Skip to content

Commit

Permalink
fix(core): issue organization_id grant for client credentials
Browse files Browse the repository at this point in the history
  • Loading branch information
gao-sun committed Jul 3, 2024
1 parent 06ef199 commit ba7079f
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 1 deletion.
4 changes: 3 additions & 1 deletion packages/core/src/oidc/extra-token-claims.ts
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,9 @@ export const getExtraTokenClaimsForOrganizationApiResource = async (
return;
}

const isAccessToken = token instanceof ctx.oidc.provider.AccessToken;
const isAccessToken =
token instanceof ctx.oidc.provider.AccessToken ||
token instanceof ctx.oidc.provider.ClientCredentials;

Check warning on line 39 in packages/core/src/oidc/extra-token-claims.ts

View check run for this annotation

Codecov / codecov/patch

packages/core/src/oidc/extra-token-claims.ts#L37-L39

Added lines #L37 - L39 were not covered by tests

// Only handle access tokens
if (!isAccessToken) {
Expand Down
3 changes: 3 additions & 0 deletions packages/core/src/oidc/grants/client-credentials.ts
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,9 @@ export const buildHandler: (
token.scope =
scopes.filter(Set.prototype.has.bind(new Set(resourceServer.scope.split(' ')))).join(' ') ||
undefined;
if (organizationId) {
token.extra = { ...token.extra, organization_id: organizationId };
}

Check warning on line 131 in packages/core/src/oidc/grants/client-credentials.ts

View check run for this annotation

Codecov / codecov/patch

packages/core/src/oidc/grants/client-credentials.ts#L129-L131

Added lines #L129 - L131 were not covered by tests
}

// Issue organization token only if resource server is not present.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -244,6 +244,7 @@ describe('client credentials grant', () => {
expect(returnedScope).toBe(`${scope1.name} ${scope2.name}`);

const verified = await jwtVerify(accessToken, jwkSet, { audience: resource.indicator });
expect(verified.payload.organization_id).toBe(organization.id);
expect(verified.payload.scope).toBe(`${scope1.name} ${scope2.name}`);
});

Expand Down Expand Up @@ -271,6 +272,7 @@ describe('client credentials grant', () => {
expect(returnedScope1).toBe(scope1.name);

const verified1 = await jwtVerify(accessToken1, jwkSet, { audience: resource.indicator });
expect(verified1.payload.organization_id).toBe(organization.id);
expect(verified1.payload.scope).toBe(scope1.name);

const { access_token: accessToken2, scope: returnedScope2 } = await post({
Expand All @@ -281,6 +283,7 @@ describe('client credentials grant', () => {
expect(returnedScope2).toBe(undefined);

const verified2 = await jwtVerify(accessToken2, jwkSet, { audience: resource.indicator });
expect(verified1.payload.organization_id).toBe(organization.id);
expect(verified2.payload.scope).toBe(undefined);
});
});
Expand Down

0 comments on commit ba7079f

Please sign in to comment.