add more details to the #findById() result #claim() call to allow for fine grain tuning of returned claims

Author: panva

docs/configuration.md

@@ -870,11 +870,18 @@ affects: authorization, authorization_code and refresh_token grants, id token cl
 default value:
 ```js
 async findById(ctx, id, token) {
-  // token is a reference to the token used for which a given account is being loaded,
-  // is undefined in scenarios where claims are returned from authorization endpoint
+  // "token" is a reference to the token used for which a given account is being loaded,
+  //   is undefined in scenarios where claims are returned from authorization endpoint
   return {
     accountId: id,
-    async claims() { return { sub: id }; },
+    async claims(use, scope) {
+      // "use" can either be "id_token" or "userinfo", depending on where the specific claims are
+      //   intended to be put in
+      // "scope" is the intended scope, while oidc-provider will mask claims depending on the
+      //   scope automatically you might want to skip loading some claims from external resources
+      //   etc. based on this detail or not return them in id tokens but only userinfo and so on.
+      return { sub: id };
+    },
   };
 }
 ```
@@ -1112,7 +1119,7 @@ default value:
 
 ### routes
 
-Routing values used by the OP  
+Routing values used by the OP. Only provide routes starting with "/"  
 affects: routing  
 
 default value:

lib/actions/authorization/process_response_types.js

@@ -53,11 +53,15 @@ module.exports = (provider) => {
   }
 
   async function idTokenHandler(ctx) {
-    const token = new IdToken(Object.assign({}, await ctx.oidc.account.claims(), {
-      acr: ctx.oidc.acr,
-      amr: ctx.oidc.amr,
-      auth_time: ctx.oidc.session.authTime(),
-    }), ctx.oidc.client.sectorIdentifier);
+    const token = new IdToken(Object.assign(
+      {},
+      await ctx.oidc.account.claims('id_token', ctx.oidc.params.scope),
+      {
+        acr: ctx.oidc.acr,
+        amr: ctx.oidc.amr,
+        auth_time: ctx.oidc.session.authTime(),
+      },
+    ), ctx.oidc.client.sectorIdentifier);
 
     token.scope = ctx.oidc.params.scope;
     token.mask = get(ctx.oidc.claims, 'id_token', {});

lib/actions/grants/authorization_code.js

@@ -97,7 +97,7 @@ module.exports.handler = function getAuthorizationCodeHandler(provider) {
       refreshToken = await rt.save();
     }
 
-    const token = new IdToken(Object.assign({}, await account.claims(), {
+    const token = new IdToken(Object.assign({}, await account.claims('id_token', code.scope), {
       acr: code.acr,
       amr: code.amr,
       auth_time: code.authTime,

lib/actions/grants/refresh_token.js

@@ -87,7 +87,7 @@ module.exports.handler = function getRefreshTokenHandler(provider) {
     const accessToken = await at.save();
     const { expiresIn } = AccessToken;
 
-    const token = new IdToken(Object.assign({}, await account.claims(), {
+    const token = new IdToken(Object.assign({}, await account.claims('id_token', at.scope), {
       acr: refreshToken.acr,
       amr: refreshToken.amr,
       auth_time: refreshToken.authTime,

lib/actions/userinfo.js

@@ -118,7 +118,7 @@ module.exports = function userinfoAction(provider) {
       if (client.userinfoSignedResponseAlg || client.userinfoEncryptedResponseAlg) {
         const { IdToken } = provider;
         const token = new IdToken(
-          await ctx.oidc.account.claims(),
+          await ctx.oidc.account.claims('userinfo', scope),
           client.sectorIdentifier,
         );
 
@@ -137,7 +137,7 @@ module.exports = function userinfoAction(provider) {
         ctx.type = 'application/jwt; charset=utf-8';
       } else {
         const mask = new Claims(
-          await ctx.oidc.account.claims(),
+          await ctx.oidc.account.claims('userinfo', scope),
           client.sectorIdentifier,
         );
 

lib/helpers/defaults.js

@@ -178,7 +178,7 @@ const DEFAULTS = {
   /*
    * routes
    *
-   * description: Routing values used by the OP
+   * description: Routing values used by the OP. Only provide routes starting with "/"
    * affects: routing
    */
   routes: {
@@ -450,12 +450,19 @@ const DEFAULTS = {
    * affects: authorization, authorization_code and refresh_token grants, id token claims
    */
   async findById(ctx, id, token) { // eslint-disable-line no-unused-vars
-    // token is a reference to the token used for which a given account is being loaded,
-    // is undefined in scenarios where claims are returned from authorization endpoint
+    // "token" is a reference to the token used for which a given account is being loaded,
+    //   is undefined in scenarios where claims are returned from authorization endpoint
     changeme('findById', 'to use your own account model');
     return {
       accountId: id,
-      async claims() { return { sub: id }; },
+      async claims(use, scope) { // eslint-disable-line no-unused-vars
+        // "use" can either be "id_token" or "userinfo", depending on where the specific claims are
+        //   intended to be put in
+        // "scope" is the intended scope, while oidc-provider will mask claims depending on the
+        //   scope automatically you might want to skip loading some claims from external resources
+        //   etc. based on this detail or not return them in id tokens but only userinfo and so on.
+        return { sub: id };
+      },
     };
   },