Skip to content

jwt: support PrivateClaims in Config #374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 7 commits into from
Closed

jwt: support PrivateClaims in Config #374

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
9dd27cc
Add optional PrivateClaims to jwt.Config
wlhee Mar 8, 2019
8baca54
Test PrivateClaims support in jwt.go.
wlhee Mar 8, 2019
339f364
Support using ID token as the ouath access token.
wlhee Mar 8, 2019
b33c8d1
Updated comments and format.
wlhee Mar 8, 2019
a5a809a
Update docs in jwt.go.
wlhee Apr 14, 2019
ac8ecd8
Returns error when UseIDToken is true but response doesn't have ID to…
wlhee May 17, 2019
7a6e247
Update print format in jwt_test.go.
wlhee May 17, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 18 additions & 3 deletions jwt/jwt.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,14 @@ type Config struct {
// request. If empty, the value of TokenURL is used as the
// intended audience.
Audience string

// PrivateClaims optionally specifies custom private claims in the JWT.
// See http://tools.ietf.org/html/draft-jones-json-web-token-10#section-4.3
PrivateClaims map[string]interface{}

// UseIDToken optionally specifies whether ID token should be used instead
// of access token when the server returns both.
UseIDToken bool
}

// TokenSource returns a JWT TokenSource using the configuration
Expand Down Expand Up @@ -97,9 +105,10 @@ func (js jwtSource) Token() (*oauth2.Token, error) {
}
hc := oauth2.NewClient(js.ctx, nil)
claimSet := &jws.ClaimSet{
Iss: js.conf.Email,
Scope: strings.Join(js.conf.Scopes, " "),
Aud: js.conf.TokenURL,
Iss: js.conf.Email,
Scope: strings.Join(js.conf.Scopes, " "),
Aud: js.conf.TokenURL,
PrivateClaims: js.conf.PrivateClaims,
}
if subject := js.conf.Subject; subject != "" {
claimSet.Sub = subject
Expand Down Expand Up @@ -166,5 +175,11 @@ func (js jwtSource) Token() (*oauth2.Token, error) {
}
token.Expiry = time.Unix(claimSet.Exp, 0)
}
if js.conf.UseIDToken {
if tokenRes.IDToken == "" {
return nil, fmt.Errorf("oauth2: response doesn't have JWT token")
}
token.AccessToken = tokenRes.IDToken
}
return token, nil
}
23 changes: 23 additions & 0 deletions jwt/jwt_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import (
"fmt"
"net/http"
"net/http/httptest"
"reflect"
"strings"
"testing"

Expand Down Expand Up @@ -221,6 +222,16 @@ func TestJWTFetch_AssertionPayload(t *testing.T) {
TokenURL: ts.URL,
Audience: "https://example.com",
},
{
Email: "aaa2@xxx.com",
PrivateKey: dummyPrivateKey,
PrivateKeyID: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
TokenURL: ts.URL,
PrivateClaims: map[string]interface{}{
"private0": "claim0",
"private1": "claim1",
},
},
} {
t.Run(conf.Email, func(t *testing.T) {
_, err := conf.TokenSource(context.Background()).Token()
Expand Down Expand Up @@ -261,6 +272,18 @@ func TestJWTFetch_AssertionPayload(t *testing.T) {
if got, want := claimSet.Prn, conf.Subject; got != want {
t.Errorf("payload prn = %q; want %q", got, want)
}
if len(conf.PrivateClaims) > 0 {
var got interface{}
if err := json.Unmarshal(gotjson, &got); err != nil {
t.Errorf("failed to parse payload; err = %q", err)
}
m := got.(map[string]interface{})
for v, k := range conf.PrivateClaims {
if !reflect.DeepEqual(m[v], k) {
t.Errorf("payload private claims key = %q: got %#v; want %#v", v, m[v], k)
}
}
}
})
}
}
Expand Down