ory · phooijenga · Feb 25, 2025
@@ -7,6 +7,8 @@ type AccessRequest struct {
 	GrantTypes       Arguments `json:"grantTypes" gorethink:"grantTypes"`
 	HandledGrantType Arguments `json:"handledGrantType" gorethink:"handledGrantType"`
 
+	JWTClaims map[string]interface{} `json:"jwt_claims" gorethink:"jwtClaims"`
+
 	Request
 }
 
@@ -23,3 +25,11 @@ func NewAccessRequest(session Session) *AccessRequest {
 func (a *AccessRequest) GetGrantTypes() Arguments {
 	return a.GrantTypes
 }
+
+func (a *AccessRequest) GetJWTClaims() map[string]interface{} {
+	return a.JWTClaims
+}
+
+func (a *AccessRequest) SetJWTClaims(claims map[string]interface{}) {
+	a.JWTClaims = claims
+}
@@ -187,6 +187,10 @@ func (f *Fosite) DefaultClientAuthenticationStrategy(ctx context.Context, r *htt
 				strings.Join(f.Config.GetTokenURLs(ctx), "' or '")))
 		}
 
+		if accessRequest, ok := ctx.Value(AccessRequestContextKey).(*AccessRequest); ok {
+			accessRequest.SetJWTClaims(claims)
+		}
+
 		return client, nil
 	} else if len(assertionType) > 0 {
 		return nil, errorsx.WithStack(ErrInvalidRequest.WithHintf("Unknown client_assertion_type '%s'.", assertionType))

@@ -70,7 +70,8 @@ func (c *Handler) HandleTokenEndpointRequest(ctx context.Context, request fosite
 	}
 
 	claims := jwt.Claims{}
-	if err := token.Claims(key, &claims); err != nil {
+	rawClaims := make(map[string]interface{})
+	if err := token.Claims(key, &claims, &rawClaims); err != nil {
 		return errorsx.WithStack(fosite.ErrInvalidGrant.
 			WithHint("Unable to verify the integrity of the 'assertion' value.").
 			WithWrap(err).WithDebug(err.Error()),
@@ -115,6 +116,8 @@ func (c *Handler) HandleTokenEndpointRequest(ctx context.Context, request fosite
 	session.SetExpiresAt(fosite.AccessToken, time.Now().UTC().Add(atLifespan).Round(time.Second))
 	session.SetSubject(claims.Subject)
 
+	request.SetJWTClaims(rawClaims)
+
 	return nil
 }
 

@@ -250,6 +250,12 @@ type AccessRequester interface {
 	// GetGrantType returns the requests grant type.
 	GetGrantTypes() (grantTypes Arguments)
 
+	// GetJWTClaims returns the request's decoded JWT claims (RFC 7523).
+	GetJWTClaims() (claims map[string]interface{})
+
+	// SetJWTClaims stores decoded JWT claims for the request (RFC 7523).
+	SetJWTClaims(claims map[string]interface{})
+
 	Requester
 }