
-use Lcobucci\JWT\Signer\Key\InMemory;
-use Lcobucci\JWT\Signer\Rsa\Sha256;
-use Lcobucci\JWT\Validation\Constraint\SignedWith;
 use rhertogh\Yii2Oauth2Server\controllers\web\Oauth2ServerController;
 use rhertogh\Yii2Oauth2Server\controllers\web\server\base\Oauth2BaseServerAction;
 use rhertogh\Yii2Oauth2Server\helpers\Oauth2RequestHelper;
@@ -156,24 +152,7 @@ protected function parseTokenAsRefreshToken(Oauth2Module $module, string $token,
     protected function parseTokenAsAccessToken(Oauth2Module $module, string $token, string $tokenTypeHint)
     {
         try {
-            // Based on \League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator::initJwtConfiguration().
-            $jwtConfiguration = Configuration::forSymmetricSigner(
-                new Sha256(),
-                InMemory::plainText('empty', 'empty')
-            );
-
-            $publicKey = $module->getPublicKey();
-            $jwtConfiguration->setValidationConstraints(
-                new SignedWith(
-                    new Sha256(),
-                    InMemory::plainText($publicKey->getKeyContents(), $publicKey->getPassPhrase() ?? '')
-                )
-            );
-
-            $accessToken = $jwtConfiguration->parser()->parse($token);
-            $jwtConfiguration->validator()->assert($accessToken, ...$jwtConfiguration->validationConstraints());
-            Yii::debug('Found access token: ' . $token, __METHOD__);
-            $accessTokenClaims = $accessToken->claims();
+            $accessTokenClaims = $module->getAccessToken($token)->claims();
             $accessTokenIdentifier = $accessTokenClaims->get('jti');
             $clientIdentifier = $accessTokenClaims->get('client_id');