[PLATFORM-1248]: Look into adding a "sub" field to the access token (#72

)

* Add 'sub' and other RFC claims fields

* Format

src/config.rs

@@ -15,6 +15,9 @@ pub struct Config {
     #[serde(default = "defaults::issuer")]
     issuer: String,
 
+    #[serde(default = "defaults::subject")]
+    subject: String,
+
     #[serde(default)]
     user_info: UserInfo,
 
@@ -57,6 +60,7 @@ impl Config {
                 log_error(error);
                 Self {
                     issuer: defaults::issuer(),
+                    subject: defaults::subject(),
                     user_info: Default::default(),
                     audience: vec![],
                     user: vec![],

src/controller.rs

@@ -189,6 +189,7 @@ fn new_token_response(
         audience.to_string(),
         permissions,
         app_data.config().issuer().to_string(),
+        app_data.config().subject().to_string(),
         grant_type,
         custom_claims,
     );

src/model/claims.rs

@@ -1,15 +1,20 @@
-use serde::{ser::SerializeMap, Deserialize, Serialize, Serializer};
 use std::fmt::{Display, Formatter};
 
+use serde::{ser::SerializeMap, Deserialize, Serialize, Serializer};
+use uuid::Uuid;
+
 use crate::config::{CustomField, CustomFieldValue};
 
 #[derive(Debug, Deserialize)]
 pub struct Claims {
+    iss: String,
+    sub: String,
     aud: String,
-    iat: Option<i64>,
     exp: Option<i64>,
+    nbf: Option<i64>,
+    iat: Option<i64>,
+    jti: String,
     scope: String,
-    iss: String,
     gty: GrantType,
     permissions: Vec<String>,
     // skip deserializing since deserialization from a jwt wouldn't match this struct
@@ -23,15 +28,19 @@ impl Claims {
         aud: String,
         permissions: Vec<String>,
         iss: String,
+        sub: String,
         gty: GrantType,
         custom_claims: Vec<CustomField>,
     ) -> Self {
         Self {
+            iss,
+            sub,
             aud,
-            iat: Some(chrono::Utc::now().timestamp()),
             exp: Some(chrono::Utc::now().timestamp() + 60000),
+            nbf: Some(chrono::Utc::now().timestamp()),
+            iat: Some(chrono::Utc::now().timestamp()),
+            jti: Uuid::new_v4().to_string(),
             scope: permissions.join(" "),
-            iss,
             gty,
             permissions,
             custom_claims,
@@ -50,6 +59,10 @@ impl Claims {
         &self.iss
     }
 
+    pub fn subject(&self) -> &str {
+        &self.sub
+    }
+
     pub fn grant_type(&self) -> &GrantType {
         &self.gty
     }
@@ -67,11 +80,14 @@ impl Serialize for Claims {
     {
         let mut map = serializer.serialize_map(None)?;
 
+        map.serialize_entry("iss", &self.iss)?;
+        map.serialize_entry("sub", &self.sub)?;
         map.serialize_entry("aud", &self.aud)?;
-        map.serialize_entry("iat", &self.iat)?;
         map.serialize_entry("exp", &self.exp)?;
+        map.serialize_entry("nbf", &self.nbf)?;
+        map.serialize_entry("iat", &self.iat)?;
+        map.serialize_entry("jti", &self.jti)?;
         map.serialize_entry("scope", &self.scope)?;
-        map.serialize_entry("iss", &self.iss)?;
         map.serialize_entry("gty", &self.gty)?;
         map.serialize_entry("permissions", &self.permissions)?;
 

src/model/defaults.rs

@@ -1,7 +1,9 @@
 use chrono::{DateTime, Utc};
 
 const ISSUER: &str = "https://prima.localauth0.com/";
-const USER_INFO_SUBJECT: &str = "google-apps|[email protected]";
+
+const SUBJECT: &str = "google-apps|[email protected]";
+const USER_INFO_SUBJECT: &str = SUBJECT;
 const USER_INFO_NAME: &str = "Local";
 const USER_INFO_NICKNAME: &str = "locie.auth0";
 const USER_INFO_GIVEN_NAME: &str = "Locie";
@@ -21,6 +23,9 @@ pub fn issuer() -> String {
     ISSUER.to_string()
 }
 
+pub fn subject() -> String {
+    SUBJECT.to_string()
+}
 pub fn user_info_subject() -> String {
     USER_INFO_SUBJECT.to_string()
 }

src/model/jwks.rs

@@ -176,6 +176,7 @@ mod tests {
         let audience: &str = "audience";
         let permission: &str = "permission";
         let issuer: &str = "issuer";
+        let subject: &str = "subject";
         let gty: GrantType = GrantType::ClientCredentials;
 
         let jwks: Jwks = jwk_store.get().unwrap();
@@ -185,6 +186,7 @@ mod tests {
             audience.to_string(),
             vec![permission.to_string()],
             issuer.to_string(),
+            subject.to_string(),
             gty.clone(),
             vec![],
         );
@@ -206,6 +208,7 @@ mod tests {
         let audience: &str = "audience";
         let permission: &str = "permission";
         let issuer: &str = "issuer";
+        let subject: &str = "subject";
         let gty: GrantType = GrantType::ClientCredentials;
 
         let jwks: Jwks = jwk_store.get().unwrap();
@@ -219,6 +222,7 @@ mod tests {
             audience.to_string(),
             vec![permission.to_string()],
             issuer.to_string(),
+            subject.to_string(),
             gty,
             custom_claims,
         );
@@ -237,6 +241,7 @@ mod tests {
         let audience: &str = "audience";
         let permission: &str = "permission";
         let issuer: &str = "issuer";
+        let subject: &str = "subject";
         let gty: GrantType = GrantType::ClientCredentials;
 
         let jwks: Jwks = jwk_store.get().unwrap();
@@ -252,6 +257,7 @@ mod tests {
             audience.to_string(),
             vec![permission.to_string()],
             issuer.to_string(),
+            subject.to_string(),
             gty,
             custom_claims,
         );