oidc: move token claims according discussion

2023-03-07 17:52:19 +02:00 · 2023-03-07 17:52:19 +02:00 · de33faa2d8
commit de33faa2d8
parent bb266aac4b
4 changed files with 9 additions and 16 deletions
--- a/pkg/oidc/regression_data/oidc.AccessTokenClaims.json
+++ b/pkg/oidc/regression_data/oidc.AccessTokenClaims.json
@ -8,19 +8,16 @@
 	"jti": "900",
 	"azp": "just@me.com",
 	"nonce": "6969",
-	"c_hash": "hashhash",
 	"acr": "something",
 	"amr": [
 		"some",
 		"methods"
 	],
-	"sid": "666",
 	"scope": [
 		"email",
 		"phone"
 	],
 	"client_id": "777",
-	"at_use_nbr": 22,
 	"exp": 12345,
 	"iat": 12000,
 	"nbf": 12000,
--- a/pkg/oidc/regression_data/oidc.IDTokenClaims.json
+++ b/pkg/oidc/regression_data/oidc.IDTokenClaims.json
@ -14,6 +14,7 @@
 		"some",
 		"methods"
 	],
+	"sid": "666",
 	"client_id": "777",
 	"exp": 12345,
 	"iat": 12000,
--- a/pkg/oidc/token.go
+++ b/pkg/oidc/token.go
@ -39,6 +39,7 @@ type TokenClaims struct {
 	Expiration                          Time     `json:"exp,omitempty"`
 	IssuedAt                            Time     `json:"iat,omitempty"`
 	AuthTime                            Time     `json:"auth_time,omitempty"`
+	NotBefore                           Time     `json:"nbf,omitempty"`
 	Nonce                               string   `json:"nonce,omitempty"`
 	AuthenticationContextClassReference string   `json:"acr,omitempty"`
 	AuthenticationMethodsReferences     []string `json:"amr,omitempty"`
@ -68,12 +69,7 @@ func (c *TokenClaims) SetSignatureAlgorithm(algorithm jose.SignatureAlgorithm) {

 type AccessTokenClaims struct {
 	TokenClaims
-	NotBefore            Time     `json:"nbf,omitempty"`
-	CodeHash             string   `json:"c_hash,omitempty"`
-	SessionID            string   `json:"sid,omitempty"`
 	Scopes []string       `json:"scope,omitempty"`
-	AccessTokenUseNumber int      `json:"at_use_nbr,omitempty"`
-
 	Claims map[string]any `json:"-"`
 }

@ -89,9 +85,9 @@ func NewAccessTokenClaims(issuer, subject string, audience []string, expiration
 			Audience:   audience,
 			Expiration: FromTime(expiration),
 			IssuedAt:   FromTime(now),
+			NotBefore:  FromTime(now),
 			JWTID:      jwtid,
 		},
-		NotBefore: FromTime(now),
 	}
 }

@ -114,6 +110,7 @@ type IDTokenClaims struct {
 	NotBefore       Time   `json:"nbf,omitempty"`
 	AccessTokenHash string `json:"at_hash,omitempty"`
 	CodeHash        string `json:"c_hash,omitempty"`
+	SessionID       string `json:"sid,omitempty"` // IDToken - session management spec
 	UserInfoProfile
 	UserInfoEmail
 	UserInfoPhone
--- a/pkg/oidc/token_test.go
+++ b/pkg/oidc/token_test.go
@ -20,6 +20,7 @@ var (
 		AuthorizedParty:                     "just@me.com",
 		Nonce:                               "6969",
 		AuthTime:                            12000,
+		NotBefore:                           12000,
 		AuthenticationContextClassReference: "something",
 		AuthenticationMethodsReferences:     []string{"some", "methods"},
 		ClientID:                            "777",
@ -27,11 +28,7 @@ var (
 	}
 	accessTokenData = &AccessTokenClaims{
 		TokenClaims: tokenClaimsData,
-		NotBefore:            12000,
-		CodeHash:             "hashhash",
-		SessionID:            "666",
 		Scopes:      []string{"email", "phone"},
-		AccessTokenUseNumber: 22,
 		Claims: map[string]interface{}{
 			"foo": "bar",
 		},
@ -41,6 +38,7 @@ var (
 		NotBefore:       12000,
 		AccessTokenHash: "acthashhash",
 		CodeHash:        "hashhash",
+		SessionID:       "666",
 		UserInfoProfile: userInfoData.UserInfoProfile,
 		UserInfoEmail:   userInfoData.UserInfoEmail,
 		UserInfoPhone:   userInfoData.UserInfoPhone,