feature: add jwt bearer support (#105)

strehle · web-flow · commit 8db3d11b4c8d · 2025-04-01T11:28:57.000+02:00
diff --git a/lib/uaa/token_issuer.rb b/lib/uaa/token_issuer.rb
@@ -328,6 +328,15 @@ def refresh_token_grant(refresh_token, scope = nil)
     request_token(grant_type: 'refresh_token', refresh_token: refresh_token, scope: scope)
   end
 
+  # Gets an access token with the user assertion used for authentication
+  # via the jwt bearer authorization grant.
+  # See {http://tools.ietf.org/html/rfc7523#section-2.1}.
+  # @param assertion should be an id_token from a previous IdP token request
+  # @return [TokenInfo]
+  def jwt_bearer_grant(assertion, scope = nil, client_assertion = nil)
+    request_token(grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', assertion: assertion, scope: scope, client_assertion: client_assertion)
+  end
+
 end
 
 end
diff --git a/spec/token_issuer_spec.rb b/spec/token_issuer_spec.rb
@@ -470,6 +470,55 @@ module CF::UAA
     end
   end
 
+  context 'with jwt bearer grant' do
+
+    it 'gets a token with jwt bearer' do
+      subject.set_request_handler do |url, method, body, headers|
+        headers['content-type'].should =~ /application\/x-www-form-urlencoded/
+        headers['accept'].should =~ /application\/json/
+        headers['X-CF-ENCODED-CREDENTIALS'].should == 'true'
+        headers['authorization'].should == 'Basic dGVzdF9jbGllbnQ6dGVzdCUyMXNlY3JldA=='
+        url.should == 'http://test.uaa.target/oauth/token'
+        method.should == :post
+        reply = {access_token: 'test_access_token', token_type: 'BEARER',
+                 scope: 'openid', expires_in: 98765}
+        [200, Util.json(reply), {'content-type' => 'application/json'}]
+      end
+      token = subject.jwt_bearer_grant('assertion', 'openid')
+      token.should be_an_instance_of TokenInfo
+      token.info['access_token'].should == 'test_access_token'
+      token.info['token_type'].should =~ /^bearer$/i
+      token.info['scope'].should == 'openid'
+      token.info['expires_in'].should == 98765
+    end
+
+    context "when client & client secret are nil" do
+      let(:client_id) { nil }
+      let(:client_secret) { nil }
+
+      it 'does not error' do
+        subject.set_request_handler do |url, method, body, headers|
+          headers['content-type'].should =~ /application\/x-www-form-urlencoded/
+          headers['accept'].should =~ /application\/json/
+          headers['X-CF-ENCODED-CREDENTIALS'].should == 'true'
+          headers['authorization'].should == 'Basic Og=='
+          url.should == 'http://test.uaa.target/oauth/token'
+          method.should == :post
+          reply = {access_token: 'test_access_token', token_type: 'BEARER',
+                   scope: 'openid', expires_in: 98765}
+          [200, Util.json(reply), {'content-type' => 'application/json'}]
+        end
+        token = subject.jwt_bearer_grant('assertion', 'openid')
+        token.should be_an_instance_of TokenInfo
+        token.info['access_token'].should == 'test_access_token'
+        token.info['token_type'].should =~ /^bearer$/i
+        token.info['scope'].should == 'openid'
+        token.info['expires_in'].should == 98765
+      end
+    end
+
+  end
+
 end
 
 end
