feat(oidc): client id claims (#3150)

Adds the authorized party (azp) and client_id registered claims to ID Tokens.
2022-04-09 16:55:24 +10:00 · 2022-04-09 16:55:24 +10:00 · e7112bfbd6
parent 148ec1e2e0
commit e7112bfbd6
4 changed files with 15 additions and 4 deletions
--- a/docs/configuration/identity-providers/oidc.md
+++ b/docs/configuration/identity-providers/oidc.md
@ -552,7 +552,9 @@ individual user as per the [Subject Identifier Types] specification. Please use
 |    iat    |    number     |       _N/A_        |             The time when the token was issued              |
 |    jti    | string(uuid)  |       _N/A_        |     A JWT Identifier in the form of a [RFC4122] UUID V4     |
 |    amr    | array[string] |       _N/A_        | An [RFC8176] list of authentication method reference values |
-
+|    azp    |    string     |    id (client)     |                    The authorized party                     |
+| client_id |    string     |    id (client)     |                        The client id                        |
+    
 ### groups

 This scope includes the groups the authentication backend reports the user is a member of in the token.
--- a/internal/oidc/discovery.go
+++ b/internal/oidc/discovery.go
@ -32,6 +32,8 @@ func NewOpenIDConnectWellKnownConfiguration(enablePKCEPlainChallenge, pairwise b
 			ClaimsSupported: []string{
 				"amr",
 				"aud",
+				"azp",
+				"client_id",
 				"exp",
 				"iat",
 				"iss",
--- a/internal/oidc/provider_test.go
+++ b/internal/oidc/provider_test.go
@ -170,9 +170,11 @@ func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GetOpenIDConnectWellKnow
 	assert.Contains(t, disco.RequestObjectSigningAlgValuesSupported, "RS256")
 	assert.Contains(t, disco.RequestObjectSigningAlgValuesSupported, "none")

-	assert.Len(t, disco.ClaimsSupported, 16)
+	assert.Len(t, disco.ClaimsSupported, 18)
 	assert.Contains(t, disco.ClaimsSupported, "amr")
 	assert.Contains(t, disco.ClaimsSupported, "aud")
+	assert.Contains(t, disco.ClaimsSupported, "azp")
+	assert.Contains(t, disco.ClaimsSupported, "client_id")
 	assert.Contains(t, disco.ClaimsSupported, "exp")
 	assert.Contains(t, disco.ClaimsSupported, "iat")
 	assert.Contains(t, disco.ClaimsSupported, "iss")
@ -245,9 +247,11 @@ func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GetOAuth2WellKnownConfig
 	assert.Contains(t, disco.ResponseTypesSupported, "code token id_token")
 	assert.Contains(t, disco.ResponseTypesSupported, "none")

-	assert.Len(t, disco.ClaimsSupported, 16)
-	assert.Contains(t, disco.ClaimsSupported, "aud")
+	assert.Len(t, disco.ClaimsSupported, 18)
 	assert.Contains(t, disco.ClaimsSupported, "amr")
+	assert.Contains(t, disco.ClaimsSupported, "aud")
+	assert.Contains(t, disco.ClaimsSupported, "azp")
+	assert.Contains(t, disco.ClaimsSupported, "client_id")
 	assert.Contains(t, disco.ClaimsSupported, "exp")
 	assert.Contains(t, disco.ClaimsSupported, "iat")
 	assert.Contains(t, disco.ClaimsSupported, "iss")
--- a/internal/oidc/types.go
+++ b/internal/oidc/types.go
@ -70,6 +70,9 @@ func NewSessionWithAuthorizeRequest(issuer, kid, username string, amr []string,
 		session.Claims.Audience = append(session.Claims.Audience, requester.GetClient().GetID())
 	}

+	session.Claims.Add("azp", session.ClientID)
+	session.Claims.Add("client_id", session.ClientID)
+
 	return session
 }