Private claims implementation

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
 - The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
 - An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
+- Ability to set custom claims on a JWT (PR #1122)
 
 ### Fixed
 - If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an `invalid_grant` error and a HTTP 400 response. In previous versions the server incorrectly issued an `invalid_request` and HTTP 401 response (PR #1042) (PR #1082)

src/AuthorizationServer.php

@@ -16,6 +16,7 @@
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\GrantTypeInterface;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClaimRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequestInterface;
@@ -69,6 +70,11 @@ class AuthorizationServer implements EmitterAwareInterface
      */
     private $scopeRepository;
 
+    /**
+     * @var null|ClaimRepositoryInterface
+     */
+    private $claimRepository;
+
     /**
      * @var string|Key
      */
@@ -93,18 +99,21 @@ class AuthorizationServer implements EmitterAwareInterface
      * @param CryptKeyInterface|string       $privateKey
      * @param string|Key                     $encryptionKey
      * @param null|ResponseTypeInterface     $responseType
+     * @param null|ClaimRepositoryInterface  $claimRepository
      */
     public function __construct(
         ClientRepositoryInterface $clientRepository,
         AccessTokenRepositoryInterface $accessTokenRepository,
         ScopeRepositoryInterface $scopeRepository,
         $privateKey,
         $encryptionKey,
-        ResponseTypeInterface $responseType = null
+        ResponseTypeInterface $responseType = null,
+        ClaimRepositoryInterface $claimRepository = null
     ) {
         $this->clientRepository = $clientRepository;
         $this->accessTokenRepository = $accessTokenRepository;
         $this->scopeRepository = $scopeRepository;
+        $this->claimRepository = $claimRepository;
 
         if ($privateKey instanceof CryptKeyInterface === false) {
             $privateKey = new CryptKey($privateKey);
@@ -137,6 +146,7 @@ public function enableGrantType(GrantTypeInterface $grantType, DateInterval $acc
         $grantType->setAccessTokenRepository($this->accessTokenRepository);
         $grantType->setClientRepository($this->clientRepository);
         $grantType->setScopeRepository($this->scopeRepository);
+        $grantType->setClaimRepository($this->claimRepository);
         $grantType->setDefaultScope($this->defaultScope);
         $grantType->setPrivateKey($this->privateKey);
         $grantType->setEmitter($this->getEmitter());

src/Entities/ClaimEntityInterface.php

@@ -0,0 +1,27 @@
+<?php
+/**
+ * @author      Sebastian Kroczek <[email protected]>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+interface ClaimEntityInterface
+{
+    /**
+     * Get the claim's name.
+     *
+     * @return string
+     */
+    public function getName();
+
+    /**
+     * Get the claim's value
+     *
+     * @return mixed
+     */
+    public function getValue();
+}

src/Entities/Traits/AccessTokenTrait.php

@@ -15,6 +15,7 @@
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use Lcobucci\JWT\Token;
 use League\OAuth2\Server\CryptKeyInterface;
+use League\OAuth2\Server\Entities\ClaimEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 
@@ -59,14 +60,20 @@ private function convertToJWT()
     {
         $this->initJwtConfiguration();
 
-        return $this->jwtConfiguration->builder()
-            ->permittedFor($this->getClient()->getIdentifier())
+        $builder = $this->jwtConfiguration->builder();
+
+        $builder->permittedFor($this->getClient()->getIdentifier())
             ->identifiedBy($this->getIdentifier())
             ->issuedAt(new DateTimeImmutable())
             ->canOnlyBeUsedAfter(new DateTimeImmutable())
             ->expiresAt($this->getExpiryDateTime())
-            ->relatedTo((string) $this->getUserIdentifier())
-            ->withClaim('scopes', $this->getScopes())
+            ->relatedTo((string) $this->getUserIdentifier());
+
+        foreach ($this->getClaims() as $claim) {
+            $builder->withClaim($claim->getName(), $claim->getValue());
+        }
+
+        return $builder->withClaim('scopes', $this->getScopes())
             ->getToken($this->jwtConfiguration->signer(), $this->jwtConfiguration->signingKey());
     }
 
@@ -98,6 +105,11 @@ abstract public function getUserIdentifier();
      */
     abstract public function getScopes();
 
+    /**
+     * @return ClaimEntityInterface[]
+     */
+    abstract public function getClaims();
+
     /**
      * @return string
      */

src/Entities/Traits/ClaimEntityTrait.php

@@ -0,0 +1,43 @@
+<?php
+/**
+ * @author      Sebastian Kroczek <[email protected]>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+trait ClaimEntityTrait
+{
+    /**
+     * @var string
+     */
+    protected $name;
+
+    /**
+     * @var mixed
+     */
+    protected $value;
+
+    /**
+     * Returns the name of the claim
+     *
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Returns the claims value
+     *
+     * @return mixed
+     */
+    public function getValue()
+    {
+        return $this->value;
+    }
+}

src/Entities/Traits/TokenEntityTrait.php

@@ -10,6 +10,7 @@
 namespace League\OAuth2\Server\Entities\Traits;
 
 use DateTimeImmutable;
+use League\OAuth2\Server\Entities\ClaimEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 
@@ -20,6 +21,11 @@ trait TokenEntityTrait
      */
     protected $scopes = [];
 
+    /**
+     * @var ClaimEntityInterface[]
+     */
+    protected $claims = [];
+
     /**
      * @var DateTimeImmutable
      */
@@ -55,6 +61,26 @@ public function getScopes()
         return \array_values($this->scopes);
     }
 
+    /**
+     * Associate a claim with the token.
+     *
+     * @param ClaimEntityInterface $claim
+     */
+    public function addClaim(ClaimEntityInterface $claim)
+    {
+        $this->claims[] = $claim;
+    }
+
+    /**
+     * Return an array of claims associated with the token.
+     *
+     * @return ClaimEntityInterface[]
+     */
+    public function getClaims()
+    {
+        return $this->claims;
+    }
+
     /**
      * Get the token's expiry date time.
      *

src/Grant/AbstractGrant.php

@@ -19,6 +19,7 @@
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
+use League\OAuth2\Server\Entities\ClaimEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
@@ -27,6 +28,7 @@
 use League\OAuth2\Server\RedirectUriValidators\RedirectUriValidator;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClaimRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
@@ -63,6 +65,12 @@ abstract class AbstractGrant implements GrantTypeInterface
      */
     protected $scopeRepository;
 
+    /**
+     * @var null|ClaimRepositoryInterface
+     */
+    protected $claimRepository;
+
+
     /**
      * @var AuthCodeRepositoryInterface
      */
@@ -122,6 +130,14 @@ public function setScopeRepository(ScopeRepositoryInterface $scopeRepository)
         $this->scopeRepository = $scopeRepository;
     }
 
+    /**
+     * @param ClaimRepositoryInterface $claimRepository
+     */
+    public function setClaimRepository(?ClaimRepositoryInterface $claimRepository)
+    {
+        $this->claimRepository = $claimRepository;
+    }
+
     /**
      * @param RefreshTokenRepositoryInterface $refreshTokenRepository
      */
@@ -440,6 +456,7 @@ protected function getServerParameter($parameter, ServerRequestInterface $reques
      * @param ClientEntityInterface  $client
      * @param string|null            $userIdentifier
      * @param ScopeEntityInterface[] $scopes
+     * @param ClaimEntityInterface[] $claims
      *
      * @throws OAuthServerException
      * @throws UniqueTokenIdentifierConstraintViolationException
@@ -450,14 +467,21 @@ protected function issueAccessToken(
         DateInterval $accessTokenTTL,
         ClientEntityInterface $client,
         $userIdentifier,
-        array $scopes = []
+        array $scopes = [],
+        array $claims = []
     ) {
         $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
 
         $accessToken = $this->accessTokenRepository->getNewToken($client, $scopes, $userIdentifier);
         $accessToken->setExpiryDateTime((new DateTimeImmutable())->add($accessTokenTTL));
         $accessToken->setPrivateKey($this->privateKey);
 
+        if (\method_exists($accessToken, 'addClaim')) {
+            foreach ($claims as $claim) {
+                $accessToken->addClaim($claim);
+            }
+        }
+
         while ($maxGenerationAttempts-- > 0) {
             $accessToken->setIdentifier($this->generateUniqueIdentifier());
             try {

src/Grant/AuthCodeGrant.php

@@ -164,8 +164,18 @@ public function respondToAccessTokenRequest(
             }
         }
 
+        $privateClaims = [];
+
+        if ($this->claimRepository !== null) {
+            $privateClaims = $this->claimRepository->getClaims(
+                $this->getIdentifier(),
+                $client,
+                $authCodePayload->user_id
+            );
+        }
+
         // Issue and persist new access token
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes);
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes, $privateClaims);
         $this->getEmitter()->emit(new RequestAccessTokenEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request, $accessToken));
         $responseType->setAccessToken($accessToken);
 

src/Grant/ClientCredentialsGrant.php

@@ -49,8 +49,14 @@ public function respondToAccessTokenRequest(
         // Finalize the requested scopes
         $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
 
+        $privateClaims = [];
+
+        if ($this->claimRepository !== null) {
+            $privateClaims = $this->claimRepository->getClaims($this->getIdentifier(), $client);
+        }
+
         // Issue and persist access token
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes);
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes, $privateClaims);
 
         // Send event to emitter
         $this->getEmitter()->emit(new RequestAccessTokenEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request, $accessToken));

src/Grant/GrantTypeInterface.php

@@ -16,6 +16,7 @@
 use League\Event\EmitterAwareInterface;
 use League\OAuth2\Server\CryptKeyInterface;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClaimRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequestInterface;
@@ -121,6 +122,13 @@ public function setAccessTokenRepository(AccessTokenRepositoryInterface $accessT
      */
     public function setScopeRepository(ScopeRepositoryInterface $scopeRepository);
 
+    /**
+     * Set the claim repository.
+     *
+     * @param ClaimRepositoryInterface $claimRepository
+     */
+    public function setClaimRepository(?ClaimRepositoryInterface $claimRepository);
+
     /**
      * Set the default scope.
      *

src/Grant/ImplicitGrant.php

@@ -194,11 +194,22 @@ public function completeAuthorizationRequest(AuthorizationRequestInterface $auth
                 $authorizationRequest->getUser()->getIdentifier()
             );
 
+            $privateClaims = [];
+
+            if ($this->claimRepository !== null) {
+                $privateClaims = $this->claimRepository->getClaims(
+                    $this->getIdentifier(),
+                    $authorizationRequest->getClient(),
+                    $authorizationRequest->getUser()->getIdentifier()
+                );
+            }
+
             $accessToken = $this->issueAccessToken(
                 $this->accessTokenTTL,
                 $authorizationRequest->getClient(),
                 $authorizationRequest->getUser()->getIdentifier(),
-                $finalizedScopes
+                $finalizedScopes,
+                $privateClaims
             );
 
             $response = new RedirectResponse();