Include "additional parameters" into authorization id hash

This change includes the "additional parameters" into the calculation
of the derived authorization id. These parameters typically contain
the "audience" for which an access token is requested. Therefore,
considering these parameters while building the id allows us to
retrieve and store separate access tokens for different purposes /
audiences.

Author: robertlemke

Classes/Authorization.php

@@ -134,11 +134,17 @@ public static function generateAuthorizationIdForAuthorizationCodeGrant(string $
      * @param string $clientId
      * @param string $clientSecret
      * @param string $scope
+     * @param array $additionalParameters
      * @return string
      */
-    public static function generateAuthorizationIdForClientCredentialsGrant(string $serviceName, string $clientId, string $clientSecret, string $scope): string
+    public static function generateAuthorizationIdForClientCredentialsGrant(string $serviceName, string $clientId, string $clientSecret, string $scope, array $additionalParameters = []): string
     {
-        return hash('sha512', $serviceName . $clientId . $clientSecret . $scope . self::GRANT_CLIENT_CREDENTIALS);
+        try {
+            $additionalParametersJson = json_encode($additionalParameters, JSON_THROW_ON_ERROR);
+        } catch (JsonException $e) {
+            $additionalParametersJson = '';
+        }
+        return hash('sha512', $serviceName . $clientId . $clientSecret . $scope . $additionalParametersJson . self::GRANT_CLIENT_CREDENTIALS);
     }
 
     /**

Classes/OAuthClient.php

@@ -226,7 +226,7 @@ public static function generateAuthorizationIdQueryParameterName(string $service
      */
     public function requestAccessToken(string $serviceName, string $clientId, string $clientSecret, string $scope,  array $additionalParameters = []): void
     {
-        $authorizationId = Authorization::generateAuthorizationIdForClientCredentialsGrant($serviceName, $clientId, $clientSecret, $scope);
+        $authorizationId = Authorization::generateAuthorizationIdForClientCredentialsGrant($serviceName, $clientId, $clientSecret, $scope, $additionalParameters);
         $this->logger->info(sprintf('OAuth (%s): Retrieving access token using client credentials grant for client "%s" using a %s bytes long secret. (authorization id: %s)', $this->getServiceType(), $clientId, strlen($clientSecret), $authorizationId));
 
         $existingAuthorization = $this->getAuthorization($authorizationId);

Tests/Unit/AuthorizationTest.php

@@ -152,9 +152,9 @@ public function getAccessTokenFailsOnEncryptedTokenIfKeyWasChanged(): void
     public function generateAuthorizationIdForClientCredentialsGrantReturnsSha1(): void
     {
         $authorizationId = Authorization::generateAuthorizationIdForClientCredentialsGrant(
-            'oidc_test', 'ac36cGG4d2Cef1DeuevA7T1u7V4WOUI14', 'CMc4EHfyMPLw}Tua%rnyxCnrTWMuX3', 'oidc profile'
+            'oidc_test', 'ac36cGG4d2Cef1DeuevA7T1u7V4WOUI14', 'CMc4EHfyMPLw}Tua%rnyxCnrTWMuX3', 'oidc profile', ['audience' => 'https://www.example.com']
         );
-        self::assertSame('bd55b7bc1b40d6342789c74fcc1900877b3966f4656c5d6a1c0a9111a1da02365ba9f00fcb1d058629446f7ec83d02166b0a8c271cbf1374467e7f294bb4b784', $authorizationId);
+        self::assertSame('c2d332337e6765c1f6876fe61c6bc63e98c1d3018ff5b56899ee54a1d1e8b1a5272b9ae9f73dc37429bccec583c3754d52bd8ef4e0f05001aa02a50e24b654a5', $authorizationId);
     }
 
     /**