wikimedia · reedy · Dec 31, 2025 · Jun 3, 2020 · Jun 4, 2020 · Jun 4, 2020
diff --git a/.gitattributes b/.gitattributes
@@ -9,6 +9,7 @@
 /.styleci.yml export-ignore
 /phpstan.neon export-ignore
 /phpunit.xml.dist export-ignore
+/roave-bc-check.yaml export-ignore
 /CHANGELOG.md export-ignore
 /CONTRIBUTING.md export-ignore
 /README.md export-ignore

diff --git a/examples/src/Repositories/AccessTokenRepository.php b/examples/src/Repositories/AccessTokenRepository.php
@@ -46,12 +46,20 @@ public function isAccessTokenRevoked($tokenId): bool
     /**
      * {@inheritdoc}
      */
-    public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null): AccessTokenEntityInterface
-    {
+    public function getNewToken(
+        ClientEntityInterface $clientEntity,
+        array $scopes,
+        string|null $userIdentifier = null,
+        array $claims = []
+    ): AccessTokenEntityInterface {
         $accessToken = new AccessTokenEntity();
 
         $accessToken->setClient($clientEntity);
 
+        foreach ($claims as $claim) {
+            $accessToken->addClaim($claim);
+        }
+
         foreach ($scopes as $scope) {
             $accessToken->addScope($scope);
         }

diff --git a/roave-bc-check.yaml b/roave-bc-check.yaml
@@ -0,0 +1,3 @@
+parameters:
+  ignoreErrors:
+    - '#\[BC\] ADDED: Method setClaimRepository\(\) was added to interface #'
diff --git a/src/AuthorizationServer.php b/src/AuthorizationServer.php
@@ -19,6 +19,7 @@
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\GrantTypeInterface;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClaimRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequestInterface;
@@ -66,7 +67,8 @@ public function __construct(
         CryptKeyInterface|string $privateKey,
         #[SensitiveParameter]
         Key|string $encryptionKey,
-        ResponseTypeInterface|null $responseType = null
+        ResponseTypeInterface|null $responseType = null,
+        private ClaimRepositoryInterface|null $claimRepository = null
     ) {
         if ($privateKey instanceof CryptKeyInterface === false) {
             $privateKey = new CryptKey($privateKey);
@@ -96,6 +98,7 @@ public function enableGrantType(GrantTypeInterface $grantType, DateInterval|null
         $grantType->setAccessTokenRepository($this->accessTokenRepository);
         $grantType->setClientRepository($this->clientRepository);
         $grantType->setScopeRepository($this->scopeRepository);
+        $grantType->setClaimRepository($this->claimRepository);
         $grantType->setDefaultScope($this->defaultScope);
         $grantType->setPrivateKey($this->privateKey);
         $grantType->setEmitter($this->getEmitter());

diff --git a/src/Entities/ClaimEntityInterface.php b/src/Entities/ClaimEntityInterface.php
@@ -0,0 +1,26 @@
+<?php
+
+/**
+ * @author      Sebastian Kroczek <me@xbug.de>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+declare(strict_types=1);
+
+namespace League\OAuth2\Server\Entities;
+
+interface ClaimEntityInterface
+{
+    /**
+     * Get the claim's name.
+     */
+    public function getName(): string;
+
+    /**
+     * Get the claim's value
+     */
+    public function getValue(): mixed;
+}
diff --git a/src/Entities/Traits/AccessTokenTrait.php b/src/Entities/Traits/AccessTokenTrait.php
@@ -18,6 +18,7 @@
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use Lcobucci\JWT\Token;
 use League\OAuth2\Server\CryptKeyInterface;
+use League\OAuth2\Server\Entities\ClaimEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use RuntimeException;
@@ -64,13 +65,21 @@ private function convertToJWT(): Token
     {
         $this->initJwtConfiguration();
 
-        return $this->jwtConfiguration->builder()
-            ->permittedFor($this->getClient()->getIdentifier())
+        $builder = $this->jwtConfiguration->builder();
+        $builder->permittedFor($this->getClient()->getIdentifier())
             ->identifiedBy($this->getIdentifier())
             ->issuedAt(new DateTimeImmutable())
             ->canOnlyBeUsedAfter(new DateTimeImmutable())
             ->expiresAt($this->getExpiryDateTime())
-            ->relatedTo($this->getSubjectIdentifier())
+            ->relatedTo($this->getSubjectIdentifier());
+
+        foreach ($this->getClaims() as $claim) {
+            /* @phpstan-ignore-next-line */
+            $builder->withClaim($claim->getName(), $claim->getValue());
+        }
+
+        return $builder
+            // Set scope claim late to prevent it from being overridden.
             ->withClaim('scopes', $this->getScopes())
             ->getToken($this->jwtConfiguration->signer(), $this->jwtConfiguration->signingKey());
     }
@@ -97,6 +106,11 @@ abstract public function getUserIdentifier(): string|null;
      */
     abstract public function getScopes(): array;
 
+    /**
+     * @return ClaimEntityInterface[]
+     */
+    abstract public function getClaims(): array;
+
     /**
      * @return non-empty-string
      */

diff --git a/src/Entities/Traits/ClaimEntityTrait.php b/src/Entities/Traits/ClaimEntityTrait.php
@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * @author      Sebastian Kroczek <me@xbug.de>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+declare(strict_types=1);
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+trait ClaimEntityTrait
+{
+    protected string $name;
+
+    protected mixed $value;
+
+    /**
+     * Returns the name of the claim
+     */
+    public function getName(): string
+    {
+        return $this->name;
+    }
+
+    /**
+     * Returns the claims value
+     */
+    public function getValue(): mixed
+    {
+        return $this->value;
+    }
+}
diff --git a/src/Entities/Traits/TokenEntityTrait.php b/src/Entities/Traits/TokenEntityTrait.php
@@ -13,6 +13,7 @@
 namespace League\OAuth2\Server\Entities\Traits;
 
 use DateTimeImmutable;
+use League\OAuth2\Server\Entities\ClaimEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 
@@ -27,6 +28,11 @@ trait TokenEntityTrait
 
     protected DateTimeImmutable $expiryDateTime;
 
+    /**
+     * @var ClaimEntityInterface[]
+     */
+    protected array $claims = [];
+
     /**
      * @var non-empty-string|null
      */
@@ -52,6 +58,24 @@ public function getScopes(): array
         return array_values($this->scopes);
     }
 
+    /**
+     * Associate a claim with the token.
+     */
+    public function addClaim(ClaimEntityInterface $claim): void
+    {
+        $this->claims[] = $claim;
+    }
+
+    /**
+     * Return an array of claims associated with the token.
+     *
+     * @return ClaimEntityInterface[]
+     */
+    public function getClaims(): array
+    {
+        return $this->claims;
+    }
+
     /**
      * Get the token's expiry date time.
      */

diff --git a/src/Grant/AbstractGrant.php b/src/Grant/AbstractGrant.php
@@ -23,6 +23,7 @@
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
+use League\OAuth2\Server\Entities\ClaimEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
@@ -32,6 +33,7 @@
 use League\OAuth2\Server\RedirectUriValidators\RedirectUriValidator;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClaimRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
@@ -50,6 +52,7 @@
 use function bin2hex;
 use function explode;
 use function is_string;
+use function method_exists;
 use function random_bytes;
 use function substr;
 use function trim;
@@ -74,6 +77,8 @@ abstract class AbstractGrant implements GrantTypeInterface
 
     protected AuthCodeRepositoryInterface $authCodeRepository;
 
+    protected ?ClaimRepositoryInterface $claimRepository;
+
     protected RefreshTokenRepositoryInterface $refreshTokenRepository;
 
     protected UserRepositoryInterface $userRepository;
@@ -106,6 +111,11 @@ public function setRefreshTokenRepository(RefreshTokenRepositoryInterface $refre
         $this->refreshTokenRepository = $refreshTokenRepository;
     }
 
+    public function setClaimRepository(?ClaimRepositoryInterface $claimRepository): void
+    {
+        $this->claimRepository = $claimRepository;
+    }
+
     public function setAuthCodeRepository(AuthCodeRepositoryInterface $authCodeRepository): void
     {
         $this->authCodeRepository = $authCodeRepository;
@@ -410,6 +420,7 @@ protected function getServerParameter(string $parameter, ServerRequestInterface
      * Issue an access token.
      *
      * @param ScopeEntityInterface[] $scopes
+     * @param ClaimEntityInterface[] $claims
      *
      * @throws OAuthServerException
      * @throws UniqueTokenIdentifierConstraintViolationException
@@ -418,14 +429,21 @@ protected function issueAccessToken(
         DateInterval $accessTokenTTL,
         ClientEntityInterface $client,
         string|null $userIdentifier,
-        array $scopes = []
+        array $scopes = [],
+        array $claims = []
     ): AccessTokenEntityInterface {
         $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
 
         $accessToken = $this->accessTokenRepository->getNewToken($client, $scopes, $userIdentifier);
         $accessToken->setExpiryDateTime((new DateTimeImmutable())->add($accessTokenTTL));
         $accessToken->setPrivateKey($this->privateKey);
 
+        if (method_exists($accessToken, 'addClaim')) {
+            foreach ($claims as $claim) {
+                $accessToken->addClaim($claim);
+            }
+        }
+
         while ($maxGenerationAttempts-- > 0) {
             $accessToken->setIdentifier($this->generateUniqueIdentifier());
             try {

diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
@@ -137,8 +137,18 @@ public function respondToAccessTokenRequest(
             $this->validateCodeChallenge($authCodePayload, $codeVerifier);
         }
 
+        $privateClaims = [];
+
+        if ($this->claimRepository !== null) {
+            $privateClaims = $this->claimRepository->getClaims(
+                $this->getIdentifier(),
+                $client,
+                $authCodePayload->user_id
+            );
+        }
+
         // Issue and persist new access token
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes);
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes, $privateClaims);
         $this->getEmitter()->emit(new RequestAccessTokenEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request, $accessToken));
         $responseType->setAccessToken($accessToken);
 

diff --git a/src/Grant/ClientCredentialsGrant.php b/src/Grant/ClientCredentialsGrant.php
@@ -47,8 +47,14 @@ public function respondToAccessTokenRequest(
         // Finalize the requested scopes
         $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
 
+        $privateClaims = [];
+
+        if ($this->claimRepository !== null) {
+            $privateClaims = $this->claimRepository->getClaims($this->getIdentifier(), $client);
+        }
+
         // Issue and persist access token
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes);
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes, $privateClaims);
 
         // Send event to emitter
         $this->getEmitter()->emit(new RequestAccessTokenEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request, $accessToken));

diff --git a/src/Grant/GrantTypeInterface.php b/src/Grant/GrantTypeInterface.php
@@ -19,6 +19,7 @@
 use League\OAuth2\Server\CryptKeyInterface;
 use League\OAuth2\Server\EventEmitting\EmitterAwareInterface;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClaimRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequestInterface;
@@ -115,6 +116,11 @@ public function setAccessTokenRepository(AccessTokenRepositoryInterface $accessT
      */
     public function setScopeRepository(ScopeRepositoryInterface $scopeRepository): void;
 
+    /**
+     * Set the claim repository.
+     */
+    public function setClaimRepository(?ClaimRepositoryInterface $claimRepository): void;
+
     /**
      * Set the default scope.
      */

diff --git a/src/Grant/ImplicitGrant.php b/src/Grant/ImplicitGrant.php
@@ -165,11 +165,22 @@ public function completeAuthorizationRequest(AuthorizationRequestInterface $auth
                 $authorizationRequest->getUser()->getIdentifier()
             );
 
+            $privateClaims = [];
+
+            if ($this->claimRepository !== null) {
+                $privateClaims = $this->claimRepository->getClaims(
+                    $this->getIdentifier(),
+                    $authorizationRequest->getClient(),
+                    $authorizationRequest->getUser()->getIdentifier()
+                );
+            }
+
             $accessToken = $this->issueAccessToken(
                 $this->accessTokenTTL,
                 $authorizationRequest->getClient(),
                 $authorizationRequest->getUser()->getIdentifier(),
-                $finalizedScopes
+                $finalizedScopes,
+                $privateClaims
             );
 
             // TODO: next major release: this method needs `ServerRequestInterface` as an argument

diff --git a/src/Grant/PasswordGrant.php b/src/Grant/PasswordGrant.php
@@ -61,8 +61,20 @@ public function respondToAccessTokenRequest(
             $user->getIdentifier()
         );
 
+        $privateClaims = [];
+
+        if ($this->claimRepository !== null) {
+            $privateClaims = $this->claimRepository->getClaims($this->getIdentifier(), $client, $user->getIdentifier());
+        }
+
         // Issue and persist new access token
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $finalizedScopes);
+        $accessToken = $this->issueAccessToken(
+            $accessTokenTTL,
+            $client,
+            $user->getIdentifier(),
+            $finalizedScopes,
+            $privateClaims
+        );
         $this->getEmitter()->emit(new RequestAccessTokenEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request, $accessToken));
         $responseType->setAccessToken($accessToken);