refactor: generate claims in the same way (ory#595)

narg95 · May 22, 2021 · d341ef9 · d341ef9
1 parent b89e892
commit d341ef9
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 20 deletions.
diff --git a/token/jwt/claims_id_token.go b/token/jwt/claims_id_token.go
@@ -48,47 +48,85 @@ type IDTokenClaims struct {
 // ToMap will transform the headers to a map structure
 func (c *IDTokenClaims) ToMap() map[string]interface{} {
 	var ret = Copy(c.Extra)
-	ret["sub"] = c.Subject
-	ret["iss"] = c.Issuer
-	ret["jti"] = c.JTI
+
+	if c.Subject != "" {
+		ret["sub"] = c.Subject
+	} else {
+		delete(ret, "sub")
+	}
+
+	if c.Issuer != "" {
+		ret["iss"] = c.Issuer
+	} else {
+		delete(ret, "iss")
+	}
+
+	if c.JTI != "" {
+		ret["jti"] = c.JTI
+	} else {
+		ret["jti"] = uuid.New()
+	}
 
 	if len(c.Audience) > 0 {
 		ret["aud"] = c.Audience
 	} else {
 		ret["aud"] = []string{}
 	}
 
+	if !c.IssuedAt.IsZero() {
+		ret["iat"] = float64(c.IssuedAt.Unix()) // jwt-go does not support int64 as datatype
+	} else {
+		delete(ret, "iat")
+	}
+
+	if !c.ExpiresAt.IsZero() {
+		ret["exp"] = float64(c.ExpiresAt.Unix()) // jwt-go does not support int64 as datatype
+	} else {
+		delete(ret, "exp")
+	}
+
+	if !c.RequestedAt.IsZero() {
+		ret["rat"] = float64(c.RequestedAt.Unix()) // jwt-go does not support int64 as datatype
+	} else {
+		delete(ret, "rat")
+	}
+
 	if len(c.Nonce) > 0 {
 		ret["nonce"] = c.Nonce
+	} else {
+		delete(ret, "nonce")
 	}
 
 	if len(c.AccessTokenHash) > 0 {
 		ret["at_hash"] = c.AccessTokenHash
-	}
-
-	if len(c.JTI) == 0 {
-		ret["jti"] = uuid.New()
+	} else {
+		delete(ret, "at_hash")
 	}
 
 	if len(c.CodeHash) > 0 {
 		ret["c_hash"] = c.CodeHash
+	} else {
+		delete(ret, "c_hash")
 	}
 
 	if !c.AuthTime.IsZero() {
-		ret["auth_time"] = c.AuthTime.Unix()
+		ret["auth_time"] = float64(c.AuthTime.Unix()) // jwt-go does not support int64 as datatype
+	} else {
+		delete(ret, "auth_time")
 	}
 
 	if len(c.AuthenticationContextClassReference) > 0 {
 		ret["acr"] = c.AuthenticationContextClassReference
+	} else {
+		delete(ret, "acr")
 	}
 
 	if len(c.AuthenticationMethodsReference) > 0 {
 		ret["amr"] = c.AuthenticationMethodsReference
+	} else {
+		delete(ret, "amr")
 	}
 
-	ret["iat"] = float64(c.IssuedAt.Unix())
-	ret["exp"] = float64(c.ExpiresAt.Unix())
-	ret["rat"] = float64(c.RequestedAt.Unix())
 	return ret
 
 }

diff --git a/token/jwt/claims_id_token_test.go b/token/jwt/claims_id_token_test.go
@@ -70,7 +70,7 @@ func TestIDTokenClaimsToMap(t *testing.T) {
 		"baz":       idTokenClaims.Extra["baz"],
 		"at_hash":   idTokenClaims.AccessTokenHash,
 		"c_hash":    idTokenClaims.CodeHash,
-		"auth_time": idTokenClaims.AuthTime.Unix(),
+		"auth_time": float64(idTokenClaims.AuthTime.Unix()),
 		"acr":       idTokenClaims.AuthenticationContextClassReference,
 		"amr":       idTokenClaims.AuthenticationMethodsReference,
 	}, idTokenClaims.ToMap())
@@ -88,7 +88,7 @@ func TestIDTokenClaimsToMap(t *testing.T) {
 		"baz":       idTokenClaims.Extra["baz"],
 		"at_hash":   idTokenClaims.AccessTokenHash,
 		"c_hash":    idTokenClaims.CodeHash,
-		"auth_time": idTokenClaims.AuthTime.Unix(),
+		"auth_time": float64(idTokenClaims.AuthTime.Unix()),
 		"acr":       idTokenClaims.AuthenticationContextClassReference,
 		"amr":       idTokenClaims.AuthenticationMethodsReference,
 		"nonce":     idTokenClaims.Nonce,

diff --git a/token/jwt/claims_jwt.go b/token/jwt/claims_jwt.go
@@ -101,24 +101,47 @@ func (c *JWTClaims) WithScopeField(scopeField JWTScopeFieldEnum) JWTClaimsContai
 func (c *JWTClaims) ToMap() map[string]interface{} {
 	var ret = Copy(c.Extra)
 
-	ret["jti"] = c.JTI
-	if c.JTI == "" {
+	if c.Subject != "" {
+		ret["sub"] = c.Subject
+	} else {
+		delete(ret, "sub")
+	}
+
+	if c.Issuer != "" {
+		ret["iss"] = c.Issuer
+	} else {
+		delete(ret, "iss")
+	}
+
+	if c.JTI != "" {
+		ret["jti"] = c.JTI
+	} else {
 		ret["jti"] = uuid.New()
 	}
 
-	ret["sub"] = c.Subject
-	ret["iss"] = c.Issuer
-	ret["aud"] = c.Audience
+	if len(c.Audience) > 0 {
+		ret["aud"] = c.Audience
+	} else {
+		ret["aud"] = []string{}
+	}
 
 	if !c.IssuedAt.IsZero() {
 		ret["iat"] = float64(c.IssuedAt.Unix()) // jwt-go does not support int64 as datatype
+	} else {
+		delete(ret, "iat")
 	}
 
 	if !c.NotBefore.IsZero() {
 		ret["nbf"] = float64(c.NotBefore.Unix()) // jwt-go does not support int64 as datatype
+	} else {
+		delete(ret, "nbf")
 	}
 
-	ret["exp"] = float64(c.ExpiresAt.Unix()) // jwt-go does not support int64 as datatype
+	if !c.ExpiresAt.IsZero() {
+		ret["exp"] = float64(c.ExpiresAt.Unix()) // jwt-go does not support int64 as datatype
+	} else {
+		delete(ret, "exp")
+	}
 
 	if c.Scope != nil {
 		// ScopeField default (when value is JWTScopeFieldUnset) is the list for backwards compatibility with old versions of fosite.
@@ -128,6 +151,9 @@ func (c *JWTClaims) ToMap() map[string]interface{} {
 		if c.ScopeField == JWTScopeFieldString || c.ScopeField == JWTScopeFieldBoth {
 			ret["scope"] = strings.Join(c.Scope, " ")
 		}
+	} else {
+		delete(ret, "scp")
+		delete(ret, "scope")
 	}
 
 	return ret

diff --git a/token/jwt/claims_jwt_test.go b/token/jwt/claims_jwt_test.go
@@ -75,7 +75,7 @@ func TestAssert(t *testing.T) {
 		ToMapClaims().Valid())
 	assert.NotNil(t, (&JWTClaims{NotBefore: time.Now().UTC().Add(time.Hour)}).
 		ToMapClaims().Valid())
-	assert.NotNil(t, (&JWTClaims{NotBefore: time.Now().UTC().Add(-time.Hour)}).
+	assert.Nil(t, (&JWTClaims{NotBefore: time.Now().UTC().Add(-time.Hour)}).
 		ToMapClaims().Valid())
 	assert.Nil(t, (&JWTClaims{ExpiresAt: time.Now().UTC().Add(time.Hour),
 		NotBefore: time.Now().UTC().Add(-time.Hour)}).ToMapClaims().Valid())