From e7112bfbd640b1fc45b36f6296faac7d475bc119 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Sat, 9 Apr 2022 16:55:24 +1000 Subject: [PATCH] feat(oidc): client id claims (#3150) Adds the authorized party (azp) and client_id registered claims to ID Tokens. --- docs/configuration/identity-providers/oidc.md | 4 +++- internal/oidc/discovery.go | 2 ++ internal/oidc/provider_test.go | 10 +++++++--- internal/oidc/types.go | 3 +++ 4 files changed, 15 insertions(+), 4 deletions(-) diff --git a/docs/configuration/identity-providers/oidc.md b/docs/configuration/identity-providers/oidc.md index 65fa3ba0e..eda2af788 100644 --- a/docs/configuration/identity-providers/oidc.md +++ b/docs/configuration/identity-providers/oidc.md @@ -552,7 +552,9 @@ individual user as per the [Subject Identifier Types] specification. Please use | iat | number | _N/A_ | The time when the token was issued | | jti | string(uuid) | _N/A_ | A JWT Identifier in the form of a [RFC4122] UUID V4 | | amr | array[string] | _N/A_ | An [RFC8176] list of authentication method reference values | - +| azp | string | id (client) | The authorized party | +| client_id | string | id (client) | The client id | + ### groups This scope includes the groups the authentication backend reports the user is a member of in the token. diff --git a/internal/oidc/discovery.go b/internal/oidc/discovery.go index 730da07f9..145c0da8b 100644 --- a/internal/oidc/discovery.go +++ b/internal/oidc/discovery.go @@ -32,6 +32,8 @@ func NewOpenIDConnectWellKnownConfiguration(enablePKCEPlainChallenge, pairwise b ClaimsSupported: []string{ "amr", "aud", + "azp", + "client_id", "exp", "iat", "iss", diff --git a/internal/oidc/provider_test.go b/internal/oidc/provider_test.go index e06b05552..f67a73797 100644 --- a/internal/oidc/provider_test.go +++ b/internal/oidc/provider_test.go 
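Review bot: The two entries added to `ClaimsSupported` are not on equal footing and the hunk does not say so: `azp` is an ID Token claim defined by OpenID Connect Core §2, whereas `client_id` as a token claim comes from RFC 9068 / RFC 8693 (JWT access tokens), so most relying-party libraries will simply ignore it inside an ID Token. A one-line comment on the new entry would save the next maintainer the lookup, e.g. `"client_id", // not an OIDC Core ID Token claim (RFC 9068 access-token claim); appears to mirror azp for clients that look for it`. The list looks alphabetically ordered and both insertions respect that, which is worth keeping. The enclosing function `NewOpenIDConnectWellKnownConfiguration` begins before this hunk.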
@@ -170,9 +170,11 @@ func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GetOpenIDConnectWellKnow
 assert.Contains(t, disco.RequestObjectSigningAlgValuesSupported, "RS256")
 assert.Contains(t, disco.RequestObjectSigningAlgValuesSupported, "none")
 
- assert.Len(t, disco.ClaimsSupported, 16)
+ assert.Len(t, disco.ClaimsSupported, 18)
 assert.Contains(t, disco.ClaimsSupported, "amr")
 assert.Contains(t, disco.ClaimsSupported, "aud")
+ assert.Contains(t, disco.ClaimsSupported, "azp")
+ assert.Contains(t, disco.ClaimsSupported, "client_id")
 assert.Contains(t, disco.ClaimsSupported, "exp")
 assert.Contains(t, disco.ClaimsSupported, "iat")
 assert.Contains(t, disco.ClaimsSupported, "iss")
@@ -245,9 +247,11 @@ func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GetOAuth2WellKnownConfig
 assert.Contains(t, disco.ResponseTypesSupported, "code token id_token")
 assert.Contains(t, disco.ResponseTypesSupported, "none")
 
- assert.Len(t, disco.ClaimsSupported, 16)
- assert.Contains(t, disco.ClaimsSupported, "aud")
+ assert.Len(t, disco.ClaimsSupported, 18)
 assert.Contains(t, disco.ClaimsSupported, "amr")
+ assert.Contains(t, disco.ClaimsSupported, "aud")
+ assert.Contains(t, disco.ClaimsSupported, "azp")
+ assert.Contains(t, disco.ClaimsSupported, "client_id")
 assert.Contains(t, disco.ClaimsSupported, "exp")
 assert.Contains(t, disco.ClaimsSupported, "iat")
 assert.Contains(t, disco.ClaimsSupported, "iss")
diff --git a/internal/oidc/types.go b/internal/oidc/types.go
index 43a79a3ec..a5a26c5e1 100644
--- a/internal/oidc/types.go
+++ b/internal/oidc/types.go
@@ -70,6 +70,9 @@ func NewSessionWithAuthorizeRequest(issuer, kid, username string, amr []string,
 session.Claims.Audience = append(session.Claims.Audience, requester.GetClient().GetID())
 }
 
+ session.Claims.Add("azp", session.ClientID)
+ session.Claims.Add("client_id", session.ClientID)
+
 return session
 }
 
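Review bot: Both test hunks only verify that the discovery document advertises `azp` and `client_id`; nothing in this change asserts that an issued ID Token actually carries those claims with the requesting client's id, which is the value a relying party validates (OIDC Core §3.1.3.7 requires `azp` to equal its own client_id). A test that builds a session through `NewSessionWithAuthorizeRequest` with a stub requester and checks the resulting claims map for both keys would pin the behaviour the commit is adding. Separately, `assert.Len(t, disco.ClaimsSupported, 18)` is a magic count that will drift again on the next claim; a single shared expected slice checked with `assert.ElementsMatch(t, expectedClaims, disco.ClaimsSupported)` replaces the count and the run of `Contains` calls in both tests. Both test functions begin before their hunks.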
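Review bot: The new `azp` and `client_id` values are read from `session.ClientID`, while the audience entry appended one line above comes from `requester.GetClient().GetID()`; `session.ClientID` is assigned outside this hunk, so if any path populates it differently or leaves it empty, the token carries an `azp` that is not in `aud`, and a relying party applying the OIDC Core §3.1.3.7 check (azp must equal its client_id) will reject the token. Sourcing both from the same value removes the question: `session.Claims.Add("azp", requester.GetClient().GetID())` and likewise for `client_id`, or a local `clientID` used by all three lines. A why-comment would also help, since `azp` is only required when `aud` has several entries: `// azp is optional for a single-audience token (OIDC Core §2), but emitting it always gives RPs one validation path.` The enclosing function `NewSessionWithAuthorizeRequest` starts before this hunk.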