bshaffer · bshaffer · Sep 16, 2014 · Sep 16, 2014
diff --git a/src/OAuth2/ResponseType/JwtAccessToken.php b/src/OAuth2/ResponseType/JwtAccessToken.php
@@ -29,6 +29,7 @@ public function __construct(PublicKeyInterface $publicKeyStorage = null, AccessT
         $this->publicKeyStorage = $publicKeyStorage;
         $config = array_merge(array(
             'store_encrypted_token_string' => true,
+            'issuer' => ''
         ), $config);
         if (is_null($tokenStorage)) {
             // a pass-thru, so we can call the parent constructor
@@ -62,9 +63,11 @@ public function createAccessToken($client_id, $user_id, $scope = null, $includeR
         $expires = time() + $this->config['access_lifetime'];
         $jwtAccessToken = array(
             'id'         => $this->generateAccessToken(),
-            'client_id'  => $client_id,
-            'user_id'    => $user_id,
-            'expires'    => $expires,
+            'iss'        => $this->config['issuer'],
+            'aud'        => $client_id,
+            'sub'        => $user_id,
+            'exp'        => $expires,
+            'iat'        => time(),
             'token_type' => $this->config['token_type'],
             'scope'      => $scope
         );

diff --git a/src/OAuth2/Storage/JwtAccessToken.php b/src/OAuth2/Storage/JwtAccessToken.php
@@ -39,7 +39,7 @@ public function getAccessToken($oauth_token)
             return false;
         }
 
-        $client_id  = isset($tokenData['client_id']) ? $tokenData['client_id'] : null;
+        $client_id  = isset($tokenData['aud']) ? $tokenData['aud'] : null;
         $public_key = $this->publicKeyStorage->getPublicKey($client_id);
         $algorithm  = $this->publicKeyStorage->getEncryptionAlgorithm($client_id);
 
@@ -48,7 +48,8 @@ public function getAccessToken($oauth_token)
             return false;
         }
 
-        return $tokenData;
+        // normalize the JWT claims to the format expected by other components in this library
+        return $this->convertJwtToOAuth2($tokenData);
     }
 
     public function setAccessToken($oauth_token, $client_id, $user_id, $expires, $scope = null)
@@ -57,4 +58,23 @@ public function setAccessToken($oauth_token, $client_id, $user_id, $expires, $sc
             return $this->tokenStorage->setAccessToken($oauth_token, $client_id, $user_id, $expires, $scope);
         }
     }
+
+    // converts a JWT access token into an OAuth2-friendly format
+    protected function convertJwtToOAuth2($tokenData)
+    {
+        $keyMapping = array(
+            'aud' => 'client_id',
+            'exp' => 'expires',
+            'sub' => 'user_id'
+        );
+
+        foreach ($keyMapping as $jwtKey => $oauth2Key) {
+            if (isset($tokenData[$jwtKey])) {
+                $tokenData[$oauth2Key] = $tokenData[$jwtKey];
+                unset($tokenData[$jwtKey]);                
+            }
+        }
+
+        return $tokenData;
+    }
 }
diff --git a/test/OAuth2/ResponseType/JwtAccessTokenTest.php b/test/OAuth2/ResponseType/JwtAccessTokenTest.php
@@ -10,9 +10,34 @@
 use OAuth2\GrantType\ClientCredentials;
 use OAuth2\GrantType\UserCredentials;
 use OAuth2\GrantType\RefreshToken;
+use OAuth2\Encryption\Jwt;
 
 class JwtAccessTokenTest extends \PHPUnit_Framework_TestCase
 {
+    public function testCreateAccessToken()
+    {
+        $server = $this->getTestServer();
+        $jwtResponseType = $server->getResponseType('token');
+
+        $accessToken = $jwtResponseType->createAccessToken('Test Client ID', 123, 'test', false);
+        $jwt = new Jwt;
+        $decodedAccessToken = $jwt->decode($accessToken['access_token'], null, false);
+
+        $this->assertArrayHasKey('id', $decodedAccessToken);
+        $this->assertArrayHasKey('iss', $decodedAccessToken);
+        $this->assertArrayHasKey('aud', $decodedAccessToken);
+        $this->assertArrayHasKey('exp', $decodedAccessToken);
+        $this->assertArrayHasKey('iat', $decodedAccessToken);
+        $this->assertArrayHasKey('token_type', $decodedAccessToken);
+        $this->assertArrayHasKey('scope', $decodedAccessToken);
+
+        $this->assertEquals('https://api.example.com', $decodedAccessToken['iss']);
+        $this->assertEquals('Test Client ID', $decodedAccessToken['aud']);
+        $this->assertEquals(123, $decodedAccessToken['sub']);
+        $delta = $decodedAccessToken['exp'] - $decodedAccessToken['iat'];
+        $this->assertEquals(3600, $delta);
+    }
+
     public function testGrantJwtAccessToken()
     {
         // add the test parameters in memory
@@ -125,7 +150,8 @@ private function getTestServer()
         $server->addGrantType(new ClientCredentials($memoryStorage));
 
         // make the "token" response type a JwtAccessToken
-        $server->addResponseType(new JwtAccessToken($memoryStorage, $memoryStorage));
+        $config = array('issuer' => 'https://api.example.com');
+        $server->addResponseType(new JwtAccessToken($memoryStorage, $memoryStorage, null, $config));
 
         return $server;
     }