devfront ID Token Claims 백엔드 반영

2026-04-29 13:45:23 +09:00
parent e484d8c100
commit 0844befb35
5 changed files with 492 additions and 8 deletions
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -1158,6 +1158,60 @@ func withOidcSessionMetadata(claims map[string]any, sessionID string) map[string
 	return claims
 }

+func composeOIDCSessionClaims(client domain.HydraClient, traits map[string]any, scopes []string, tenantID string, sessionID string) map[string]any {
+	claims := buildOidcClaimsFromTraits(traits, scopes, tenantID)
+	claims = applyConfiguredIDTokenClaims(claims, client.Metadata)
+	return withOidcSessionMetadata(claims, sessionID)
+}
+
+func applyConfiguredIDTokenClaims(baseClaims map[string]any, metadata map[string]interface{}) map[string]any {
+	if baseClaims == nil {
+		baseClaims = map[string]any{}
+	}
+	if metadata == nil {
+		return baseClaims
+	}
+
+	rawClaims, ok := metadata[domain.MetadataIDTokenClaims]
+	if !ok || rawClaims == nil {
+		return baseClaims
+	}
+
+	normalizedClaims, err := normalizeIDTokenClaims(rawClaims)
+	if err != nil {
+		slog.Warn("failed to normalize configured id token claims", "error", err)
+		return baseClaims
+	}
+
+	rpClaims, _ := baseClaims["rp_claims"].(map[string]any)
+	if rpClaims == nil {
+		rpClaims = map[string]any{}
+	}
+
+	for _, claim := range normalizedClaims {
+		value, err := parseConfiguredClaimValue(claim.Value, claim.ValueType)
+		if err != nil {
+			slog.Warn("failed to parse configured id token claim", "namespace", claim.Namespace, "key", claim.Key, "error", err)
+			continue
+		}
+
+		if claim.Namespace == "rp_claims" {
+			rpClaims[claim.Key] = value
+			continue
+		}
+
+		if _, exists := baseClaims[claim.Key]; exists {
+			continue
+		}
+		baseClaims[claim.Key] = value
+	}
+
+	if len(rpClaims) > 0 {
+		baseClaims["rp_claims"] = rpClaims
+	}
+	return baseClaims
+}
+
 func (h *AuthHandler) withRPProfileClaims(ctx context.Context, claims map[string]any, client domain.HydraClient, subject string) map[string]any {
 	if claims == nil {
 		claims = map[string]any{}
@@ -5362,8 +5416,11 @@ func (h *AuthHandler) GetConsentRequest(c *fiber.Ctx) error {
 							tenantID = tid
 						}
 					}
-					sessionClaims := withOidcSessionMetadata(
-						buildOidcClaimsFromTraits(identity.Traits, consentRequest.RequestedScope, tenantID),
+					sessionClaims := composeOIDCSessionClaims(
+						consentRequest.Client,
+						identity.Traits,
+						consentRequest.RequestedScope,
+						tenantID,
 						currentSessionID,
 					)
 					sessionClaims = h.withRPProfileClaims(c.Context(), sessionClaims, consentRequest.Client, consentRequest.Subject)
@@ -5392,8 +5449,11 @@ func (h *AuthHandler) GetConsentRequest(c *fiber.Ctx) error {
 				}
 			}

-			sessionClaims := withOidcSessionMetadata(
-				buildOidcClaimsFromTraits(identity.Traits, consentRequest.RequestedScope, tenantID),
+			sessionClaims := composeOIDCSessionClaims(
+				consentRequest.Client,
+				identity.Traits,
+				consentRequest.RequestedScope,
+				tenantID,
 				currentSessionID,
 			)
 			sessionClaims = h.withRPProfileClaims(c.Context(), sessionClaims, consentRequest.Client, consentRequest.Subject)
@@ -5575,8 +5635,11 @@ func (h *AuthHandler) AcceptConsentRequest(c *fiber.Ctx) error {
 		}
 	}

-	sessionClaims := withOidcSessionMetadata(
-		buildOidcClaimsFromTraits(identity.Traits, consentRequest.RequestedScope, tenantID),
+	sessionClaims := composeOIDCSessionClaims(
+		consentRequest.Client,
+		identity.Traits,
+		consentRequest.RequestedScope,
+		tenantID,
 		currentSessionID,
 	)
 	sessionClaims = h.withRPProfileClaims(c.Context(), sessionClaims, consentRequest.Client, consentRequest.Subject)