fix(jans-auth-server): put in access_token and id_token jwt only expl… · JanssenProject/jans@a19d82d (original) (raw)

`@@ -42,6 +42,7 @@

42

`import jakarta.enterprise.context.ApplicationScoped;

43

`import jakarta.inject.Inject;

44

`import jakarta.inject.Named;

45

import org.apache.commons.lang3.BooleanUtils;

45

46

`import org.apache.commons.lang3.StringUtils;

46

47

`import org.apache.logging.log4j.util.Strings;

47

48

`import org.json.JSONObject;

`@@ -218,9 +219,9 @@ private void fillClaims(JsonWebResponse jwr,

218

219

` }

219

220

`jwr.setClaim(JwtClaimName.JANS_OPENID_CONNECT_VERSION, appConfiguration.getJansOpenIdConnectVersion());

220

221

User user = authorizationGrant.getUser();

222

`List dynamicScopes = new ArrayList<>();

223

`if (executionContext.isIncludeIdTokenClaims() && client.isIncludeClaimsInIdToken()) {

224

User user = authorizationGrant.getUser();

224

225

`for (String scopeName : executionContext.getScopes()) {

225

226

`Scope scope = scopeService.getScopeById(scopeName);

226

227

`if (scope == null) {

`@@ -269,10 +270,11 @@ private void fillClaims(JsonWebResponse jwr,

269

270

271

`jwr.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute("inum"));

271

272

` }

273

+

274

setClaimsFromJwtAuthorizationRequest(jwr, authorizationGrant, executionContext.getScopes());

275

setClaimsFromRequestedClaims(executionContext.getClaimsAsString(), jwr, user, client, executionContext.getScopes());

272

276

` }

273

277

274

setClaimsFromJwtAuthorizationRequest(jwr, authorizationGrant, executionContext.getScopes());

275

setClaimsFromRequestedClaims(executionContext.getClaimsAsString(), jwr, user);

276

278

`filterClaimsBasedOnAccessToken(jwr, accessToken, authorizationCode);

277

279

`jwrService.setSubjectIdentifier(jwr, authorizationGrant);

278

280

`@@ -329,8 +331,13 @@ private void filterClaimsBasedOnAccessToken(JsonWebResponse jwr, AccessToken acc

329

331

` * @param jwr Json that contains all claims that should go in id_token.

330

332

` * @param user Authenticated user.

331

333

` */

332

private void setClaimsFromRequestedClaims(String requestedClaims, JsonWebResponse jwr, User user)

334

private void setClaimsFromRequestedClaims(String requestedClaims, JsonWebResponse jwr, User user, Client client, Collection scopes)

333

335

`throws InvalidClaimException {

336

+

337

if (BooleanUtils.isFalse(appConfiguration.getIncludeRequestedClaimsInIdToken())) {

338

return;

339

}

340

+

334

341

`if (requestedClaims != null) {

335

342

`JSONObject claimsObj = new JSONObject(requestedClaims);

336

343

`if (claimsObj.has("id_token")) {

`@@ -339,10 +346,11 @@ private void setClaimsFromRequestedClaims(String requestedClaims, JsonWebRespons

339

346

`String claimName = it.next();

340

347

`JansAttribute jansAttribute = attributeService.getByClaimName(claimName);

341

348

342

if (jansAttribute != null) {

349

if (jansAttribute != null && validateRequesteClaim(jansAttribute, client.getClaims(), scopes)) {

343

350

`String ldapClaimName = jansAttribute.getName();

344

351

345

352

`Object attribute = user.getAttribute(ldapClaimName, false, jansAttribute.getOxMultiValuedAttribute());

353

log.trace("setClaimsFromRequestedClaims - put in id_token requested claim {}", claimName);

346

354

347

355

`if (attribute instanceof List) {

348

356

`jwr.getClaims().setClaim(claimName, (List) attribute);

`@@ -390,6 +398,8 @@ private void setClaimsFromJwtAuthorizationRequest(JsonWebResponse jwr, IAuthoriz

390

398

`if (validateRequesteClaim(jansAttribute, client.getClaims(), scopes)) {

391

399

`String ldapClaimName = jansAttribute.getName();

392

400

`Object attribute = authorizationGrant.getUser().getAttribute(ldapClaimName, optional, jansAttribute.getOxMultiValuedAttribute());

401

+

402

log.trace("setClaimsFromJwtAuthorizationRequest - put in id_token requested claim {}", claim.getName());

393

403

`jwr.getClaims().setClaimFromJsonObject(claim.getName(), attribute);

394

404

` }

395

405

` }