From cc1b28f81f6481bf72bbcf420a5cb9d70b79feb4 Mon Sep 17 00:00:00 2001
From: Joakim Olsson
Date: Mon, 25 Apr 2022 21:26:01 +0200
Subject: [PATCH] chore: change admin-handling
---
 app.js | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/app.js b/app.js
index f09ab67..1768e2c 100644
--- a/app.js
+++ b/app.js
@@ -14,7 +14,7 @@ const cert = require('./cert')
 let issuer = 'localhost:3333'
 let jwksOrigin = `https://${issuer}/`
 const audience = process.env.AUDIENCE || 'https://generic-audience'
-const adminRole = process.env.ADMIN_ROLE || 'admin'
+const adminCustomClaim = process.env.ADMIN_CUSTOM_CLAIM || 'https://unbound.se/admin'
 const debug = Debug('app')
@@ -54,7 +54,12 @@ app.post('/oauth/token', (req, res) => {
 keyid: thumbprint
 })
- let idToken = jwt.sign(Buffer.from(JSON.stringify({
+ const token = session.customClaims.reduce((acc, claim) => {
+ return {
+ ...acc,
+ ...claim
+ }
+ }, {
 iss: jwksOrigin,
 aud: session.clientId,
 nonce: session.nonce,
@@ -63,9 +68,9 @@ app.post('/oauth/token', (req, res) => {
 exp: date + 7200,
 azp: session.clientId,
 name: 'Example Person',
- picture: 'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg',
- 'https://unbound.se/roles': session.roles
- })), privateKey, {
+ picture: 'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg'
+ })
+ let idToken = jwt.sign(Buffer.from(JSON.stringify(token)), privateKey, {
 algorithm: 'RS256',
 keyid: thumbprint
 })
@@ -104,10 +109,8 @@ app.post('/code', (req, res) => {
 const code = req.body.codeChallenge
 challenges[req.body.codeChallenge] = code
 const state = req.body.state
- let roles = []
- if (req.body.admin === 'true') {
- roles = [adminRole]
- }
+ const claim = {}
+ claim[adminCustomClaim] = req.body.admin === 'true'
 sessions[code] = {
 email: req.body.email,
 password: req.body.password,
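Review bot: In the reduce that builds `token`, every entry of `session.customClaims` is spread over the accumulator, so a custom claim whose key is `iss`, `aud`, `nonce`, `exp` or another registered claim silently replaces the value the issuer put there. Today the only key is `adminCustomClaim` from hunk 1, which is taken verbatim from the `ADMIN_CUSTOM_CLAIM` environment variable, so a misconfigured deployment rather than a request would trigger this, but a signed ID token should not let merged-in claims outrank its registered ones. Merging the custom claims first and listing the registered claims after them yields the same token for the default claim name while making the issuer's values authoritative: replace the six added lines with `const token = {` and `...Object.assign({}, ...session.customClaims),`, and in hunk 3 close the literal with `}` instead of `})`. The object literal seeded here continues past the end of this hunk into hunk 3, and the enclosing `/oauth/token` handler starts before it.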
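Review bot: `let idToken = jwt.sign(Buffer.from(JSON.stringify(token)), privateKey, {` is declared with `let` directly after the new `const token`, which reads as if a reassignment follows, yet none is visible in the hunk. If `idToken` is not reassigned later in the handler (that part is outside the hunk), `const idToken = jwt.sign(Buffer.from(JSON.stringify(token)), privateKey, {` keeps the two declarations consistent. The `jwt.sign` options literal closes inside the hunk, but the `/oauth/token` handler continues after it.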
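Review bot: The admin claim is set solely from the posted form field, `claim[adminCustomClaim] = req.body.admin === 'true'`, so the caller of `/code` decides whether the ID token it later receives carries the admin claim; that is presumably intended for a local test issuer (the issuer is `localhost:3333` and the subject is named 'Example Person' in hunk 3), but nothing in the code says so. A comment on the new line such as `// Test issuer only: the admin claim is chosen by the login form, not by any policy` would keep that intent explicit for whoever next reads or reuses this handler. The two new lines can also become one with a computed key, `const claim = { [adminCustomClaim]: req.body.admin === 'true' }`. The enclosing `/code` handler starts before this hunk and continues after it.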
@@ -115,7 +118,7 @@ app.post('/code', (req, res) => {
 nonce: req.body.nonce,
 clientId: req.body.clientId,
 codeChallenge: req.body.codeChallenge,
- roles: roles
+ customClaims: [claim]
 }
 res.redirect(`${req.body.redirect}?domain=${issuer}&code=${code}&state=${encodeURIComponent(state)}`)
 })