From 1f73783e860edf330e25213fb8d84dd2cb5e1d76 Mon Sep 17 00:00:00 2001
From: Timo Glastra
Date: Tue, 15 Oct 2024 12:12:21 +0200
Subject: [PATCH] feat: allow additional claims in access token
Signed-off-by: Timo Glastra
---
 packages/issuer/lib/tokens/index.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/issuer/lib/tokens/index.ts b/packages/issuer/lib/tokens/index.ts
index c6733336..3e844f64 100644
--- a/packages/issuer/lib/tokens/index.ts
+++ b/packages/issuer/lib/tokens/index.ts
@@ -41,12 +41,13 @@ export interface ITokenEndpointOpts {
 export const generateAccessToken = async (
 opts: Required> & {
+ additionalClaims?: Record
 preAuthorizedCode?: string
 alg?: Alg
 dPoPJwk?: JWK
 },
 ): Promise => {
- const { dPoPJwk, accessTokenIssuer, alg, accessTokenSignerCallback, tokenExpiresIn, preAuthorizedCode } = opts
+ const { dPoPJwk, accessTokenIssuer, alg, accessTokenSignerCallback, tokenExpiresIn, preAuthorizedCode, additionalClaims } = opts
 // JWT uses seconds for iat and exp
 const iat = new Date().getTime() / 1000
 const exp = iat + tokenExpiresIn
@@ -63,6 +64,7 @@ export const generateAccessToken = async (
 // evaluation process is performed for bearer tokens to prevent downgraded usage of a DPoP-bound access token.
 // Specifically, such a protected resource MUST reject a DPoP-bound access token received as a bearer token per [RFC6750].
 token_type: dPoPJwk ? 'DPoP' : 'Bearer',
+ ...additionalClaims,
 },
 }
 return await accessTokenSignerCallback(jwt)
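Review bot: The new `additionalClaims` option on `generateAccessToken` is declared without a doc comment, yet everything it carries ends up in the signed access-token payload (second hunk), so its contract belongs where it is declared. I would put above it `/** Extra claims merged into the access token payload. Do not pass claims this function sets itself (e.g. iat, exp, token_type); see the payload construction below for the full list. */`. The value type of the `Record` appears truncated in this rendering, so I cannot tell whether it is `unknown`; if it is `any`, prefer `Record<string, unknown>` so callers cannot leak untyped values into the token. The function body continues past the end of this hunk.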
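Review bot: `...additionalClaims,` is spread as the last property of the payload, after `token_type` and, per the `iat`/`exp`/`accessTokenIssuer` computed in the first hunk and presumably written into the same object literal outside this hunk, after the other issuer-controlled claims, so a caller-supplied key silently overrides any of them — for example `token_type: 'Bearer'` on a DPoP-bound token would defeat exactly the downgrade protection the comment directly above cites, and a caller-supplied `exp` would extend the token lifetime. Move the spread to be the first property of the payload literal (whose opening brace is outside this hunk) so the claims computed here are written last and win on collision, i.e. `payload: { ...additionalClaims, /* fixed claims */ ... }`. If a collision should be rejected rather than ignored, additionally check `Object.keys(additionalClaims ?? {})` against the reserved names and throw before `jwt` is built. The closing brace of `generateAccessToken` lies beyond the end of this hunk.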