fix: allowed_top_level_claims set to nil (#3245)

ory · Sep 8, 2022 · cd2c252 · cd2c252
1 parent 046b1eb
commit cd2c252
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/oauth2/session.go b/oauth2/session.go
@@ -78,7 +78,9 @@ func (s *Session) GetJWTClaims() jwt.JWTClaimsContainer {
 
 	//setting every allowed claim top level in jwt with respective value
 	for _, allowedClaim := range allowedClaimsFromConfigWithoutReserved {
-		topLevelExtraWithMirrorExt[allowedClaim] = s.Extra[allowedClaim]
+		if cl, ok := s.Extra[allowedClaim]; ok {
+			topLevelExtraWithMirrorExt[allowedClaim] = cl
+		}
 	}
 
 	//for every other claim that was already reserved and for mirroring, add original extra under "ext"

diff --git a/oauth2/session_custom_claims_test.go b/oauth2/session_custom_claims_test.go
@@ -191,6 +191,36 @@ func TestCustomClaimsInSession(t *testing.T) {
 		require.Contains(t, extClaims, "sub")
 		assert.EqualValues(t, "another-alice", extClaims["sub"])
 	})
+	t.Run("unused_config_claims", func(t *testing.T) {
+		c.MustSet(ctx, config.KeyAllowedTopLevelClaims, []string{"foo", "bar"})
+		extra := map[string]interface{}{"foo": "foo_value", "baz": "baz_value", "sub": "another-alice"}
+
+		session := createSessionWithCustomClaims(extra, c.AllowedTopLevelClaims(ctx))
+
+		claims := session.GetJWTClaims().ToMapClaims()
+
+		assert.EqualValues(t, "alice", claims["sub"])
+		assert.NotEqual(t, "another-alice", claims["sub"])
+
+		require.Contains(t, claims, "iss")
+		assert.EqualValues(t, "hydra.localhost", claims["iss"])
+
+		require.Contains(t, claims, "foo")
+		assert.EqualValues(t, "foo_value", claims["foo"])
+
+		assert.NotContains(t, claims, "bar")
+		assert.NotContains(t, claims, "baz")
+
+		require.Contains(t, claims, "ext")
+		extClaims, ok := claims["ext"].(map[string]interface{})
+		require.True(t, ok)
+
+		require.Contains(t, extClaims, "foo")
+		assert.EqualValues(t, "foo_value", extClaims["foo"])
+
+		require.Contains(t, extClaims, "sub")
+		assert.EqualValues(t, "another-alice", extClaims["sub"])
+	})
 	t.Run("config_claims_contain_reserved_claims", func(t *testing.T) {
 		c.MustSet(ctx, config.KeyAllowedTopLevelClaims, []string{"iss", "sub"})
 		extra := map[string]interface{}{"iss": "hydra.remote", "sub": "another-alice"}