diff --git a/docs/configuration.md b/docs/configuration.md
index 7b84851d3..65c25b99b 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -870,11 +870,18 @@ affects: authorization, authorization_code and refresh_token grants, id token cl
 default value:
 ```js
 async findById(ctx, id, token) {
- // token is a reference to the token used for which a given account is being loaded,
- // is undefined in scenarios where claims are returned from authorization endpoint
+ // "token" is a reference to the token used for which a given account is being loaded,
+ // is undefined in scenarios where claims are returned from authorization endpoint
 return {
 accountId: id,
- async claims() { return { sub: id }; },
+ async claims(use, scope) {
+ // "use" can either be "id_token" or "userinfo", depending on where the specific claims are
+ // intended to be put in
+ // "scope" is the intended scope, while oidc-provider will mask claims depending on the
+ // scope automatically you might want to skip loading some claims from external resources
+ // etc. based on this detail or not return them in id tokens but only userinfo and so on.
+ return { sub: id };
+ },
 };
 }
 ```
@@ -1112,7 +1119,7 @@ default value:
 ### routes
-Routing values used by the OP
+Routing values used by the OP. Only provide routes starting with "/"
 affects: routing
 default value:
diff --git a/lib/actions/authorization/process_response_types.js b/lib/actions/authorization/process_response_types.js
index c6cfc397c..b60787910 100644
--- a/lib/actions/authorization/process_response_types.js
+++ b/lib/actions/authorization/process_response_types.js
@@ -53,11 +53,15 @@ module.exports = (provider) => {
 }
 async function idTokenHandler(ctx) {
- const token = new IdToken(Object.assign({}, await ctx.oidc.account.claims(), {
- acr: ctx.oidc.acr,
- amr: ctx.oidc.amr,
- auth_time: ctx.oidc.session.authTime(),
- }), ctx.oidc.client.sectorIdentifier);
+ const token = new IdToken(Object.assign(
+ {},
+ await ctx.oidc.account.claims('id_token', ctx.oidc.params.scope),
+ {
+ acr: ctx.oidc.acr,
+ amr: ctx.oidc.amr,
+ auth_time: ctx.oidc.session.authTime(),
+ },
+ ), ctx.oidc.client.sectorIdentifier);
 token.scope = ctx.oidc.params.scope;
 token.mask = get(ctx.oidc.claims, 'id_token', {});
diff --git a/lib/actions/grants/authorization_code.js b/lib/actions/grants/authorization_code.js
index c34b06b54..99783c43b 100644
--- a/lib/actions/grants/authorization_code.js
+++ b/lib/actions/grants/authorization_code.js
@@ -97,7 +97,7 @@ module.exports.handler = function getAuthorizationCodeHandler(provider) {
 refreshToken = await rt.save();
 }
- const token = new IdToken(Object.assign({}, await account.claims(), {
+ const token = new IdToken(Object.assign({}, await account.claims('id_token', code.scope), {
 acr: code.acr,
 amr: code.amr,
 auth_time: code.authTime,
diff --git a/lib/actions/grants/refresh_token.js b/lib/actions/grants/refresh_token.js
index 5b288b283..c07af4a7a 100644
--- a/lib/actions/grants/refresh_token.js
+++ b/lib/actions/grants/refresh_token.js
@@ -87,7 +87,7 @@ module.exports.handler = function getRefreshTokenHandler(provider) {
 const accessToken = await at.save();
 const { expiresIn } = AccessToken;
- const token = new IdToken(Object.assign({}, await account.claims(), {
+ const token = new IdToken(Object.assign({}, await account.claims('id_token', at.scope), {
 acr: refreshToken.acr,
 amr: refreshToken.amr,
 auth_time: refreshToken.authTime,
diff --git a/lib/actions/userinfo.js b/lib/actions/userinfo.js
index c0580d3d2..5d909e007 100644
--- a/lib/actions/userinfo.js
+++ b/lib/actions/userinfo.js
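Review bot: The scope forwarded to the account model is not the same kind of value at the three id_token call sites: idTokenHandler passes the raw request parameter `ctx.oidc.params.scope`, while the authorization_code and refresh_token hunks pass the persisted `code.scope` and `at.scope`. Whether `ctx.oidc.params.scope` has already been reduced to what the client may request is not visible in this hunk, so a custom `claims()` that loads data from external resources based on `scope` (as the new defaults.js comment invites) should treat it as a requested value rather than as an authorization decision; the provider's own filtering on the lines that follow, `token.scope = ctx.oidc.params.scope;` and `token.mask = get(ctx.oidc.claims, 'id_token', {});`, still applies regardless of what the account model returns. A one-line comment above the `new IdToken(` call would make that explicit: `// the account model receives the requested scope; token.scope/token.mask below still filter what is issued`. idTokenHandler continues past the end of the hunk.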
@@ -118,7 +118,7 @@ module.exports = function userinfoAction(provider) {
 if (client.userinfoSignedResponseAlg || client.userinfoEncryptedResponseAlg) {
 const { IdToken } = provider;
 const token = new IdToken(
- await ctx.oidc.account.claims(),
+ await ctx.oidc.account.claims('userinfo', scope),
 client.sectorIdentifier,
 );
@@ -137,7 +137,7 @@ module.exports = function userinfoAction(provider) {
 ctx.type = 'application/jwt; charset=utf-8';
 } else {
 const mask = new Claims(
- await ctx.oidc.account.claims(),
+ await ctx.oidc.account.claims('userinfo', scope),
 client.sectorIdentifier,
 );
diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
index c8e5e4bd9..3afc2c071 100644
--- a/lib/helpers/defaults.js
+++ b/lib/helpers/defaults.js
@@ -178,7 +178,7 @@ const DEFAULTS = {
 /*
 * routes
 *
- * description: Routing values used by the OP
+ * description: Routing values used by the OP. Only provide routes starting with "/"
 * affects: routing
 */
 routes: {
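Review bot: Both branches of the `if` now make the identical call `await ctx.oidc.account.claims('userinfo', scope)` (this hunk and the one at line 137), so the account model is invoked from two places that have to be kept in sync; hoisting the call above the `if` on the hunk's first line leaves a single invocation and a single place to change. Proposed lines: `const claims = await ctx.oidc.account.claims('userinfo', scope);` before the `if`, then `new IdToken(claims, client.sectorIdentifier)` and `new Claims(claims, client.sectorIdentifier)` in the two branches. `scope` is declared outside both hunks, as is the rest of userinfoAction, so where it comes from cannot be checked here.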
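Review bot: The new description of `routes` turns "starts with "/"" into a requirement on user configuration, but the hunk adds only the comment; if the configuration loader does not already reject a route without a leading slash (it is not visible here), a startup-time check would report the misconfiguration as an error instead of leaving a route that never matches. If such validation already exists elsewhere, naming it in the comment would save the next reader the search.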
@@ -450,12 +450,19 @@ const DEFAULTS = {
 * affects: authorization, authorization_code and refresh_token grants, id token claims
 */
 async findById(ctx, id, token) { // eslint-disable-line no-unused-vars
- // token is a reference to the token used for which a given account is being loaded,
- // is undefined in scenarios where claims are returned from authorization endpoint
+ // "token" is a reference to the token used for which a given account is being loaded,
+ // is undefined in scenarios where claims are returned from authorization endpoint
 changeme('findById', 'to use your own account model');
 return {
 accountId: id,
- async claims() { return { sub: id }; },
+ async claims(use, scope) { // eslint-disable-line no-unused-vars
+ // "use" can either be "id_token" or "userinfo", depending on where the specific claims are
+ // intended to be put in
+ // "scope" is the intended scope, while oidc-provider will mask claims depending on the
+ // scope automatically you might want to skip loading some claims from external resources
+ // etc. based on this detail or not return them in id tokens but only userinfo and so on.
+ return { sub: id };
+ },
 };
 },
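Review bot: The new comment on `claims(use, scope)` explains the two arguments but not how the returned object is consumed, which is what an implementer needs when deciding what to return: at the id_token call sites in this commit (process_response_types.js, authorization_code.js, refresh_token.js) the result goes through `Object.assign({}, claims, { acr, amr, auth_time })`, so those three keys are overwritten by provider-held values, and the token is masked afterwards. Suggest appending to the comment block: `// for id tokens the returned object is merged under the provider's own acr/amr/auth_time values and is` / `// masked against the requested claims/scope afterwards, so returning extra keys is harmless`. The `scope` argument is `ctx.oidc.params.scope`, `code.scope` or `at.scope` depending on the caller — presumably a space-delimited scope string, but its type is not visible in this diff, so the comment should state it before implementers start parsing it.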