diff --git a/docs/README.md b/docs/README.md index 7103cda3c..60141c602 100644 --- a/docs/README.md +++ b/docs/README.md @@ -462,7 +462,7 @@ location / { - [cookies](#cookies) - [discovery](#discovery) - [expiresWithSession](#expireswithsession) -- [extraAccessTokenClaims](#extraaccesstokenclaims) +- [extraTokenClaims](#extratokenclaims) - [extraClientMetadata](#extraclientmetadata) - [extraParams](#extraparams) - [formats](#formats) @@ -2152,32 +2152,6 @@ async function expiresWithSession(ctx, token) { } ``` -### extraAccessTokenClaims - -Function used to get additional access token claims when it is being issued. These claims will be available in your storage under property `extra`, returned by introspection as top level claims and pushed into `jwt`, and `jwt-ietf` formatted tokens as top level claims as well. Returned claims may not overwrite other top level claims. - - - -_**default value**_: -```js -async function extraAccessTokenClaims(ctx, token) { - return undefined; -} -``` -
(Click to expand) To push additional claims to an Access Token -
- -```js -{ - extraAccessTokenClaims(ctx, token) { - return { - 'urn:oidc-provider:example:foo': 'bar', - }; - } -} -``` -
- ### extraClientMetadata Allows for custom client metadata to be defined, validated, manipulated as well as for existing property validations to be extended. Existing properties are snakeCased on a Client instance (e.g. `client.redirectUris`), new properties (defined by this configuration) will be avaialable with their names verbatim (e.g. `client['urn:example:client:my-property']`) @@ -2269,6 +2243,32 @@ _**default value**_: [] ``` +### extraTokenClaims + +Function used to get additional access token claims when it is being issued. These claims will be available in your storage under property `extra`, returned by introspection as top level claims and pushed into `jwt`, and `jwt-ietf` formatted tokens as top level claims as well. Returned claims may not overwrite other top level claims. + + + +_**default value**_: +```js +async function extraTokenClaims(ctx, token) { + return undefined; +} +``` +
(Click to expand) To push additional claims to an Access Token +
+ +```js +{ + extraTokenClaims(ctx, token) { + return { + 'urn:oidc-provider:example:foo': 'bar', + }; + } +} +``` +
+ ### formats This option allows to configure the token value format. The different values change how a client-facing token value is generated. @@ -2318,7 +2318,7 @@ Configure `formats`: ### formats.customizers -Functions used before signing a structured Access Token of a given type, such as a JWT one. Customizing here only changes the structured Access Token, not your storage, introspection or anything else. For such extras use [`extraAccessTokenClaims`](#extraaccesstokenclaims) instead. +Functions used before signing a structured Access Token of a given type, such as a JWT one. Customizing here only changes the structured Access Token, not your storage, introspection or anything else. For such extras use [`extraTokenClaims`](#extratokenclaims) instead. diff --git a/example/my_adapter.js b/example/my_adapter.js index 9974dae87..66bcef875 100644 --- a/example/my_adapter.js +++ b/example/my_adapter.js @@ -52,7 +52,7 @@ class MyAdapter { * - authTime {number} - timestamp of the end-user's authentication * - claims {object} - claims parameter (see claims in OIDC Core 1.0), rejected claims * are, in addition, pushed in as an Array of Strings in the `rejected` property. - * - extra {object} - extra claims returned by the extraAccessTokenClaims helper + * - extra {object} - extra claims returned by the extraTokenClaims helper * - codeChallenge {string} - client provided PKCE code_challenge value * - codeChallengeMethod {string} - client provided PKCE code_challenge_method value * - sessionUid {string} - uid of a session this token stems from diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js index 4db4d5f9b..5c5a7a7fd 100644 --- a/lib/helpers/defaults.js +++ b/lib/helpers/defaults.js 
@@ -243,7 +243,7 @@ function webMessageResponseModeScriptNonce(ctx) { // eslint-disable-line no-unus return undefined; } -async function extraAccessTokenClaims(ctx, token) { // eslint-disable-line no-unused-vars +async function extraTokenClaims(ctx, token) { // eslint-disable-line no-unused-vars return undefined; } @@ -1635,7 +1635,7 @@ function getDefaults() { }, /* - * extraAccessTokenClaims + * extraTokenClaims * * description: Function used to get additional access token claims * when it is being issued. These claims will be available in your storage under @@ -1646,7 +1646,7 @@ function getDefaults() { * example: To push additional claims to an Access Token * ```js * { - * extraAccessTokenClaims(ctx, token) { + * extraTokenClaims(ctx, token) { * return { * 'urn:oidc-provider:example:foo': 'bar', * }; @@ -1654,7 +1654,7 @@ function getDefaults() { * } * ``` */ - extraAccessTokenClaims, + extraTokenClaims, /* * formats @@ -1709,7 +1709,7 @@ function getDefaults() { * description: Functions used before signing a structured Access Token of a * given type, such as a JWT one. Customizing here only changes the structured Access * Token, not your storage, introspection or anything else. For such extras use - * [`extraAccessTokenClaims`](#extraaccesstokenclaims) instead. + * [`extraTokenClaims`](#extratokenclaims) instead. * * example: To push additional claims to a `jwt` format Access Token payload * ```js diff --git a/lib/models/formats/opaque.js b/lib/models/formats/opaque.js index 1d6b282d8..0658e3af5 100644 --- a/lib/models/formats/opaque.js +++ b/lib/models/formats/opaque.js @@ -30,7 +30,7 @@ module.exports = (provider) => ({ }; if (withExtra.has(this.kind)) { - payload.extra = await instance(provider).configuration('extraAccessTokenClaims')(ctxRef.get(this), this); + payload.extra = await instance(provider).configuration('extraTokenClaims')(ctxRef.get(this), this); } return [value, payload]; 
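Review bot: The lookup in `lib/models/formats/opaque.js` now reads only `configuration('extraTokenClaims')`, and the same rename applies to the default in `lib/helpers/defaults.js` and the `getDefaults()` entry. A deployment that still sets `extraAccessTokenClaims` would presumably fall through to the default, which returns `undefined`, and issue tokens with no `extra` claims and no error, unless configuration validation outside this diff rejects the old key. Resource servers that make authorization decisions on those claims would then see them disappear from storage, introspection and JWT payloads. Consider failing fast where the configuration is validated, along the lines of `if ('extraAccessTokenClaims' in config) throw new TypeError('extraAccessTokenClaims was renamed to extraTokenClaims');` (the variable name is a placeholder), and marking the rename as breaking in the release notes. `getDefaults()` starts and ends outside these hunks, so existing handling of unknown keys cannot be confirmed from here.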
diff --git a/test/formats/formats.config.js b/test/formats/formats.config.js index 857d370d0..01635b987 100644 --- a/test/formats/formats.config.js +++ b/test/formats/formats.config.js @@ -3,7 +3,7 @@ const merge = require('lodash/merge'); const config = cloneDeep(require('../default.config')); -config.extraAccessTokenClaims = () => ({ foo: 'bar' }); +config.extraTokenClaims = () => ({ foo: 'bar' }); merge(config.features, { registration: { initialAccessToken: true, diff --git a/types/index.d.ts b/types/index.d.ts index 7f9fad133..0db94ab1d 100644 --- a/types/index.d.ts +++ b/types/index.d.ts @@ -967,7 +967,7 @@ export interface Configuration { }; }; - extraAccessTokenClaims?: (ctx: KoaContextWithOIDC, token: AccessToken | ClientCredentials) => CanBePromise ; + extraTokenClaims?: (ctx: KoaContextWithOIDC, token: AccessToken | ClientCredentials) => CanBePromise ; formats?: { AccessToken?: AccessTokenFormatFunction | TokenFormat; diff --git a/types/oidc-provider-tests.ts b/types/oidc-provider-tests.ts index 191b8b7a1..db3ca7c5c 100644 --- a/types/oidc-provider-tests.ts +++ b/types/oidc-provider-tests.ts @@ -147,7 +147,7 @@ const provider = new Provider('https://op.example.com', { }, }, extraParams: ['foo', 'bar', 'baz'], - async extraAccessTokenClaims(ctx, token) { + async extraTokenClaims(ctx, token) { ctx.oidc.issuer.substring(0); token.jti.substring(0);