Private claims implementation

CHANGELOG.md

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
 - The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
 - An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
+- Ability to set custom claims on a JWT (PR #1122)
 
 ### Added
 - Add a `getRedirectUri` function to the `OAuthServerException` class (PR #1123)

src/AuthorizationServer.php

@@ -16,6 +16,7 @@
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\GrantTypeInterface;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClaimRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequestInterface;
@@ -69,6 +70,11 @@ class AuthorizationServer implements EmitterAwareInterface
      */
     private $scopeRepository;
 
+    /**
+     * @var null|ClaimRepositoryInterface
+     */
+    private $claimRepository;
+
     /**
      * @var string|Key
      */
@@ -88,18 +94,21 @@ class AuthorizationServer implements EmitterAwareInterface
      * @param CryptKeyInterface|string       $privateKey
      * @param string|Key                     $encryptionKey
      * @param null|ResponseTypeInterface     $responseType
+     * @param null|ClaimRepositoryInterface  $claimRepository
      */
     public function __construct(
         ClientRepositoryInterface $clientRepository,
         AccessTokenRepositoryInterface $accessTokenRepository,
         ScopeRepositoryInterface $scopeRepository,
         $privateKey,
         $encryptionKey,
-        ResponseTypeInterface $responseType = null
+        ResponseTypeInterface $responseType = null,
+        ClaimRepositoryInterface $claimRepository = null
     ) {
         $this->clientRepository = $clientRepository;
         $this->accessTokenRepository = $accessTokenRepository;
         $this->scopeRepository = $scopeRepository;
+        $this->claimRepository = $claimRepository;
 
         if ($privateKey instanceof CryptKeyInterface === false) {
             $privateKey = new CryptKey($privateKey);
@@ -132,6 +141,7 @@ public function enableGrantType(GrantTypeInterface $grantType, DateInterval $acc
         $grantType->setAccessTokenRepository($this->accessTokenRepository);
         $grantType->setClientRepository($this->clientRepository);
         $grantType->setScopeRepository($this->scopeRepository);
+        $grantType->setClaimRepository($this->claimRepository);
         $grantType->setDefaultScope($this->defaultScope);
         $grantType->setPrivateKey($this->privateKey);
         $grantType->setEmitter($this->getEmitter());

src/Entities/ClaimEntityInterface.php

@@ -0,0 +1,27 @@
+<?php
+/**
+ * @author      Sebastian Kroczek <[email protected]>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+interface ClaimEntityInterface
+{
+    /**
+     * Get the claim's name.
+     *
+     * @return string
+     */
+    public function getName();
+
+    /**
+     * Get the claim's value
+     *
+     * @return mixed
+     */
+    public function getValue();
+}

src/Entities/TokenInterface.php

@@ -82,4 +82,18 @@ public function addScope(ScopeEntityInterface $scope);
      * @return ScopeEntityInterface[]
      */
     public function getScopes();
+
+    /**
+     * Associate a claim with the token.
+     *
+     * @param ClaimEntityInterface $claim
+     */
+    public function addClaim(ClaimEntityInterface $claim);
+
+    /**
+     * Return an array of claims associated with the token.
+     *
+     * @return ClaimEntityInterface[]
+     */
+    public function getClaims();
 }

src/Entities/Traits/AccessTokenTrait.php

@@ -15,6 +15,7 @@
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use Lcobucci\JWT\Token;
 use League\OAuth2\Server\CryptKeyInterface;
+use League\OAuth2\Server\Entities\ClaimEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 
@@ -42,13 +43,20 @@ public function setPrivateKey(CryptKeyInterface $privateKey)
      */
     private function convertToJWT(CryptKeyInterface $privateKey)
     {
-        return (new Builder())
-            ->permittedFor($this->getClient()->getIdentifier())
+        $builder = new Builder();
+        $builder->permittedFor($this->getClient()->getIdentifier())
             ->identifiedBy($this->getIdentifier())
             ->issuedAt(\time())
             ->canOnlyBeUsedAfter(\time())
             ->expiresAt($this->getExpiryDateTime()->getTimestamp())
-            ->relatedTo((string) $this->getUserIdentifier())
+            ->relatedTo((string) $this->getUserIdentifier());
+
+        foreach ($this->getClaims() as $claim) {
+            $builder->withClaim($claim->getName(), $claim->getValue());
+        }
+
+        return $builder
+            // Set scope claim late to prevent it from being overridden.
             ->withClaim('scopes', $this->getScopes())
             ->getToken(new Sha256(), new Key($privateKey->getKeyPath(), $privateKey->getPassPhrase()));
     }
@@ -81,6 +89,11 @@ abstract public function getUserIdentifier();
      */
     abstract public function getScopes();
 
+    /**
+     * @return ClaimEntityInterface[]
+     */
+    abstract public function getClaims();
+
     /**
      * @return string
      */

src/Entities/Traits/ClaimEntityTrait.php

@@ -0,0 +1,43 @@
+<?php
+/**
+ * @author      Sebastian Kroczek <[email protected]>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+trait ClaimEntityTrait
+{
+    /**
+     * @var string
+     */
+    protected $name;
+
+    /**
+     * @var mixed
+     */
+    protected $value;
+
+    /**
+     * Returns the name of the claim
+     *
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Returns the claims value
+     *
+     * @return mixed
+     */
+    public function getValue()
+    {
+        return $this->value;
+    }
+}

src/Entities/Traits/TokenEntityTrait.php

@@ -10,6 +10,7 @@
 namespace League\OAuth2\Server\Entities\Traits;
 
 use DateTimeImmutable;
+use League\OAuth2\Server\Entities\ClaimEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 
@@ -20,6 +21,11 @@ trait TokenEntityTrait
      */
     protected $scopes = [];
 
+    /**
+     * @var ClaimEntityInterface[]
+     */
+    protected $claims = [];
+
     /**
      * @var DateTimeImmutable
      */
@@ -55,6 +61,26 @@ public function getScopes()
         return \array_values($this->scopes);
     }
 
+    /**
+     * Associate a claim with the token.
+     *
+     * @param ClaimEntityInterface $claim
+     */
+    public function addClaim(ClaimEntityInterface $claim)
+    {
+        $this->claims[] = $claim;
+    }
+
+    /**
+     * Return an array of claims associated with the token.
+     *
+     * @return ClaimEntityInterface[]
+     */
+    public function getClaims()
+    {
+        return $this->claims;
+    }
+
     /**
      * Get the token's expiry date time.
      *

src/Grant/AbstractGrant.php

@@ -19,13 +19,15 @@
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
+use League\OAuth2\Server\Entities\ClaimEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClaimRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
@@ -62,6 +64,12 @@ abstract class AbstractGrant implements GrantTypeInterface
      */
     protected $scopeRepository;
 
+    /**
+     * @var null|ClaimRepositoryInterface
+     */
+    protected $claimRepository;
+
+
     /**
      * @var AuthCodeRepositoryInterface
      */
@@ -116,6 +124,14 @@ public function setScopeRepository(ScopeRepositoryInterface $scopeRepository)
         $this->scopeRepository = $scopeRepository;
     }
 
+    /**
+     * @param ClaimRepositoryInterface $claimRepository
+     */
+    public function setClaimRepository(?ClaimRepositoryInterface $claimRepository)
+    {
+        $this->claimRepository = $claimRepository;
+    }
+
     /**
      * @param RefreshTokenRepositoryInterface $refreshTokenRepository
      */
@@ -418,6 +434,7 @@ protected function getServerParameter($parameter, ServerRequestInterface $reques
      * @param ClientEntityInterface  $client
      * @param string|null            $userIdentifier
      * @param ScopeEntityInterface[] $scopes
+     * @param ClaimEntityInterface[] $claims
      *
      * @throws OAuthServerException
      * @throws UniqueTokenIdentifierConstraintViolationException
@@ -428,14 +445,19 @@ protected function issueAccessToken(
         DateInterval $accessTokenTTL,
         ClientEntityInterface $client,
         $userIdentifier,
-        array $scopes = []
+        array $scopes = [],
+        array $claims = []
     ) {
         $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
 
         $accessToken = $this->accessTokenRepository->getNewToken($client, $scopes, $userIdentifier);
         $accessToken->setExpiryDateTime((new DateTimeImmutable())->add($accessTokenTTL));
         $accessToken->setPrivateKey($this->privateKey);
 
+        foreach ($claims as $claim) {
+            $accessToken->addClaim($claim);
+        }
+
         while ($maxGenerationAttempts-- > 0) {
             $accessToken->setIdentifier($this->generateUniqueIdentifier());
             try {

src/Grant/AuthCodeGrant.php

@@ -161,8 +161,18 @@ public function respondToAccessTokenRequest(
             }
         }
 
+        $privateClaims = [];
+
+        if ($this->claimRepository !== null) {
+            $privateClaims = $this->claimRepository->getClaims(
+                $this->getIdentifier(),
+                $client,
+                $authCodePayload->user_id
+            );
+        }
+
         // Issue and persist new access token
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes);
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes, $privateClaims);
         $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
         $responseType->setAccessToken($accessToken);
 

src/Grant/ClientCredentialsGrant.php

@@ -48,8 +48,14 @@ public function respondToAccessTokenRequest(
         // Finalize the requested scopes
         $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
 
+        $privateClaims = [];
+
+        if ($this->claimRepository !== null) {
+            $privateClaims = $this->claimRepository->getClaims($this->getIdentifier(), $client);
+        }
+
         // Issue and persist access token
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes);
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes, $privateClaims);
 
         // Send event to emitter
         $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));

src/Grant/GrantTypeInterface.php

@@ -16,6 +16,7 @@
 use League\Event\EmitterAwareInterface;
 use League\OAuth2\Server\CryptKeyInterface;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClaimRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequestInterface;
@@ -121,6 +122,13 @@ public function setAccessTokenRepository(AccessTokenRepositoryInterface $accessT
      */
     public function setScopeRepository(ScopeRepositoryInterface $scopeRepository);
 
+    /**
+     * Set the claim repository.
+     *
+     * @param ClaimRepositoryInterface $claimRepository
+     */
+    public function setClaimRepository(?ClaimRepositoryInterface $claimRepository);
+
     /**
      * Set the default scope.
      *

src/Grant/ImplicitGrant.php

@@ -186,11 +186,22 @@ public function completeAuthorizationRequest(AuthorizationRequestInterface $auth
                 $authorizationRequest->getUser()->getIdentifier()
             );
 
+            $privateClaims = [];
+
+            if ($this->claimRepository !== null) {
+                $privateClaims = $this->claimRepository->getClaims(
+                    $this->getIdentifier(),
+                    $authorizationRequest->getClient(),
+                    $authorizationRequest->getUser()->getIdentifier()
+                );
+            }
+
             $accessToken = $this->issueAccessToken(
                 $this->accessTokenTTL,
                 $authorizationRequest->getClient(),
                 $authorizationRequest->getUser()->getIdentifier(),
-                $finalizedScopes
+                $finalizedScopes,
+                $privateClaims
             );
 
             $response = new RedirectResponse();