Commit 136c4df
Changed files (1)
bin/idp
@@ -105,6 +105,15 @@ module Authn
end
def create_access_token
+ ::Authz::JWT.new(
+ sub: to_global_id.to_s,
+ auth_time: Time.now.to_i,
+ email: self[:email],
+ username: self[:username],
+ )
+ end
+
+ def create_id_token
::Authz::JWT.new(sub: to_global_id.to_s)
end
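Review bot: The new `create_access_token` carries `auth_time` (and `email`/`username`) in the access token, while `create_id_token` issues only `sub`; `auth_time` is defined as an ID token claim, so the relying party that actually consumes it never sees it. Move `auth_time: Time.now.to_i` into the ID token's claims, and let the ID token accept the request's nonce, e.g. `def create_id_token(nonce: nil)` with `nonce:` added to the claims only when present, since an ID token returned for a request that carried a nonce must echo it. The `params` slice later in this commit does not include `'nonce'`, so it would also need to be added there if that path is taken; the second change is outside this hunk.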
@@ -338,7 +347,9 @@ module Authz
def initialize(claims)
now = Time.now.to_i
@claims = {
+ iss: "#{$scheme}://#{$host}",
iat: now,
+ aud: "",
nbf: now,
jti: SecureRandom.uuid,
exp: now + 3600,
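Review bot: `aud: ""` is an empty audience rather than an absent one, so any consumer that validates `aud` will either reject every token or, worse, skip the check, and an ID token's audience must be the requesting client_id. Unless the `claims` argument is merged over these defaults further down (the rest of `initialize` is outside this hunk), there is no way for a caller to set it; either way `create_id_token` should pass `aud: <client_id>` explicitly instead of relying on the blank default. `iss` is built from the `$scheme`/`$host` globals; a short comment naming where they are set would help, since a wrong `iss` makes every issued token fail validation.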
@@ -447,17 +458,18 @@ module Authz
raise NotImplementedError
end
- def create!(user)
- new(user).tap do |grant|
+ def create!(user, params = {})
+ new(user, params).tap do |grant|
all << grant
end
end
end
- attr_reader :code, :user
+ attr_reader :code, :user, :params
- def initialize(user)
+ def initialize(user, params = {})
@user = user
+ @params = params
@code = SecureRandom.uuid
@exchanged_at = nil
end
@@ -485,7 +497,11 @@ module Authz
issued_token_type: "urn:ietf:params:oauth:token-type:access_token",
expires_in: 3600,
refresh_token: SecureRandom.hex(32)
- }
+ }.tap do |body|
+ if params['scope'].include?("openid")
+ body[:id_token] = user.create_id_token.to_jwt
+ end
+ end
end
end
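Review bot: `params['scope'].include?("openid")` raises NoMethodError when the authorization request had no `scope` (the slice only keeps keys that were present), and `include?` on the raw string is a substring match, so `"openidx"` or `"notopenid"` would also mint an ID token. Split the scope on whitespace and tolerate nil: `if params['scope'].to_s.split.include?('openid')`. The enclosing method starts before this hunk.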
@@ -570,7 +586,7 @@ module Authz
def post_authorize(request)
params = request.params.slice('client_id', 'redirect_uri', 'response_type', 'response_mode', 'state', 'code_challenge_method', 'code_challenge', 'scope')
- grant = AuthorizationGrant.create!(current_user(request))
+ grant = AuthorizationGrant.create!(current_user(request), params)
case params['response_type']
when 'code'
case params['response_mode']