laravel-passport-claims's Issues

Incompatibility with `lcobucci/jwt:^5.0`

Summary

Laravel Passport 11 requires "lcobucci/jwt": "^4.3|^5.0", but if we haven't specified a version lower than 5.0, the CheckForClaim middleware fails.

Details

The \Lcobucci\JWT\Configuration::forUnsecuredSigner() method is deprecated since version 4.3 of the lcobucci/jwt package. This method is used in the CheckForClaim middleware of this package.

Potential fix options

  • Migrate to symmetric signer with dummy configuration like:
Configuration::forSymmetricSigner(
    new \Lcobucci\JWT\Signer\Rsa\Sha256(),
    \Lcobucci\JWT\Signer\Key\InMemory::plainText('empty', 'empty')
)
  • Lock to "lcobucci/jwt": "^4.3" in composer.json.

Accessing User/Auth object in CustomClaim class

Hi, may I know if it is possible to access auth/user data in the CustomClaim class?

<?php

namespace App\Claims;

use Auth;
class CustomClaim
{
    public function handle($token, $next)
    {        
        $token->addClaim('my-claim', Auth::user()->email);

        return $next($token);
    }
}

thanks!

corbosman/laravel-passport-claims 1.7.1 incompatible with lcobucci/jwt 3.4.2

I recently did a composer update on my project which resulted in an issue with laravel-passport-claims.
This is the exception I was getting when creating an access token:

Replicating claims as headers is deprecated and will removed from v4.0. Please manually set the header if you need it replicated.

I fixed it by overriding this class: CorBosman\Passport\AccessToken @ convertToJWT with the following changes:

$jwt = (new Builder())
            ->permittedFor($this->getClient()->getIdentifier())
            ->identifiedBy($this->getIdentifier(), false) // second param used to be true
            ->issuedAt(new \DateTimeImmutable('now')) // used to be now()
            ->canOnlyBeUsedAfter(new \DateTimeImmutable('now')) // used to be now()
            ->expiresAt($this->getExpiryDateTime()) // used to be $this->getExpiryDateTime()->getTimestamp()
            ->relatedTo($this->getUserIdentifier())
            ->withClaim('scopes', $this->getScopes());

Thanks

add new claim to token

How can I add a new claim when receiving an access_token in the /oauth/token route?
I need to add more user details to my access_token.

{
    "token_type": "Bearer",
    "expires_in": 900,
    "access_token": "{token}",
    "refresh_token": "{refresh_token}"
}

Can not add iss claim

Hi @corbosman, thank you for the awesome package.

I have an issue when trying to add the iss claim:

Lcobucci\JWT\Token\RegisteredClaimGiven Builder#withClaim() is meant to be used for non-registered claims, check the documentation on how to set claim "iss".

Do you have an idea how to resolve this?

Claim middleware value not being read correctly

Route::middleware(['client', 'claim:my-claim,foobar'])->get('my-protected-route', function () {
    return 'protected by claim with foobar as its value';
});

In the code snippet above, the claim middleware is accepting all values, which it should not.

limit the claims based on claims

Does this package have a feature that limits the claims based on scopes?
Example: I have a scope like "email". If I log in with the scope "email", the package will only add the user email claim, but if I have a scope with * it will add all user claims.

How to set and get Claims from Controllers?

Hi, first of all thanks for this package!
I'm testing it and I would like to know how can I set and get Claims from Laravel Controllers:

// How to add Claims in login?
public function login(Request $request)
{
    // some code
    $credentials = [
            'email' => $request->email,
            'password' => base64_decode($request->password)
        ];
    Auth::attempt($credentials);

    $user= $request->user();
    $token = $user->createToken('ACCESS_TOKEN')->accessToken;

    // At this point, how can I add custom Claims to my token?
    // I would like to do something like this:
    $token->addClaim('companyId', $request->company_id); // how can I do this through a Controller?
}

// How to get Claims?
public function me(Request $request)
{
    $user = $request->user();
    $token = $user->token();

    // How to get the companyId Claim set on login method?
    $companyId = $token->getClaim('companyId'); // How can I do this?
}

Command "claim" is not defined.

When I execute php artisan claim:generate Claims/CustomClaim I get the error below:
There are no commands defined in the "claim" namespace.

__ToString Error

After installing Claims and declaring them, I get the following error when doing a request:
{
"message": "Method CorBosman\Passport\AccessToken::__toString() must not throw an exception, caught ErrorException: Replicating claims as headers is deprecated and will removed from v4.0. Please manually set the header if you need it replicated.",
"exception": "Symfony\Component\ErrorHandler\Error\FatalError",
"file": "D:\webs\VOW\experimento\backend\vendor\league\oauth2-server\src\ResponseTypes\BearerTokenResponse.php",
"line": 0,
"trace": []
}

What am I doing wrong?

Hi, your package is exactly what I need. I followed the simple installation guide but nothing happens. No claims are added to the token and, just for test purposes, if I write a nonexistent class name in the config, I receive no error. It seems that the whole package is totally ignored.
I'm trying to use it in Laravel 7.
Maybe I've missed something?
Thank you so much!

Syntax error when generating new token

I get the following error when trying to generate a new token:

Method CorBosman\Passport\AccessToken::__toString() must not throw an exception, caught ParseError: syntax error, unexpected '=>' (T_DOUBLE_ARROW), expecting ')' {"exception":"[object] (Symfony\\Component\\ErrorHandler\\Error\\FatalError(code: 0): Method CorBosman\\Passport\\AccessToken::__toString() must not throw an exception, caught ParseError: syntax error, unexpected '=>' (T_DOUBLE_ARROW), expecting ')' at /var/www/dev/vendor/league/oauth2-server/src/ResponseTypes/BearerTokenResponse.php:0)
[stacktrace]
#0 {main}
"} 

I use the following versions:

  • laravel/framework 8.77.1
  • laravel/passport 10.1.4
  • lcobucci/jwt 3.4.6
  • corbosman/laravel-passport-claims 3.0.1

I still run on PHP 7.3, so might that be the issue?

Refresh token with same custom claims

This package is great, thank you.

We have an issue though: when we refresh a token, we want to encode the same claims from the original access token into the new token. I can't find anything anywhere on how that might be possible. At the moment we are relying on passing the original access token with the refresh request, decoding it, and applying the same claims to the new token. However, passing the original access token with the refresh token doesn't seem to be a standard practice.

Are you aware of any way to do this? Our thinking was to persist the custom claims in the database, perhaps adding a column to Passport's oauth_access_tokens table and storing them the way it does with scopes. Not ideal to hack around Passport though.

Is it something that this package could support? We'd be happy to contribute a PR.

Add custom claim to a specific token

Hi.

I have a case for a multi-company app:

  1. One user has many companies.
  2. Users log in with the password grant.
  3. Afterwards, users will have to choose which company they will be using for the entire app flow.

Is it possible to add a custom claim (the chosen company id in this case) into the token generated by the password grant?

Thank you.

Is there a way to get the private claims from request calls? or a helper?

Look at this, BearerTokenValidator.php#L126-L131,

// Return the request with additional attributes
return $request
    ->withAttribute('oauth_access_token_id', $claims->get('jti'))
    ->withAttribute('oauth_client_id', $this->convertSingleRecordAudToString($claims->get('aud')))
    ->withAttribute('oauth_user_id', $claims->get('sub'))
    ->withAttribute('oauth_scopes', $claims->get('scopes'));

For example, I have company_id in the private claims, and the middleware check works correctly, but I want to use the id to make queries with results only from that company.
It would be useful to have a static property where the token is stored, and a helper, so we can get the claims from anywhere.
Example:

///
$query->where('company_id', token_private_claim('company_id'))
///
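
Added example (not part of any issue above and not the package's own code): a stand-alone PHP sketch of the helper proposed in this issue, together with the exact-match check the "Claim middleware value not being read correctly" issue expects from `claim:my-claim,foobar`. The function names and the sample token are constructed for illustration; the payload is decoded without signature verification, so it assumes the token was already validated by the auth middleware.

```php
<?php
declare(strict_types=1);

// Decode the payload segment of a compact JWT WITHOUT verifying the signature.
// Only call this for a token the auth layer has already validated.
function jwt_claims(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('expected header.payload.signature');
    }
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode($b64, true);
    $claims = $json === false ? null : json_decode($json, true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('payload is not a JSON claim set');
    }
    return $claims;
}

// Hypothetical helper named after the one proposed in the issue. In Laravel
// the $jwt argument would typically be $request->bearerToken().
function token_private_claim(string $jwt, string $name, $default = null)
{
    return jwt_claims($jwt)[$name] ?? $default;
}

// Check in the spirit of `claim:my-claim,foobar`: the claim must exist and,
// when a value is given, match it exactly (strict comparison, fail closed).
function claim_matches(array $claims, string $name, ?string $expected = null): bool
{
    if (!array_key_exists($name, $claims)) {
        return false;
    }
    $value = $claims[$name];
    return $expected === null || (is_scalar($value) && (string) $value === $expected);
}

// Constructed sample token (placeholder signature, never verified here).
$enc = fn (array $a): string => rtrim(strtr(base64_encode(json_encode($a)), '+/', '-_'), '=');
$jwt = $enc(['typ' => 'JWT', 'alg' => 'RS256']) . '.'
     . $enc(['sub' => '42', 'company_id' => 7, 'my-claim' => 'foobar']) . '.constructed';

var_dump(token_private_claim($jwt, 'company_id'));               // company scoping value
var_dump(claim_matches(jwt_claims($jwt), 'my-claim', 'foobar')); // exact value given
var_dump(claim_matches(jwt_claims($jwt), 'my-claim', 'other'));  // wrong value
var_dump(claim_matches(jwt_claims($jwt), 'missing'));            // absent claim
```

Using a claim such as company_id to scope queries is only sound on routes where the token's signature and expiry have already been checked; a payload decoded from an unverified token is attacker-controlled input.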

retrieve custom claims from refresh token

When refreshing a token, oauth2-server (which Laravel uses in the background) has a mechanism to retrieve old scopes claims from the token so that you can just refresh the token without the need to know what is in the token itself.

It seems this package is only adding custom claims to an existing token (after the refresh has happened). This means that when you refresh a token, you cannot access the old token custom claims this package can add. It seems that you can only add claims to the newly refreshed token. Is that correct?
