OIDC: extract claims from JWT access token

pac4j-oidc/src/main/java/org/pac4j/oidc/profile/creator/OidcProfileCreator.java

@@ -3,8 +3,13 @@
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.proc.BadJOSEException;
 import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.JWTParser;
 import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.openid.connect.sdk.*;
+import com.nimbusds.openid.connect.sdk.Nonce;
+import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoRequest;
+import com.nimbusds.openid.connect.sdk.UserInfoResponse;
+import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.context.session.SessionStore;
 import org.pac4j.core.credentials.Credentials;
@@ -69,6 +74,7 @@ public Optional<UserProfile> create(final Credentials cred, final WebContext con
         profile.setAccessToken(accessToken);
         final var idToken = credentials.getIdToken();
         profile.setIdTokenString(idToken.getParsedString());
+        profile.setAccessToken(accessToken);
         // Check if there is a refresh token
         final var refreshToken = credentials.getRefreshToken();
         if (refreshToken != null && !refreshToken.getValue().isEmpty()) {
@@ -96,12 +102,12 @@ public Optional<UserProfile> create(final Credentials cred, final WebContext con
                 configuration.configureHttpRequest(userInfoHttpRequest);
                 final var httpResponse = userInfoHttpRequest.send();
                 logger.debug("User info response: status={}, content={}", httpResponse.getStatusCode(),
-                        httpResponse.getContent());
+                    httpResponse.getContent());
 
                 final var userInfoResponse = UserInfoResponse.parse(httpResponse);
                 if (userInfoResponse instanceof UserInfoErrorResponse) {
                     logger.error("Bad User Info response, error={}",
-                            ((UserInfoErrorResponse) userInfoResponse).getErrorObject());
+                        ((UserInfoErrorResponse) userInfoResponse).getErrorObject());
                 } else {
                     final var userInfoSuccessResponse = (UserInfoSuccessResponse) userInfoResponse;
                     final JWTClaimsSet userInfoClaimsSet;
@@ -128,6 +134,8 @@ public Optional<UserProfile> create(final Credentials cred, final WebContext con
                 }
             }
 
+            collectClaimsFromAccessTokenIfAny(credentials, nonce, profile);
+
             // session expiration with token behavior
             profile.setTokenExpirationAdvance(configuration.getTokenExpirationAdvance());
 
@@ -143,4 +151,25 @@ public Optional<UserProfile> create(final Credentials cred, final WebContext con
             throw new TechnicalException(e);
         }
     }
+
+    private void collectClaimsFromAccessTokenIfAny(final OidcCredentials credentials,
+                                                   final Nonce nonce, OidcProfile profile) {
+        try {
+            var accessTokenJwt = JWTParser.parse(credentials.getAccessToken().getValue());
+            var accessTokenClaims = configuration.findTokenValidator().validate(accessTokenJwt, nonce);
+
+            // add attributes of the access token if they don't already exist
+            for (final var entry : accessTokenClaims.toJWTClaimsSet().getClaims().entrySet()) {
+                final var key = entry.getKey();
+                final var value = entry.getValue();
+                if (!JwtClaims.SUBJECT.equals(key) && profile.getAttribute(key) == null) {
+                    getProfileDefinition().convertAndAdd(profile, PROFILE_ATTRIBUTE, key, value);
+                }
+            }
+        } catch (final ParseException | JOSEException | BadJOSEException e) {
+            logger.debug(e.getMessage(), e);
+        } catch (final Exception e) {
+            throw new TechnicalException(e);
+        }
+    }
 }