Parse scope in structured access token.

jaredhanson · Feb 24, 2014 · 89bbed5 · 89bbed5
1 parent 6222985
commit 89bbed5
Showing 1 changed file with 19 additions and 5 deletions.
diff --git a/lib/decode/sat.js b/lib/decode/sat.js
@@ -34,18 +34,19 @@ module.exports = function(options, keying) {
     }
     opts = opts || {};
 
+    var aliases = audience;
+    if (opts.audience) {
+      aliases = audience.concat(opts.audience);
+    }
+
+
     // Decode the JWT so the header and payload are available, as they contain
     // fields needed to find the corresponding key.  Note that at this point, the
     // assertion has not actually been verified.  It will be verified later, after
     // the keying material has been retrieved.
     var token = jws.decode(data, { json: true });
     if (!token) { return cb(); }
 
-    var aliases = audience;
-    if (opts.audience) {
-      aliases = audience.concat(opts.audience);
-    }
-
     var header = token.header
       , payload = token.payload;
 
@@ -89,6 +90,19 @@ module.exports = function(options, keying) {
       claims.audience = aud;
       claims.expiresAt = moment.unix(payload.exp).toDate();
       if (payload.azp) { claims.authorizedPresenter = payload.azp; }
+      if (payload.scope) {
+        // NOTE: "scope" is not defined as a claim by the SAT specification.
+        //       However, it is widely needed when making authorization
+        //       decisions, and is parsed here as a convienience.  The parsing
+        //       is in accordance with established industry conventions, as set
+        //       by Google, IETF drafts, and others.
+        //
+        // References:
+        //   - https://developers.google.com/accounts/docs/OAuth2ServiceAccount
+        //   - http://tools.ietf.org/html/draft-richer-oauth-introspection-04
+
+        claims.scope = payload.scope.split(' ');
+      }
 
       return cb(null, claims);
     }