diff --git a/src/AuthorizationValidators/BearerTokenValidator.php b/src/AuthorizationValidators/BearerTokenValidator.php index bab8919f6..abebbecfc 100644 --- a/src/AuthorizationValidators/BearerTokenValidator.php +++ b/src/AuthorizationValidators/BearerTokenValidator.php @@ -118,7 +118,8 @@ public function validateAuthorization(ServerRequestInterface $request) ->withAttribute('oauth_access_token_id', $claims->get('jti')) ->withAttribute('oauth_client_id', $this->convertSingleRecordAudToString($claims->get('aud'))) ->withAttribute('oauth_user_id', $claims->get('sub')) - ->withAttribute('oauth_scopes', $claims->get('scopes')); + ->withAttribute('oauth_scopes', $claims->get('scopes')) + ->withAttribute('oauth_custom_claims', $this->extractCustomClaims($claims->all())); } /** @@ -132,4 +133,16 @@ private function convertSingleRecordAudToString($aud) { return \is_array($aud) && \count($aud) === 1 ? $aud[0] : $aud; } + + /** + * Extract custom claims + * + * @param array $claims + * + * @return array + */ + private function extractCustomClaims($claims) + { + return \array_diff_key($claims, \array_flip(['jti', 'aud', 'sub', 'scopes', 'iat', 'nbf', 'exp'])); + } } diff --git a/tests/AuthorizationValidators/BearerTokenValidatorTest.php b/tests/AuthorizationValidators/BearerTokenValidatorTest.php index 17319bda4..f58f976d6 100644 --- a/tests/AuthorizationValidators/BearerTokenValidatorTest.php +++ b/tests/AuthorizationValidators/BearerTokenValidatorTest.php @@ -34,6 +34,8 @@ public function testBearerTokenValidatorAcceptsValidToken() ->expiresAt((new DateTimeImmutable())->add(new DateInterval('PT1H'))) ->relatedTo('user-id') ->withClaim('scopes', 'scope1 scope2 scope3 scope4') + ->withClaim('attr1', 'value') + ->withClaim('attr2', 42) ->getToken(new Sha256(), LocalFileReference::file(__DIR__ . '/../Stubs/private.key')); $request = (new ServerRequest())->withHeader('authorization', \sprintf('Bearer %s', $validJwt->toString())); @@ -41,6 +43,12 @@ public function testBearerTokenValidatorAcceptsValidToken() $validRequest = $bearerTokenValidator->validateAuthorization($request); $this->assertArrayHasKey('authorization', $validRequest->getHeaders()); + + $this->assertEquals('token-id', $validRequest->getAttribute('oauth_access_token_id')); + $this->assertEquals('client-id', $validRequest->getAttribute('oauth_client_id')); + $this->assertEquals('user-id', $validRequest->getAttribute('oauth_user_id')); + $this->assertEquals('scope1 scope2 scope3 scope4', $validRequest->getAttribute('oauth_scopes')); + $this->assertEquals(['attr1' => 'value', 'attr2' => 42], $validRequest->getAttribute('oauth_custom_claims')); } public function testBearerTokenValidatorRejectsExpiredToken()