Set claims.Issuer to did.URI within jwt.Sign()

decentralized-identity · Mar 19, 2024 · f95bf0e · f95bf0e
1 parent 7abe57a
commit f95bf0e
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/jwt/jwt.go b/jwt/jwt.go
@@ -79,6 +79,12 @@ func Type(t string) SignOpt {
 // The Purpose option can be provided to specify that a key from a given
 // DID Document Verification Relationship should be used (e.g. authentication).
 // defaults to using assertionMethod
+//
+// # Note
+//
+// Claims.Issuer will be set to the value of the provided BearerDID.URI
+// because this is required during [Verify], so if the value is set by the calling
+// code then it will be overridden in this function
 func Sign(claims Claims, did did.BearerDID, opts ...SignOpt) (string, error) {
 	o := signOpts{selector: nil, typ: ""}
 	for _, opt := range opts {
@@ -95,6 +101,9 @@ func Sign(claims Claims, did did.BearerDID, opts ...SignOpt) (string, error) {
 		jwsOpts = append(jwsOpts, jws.VMSelector(o.selector))
 	}
 
+	// `iss` is required to be equal to the DID's URI
+	claims.Issuer = did.URI
+
 	payload, err := json.Marshal(claims)
 	if err != nil {
 		return "", fmt.Errorf("failed to marshal jwt claims: %w", err)

diff --git a/jwt/jwt_test.go b/jwt/jwt_test.go
@@ -61,6 +61,24 @@ func TestSign(t *testing.T) {
 	assert.False(t, jwt == "", "expected jwt to not be empty")
 }
 
+func TestSign_IssuerOverridden(t *testing.T) {
+	did, err := didjwk.Create()
+	assert.NoError(t, err)
+
+	claims := jwt.Claims{
+		Issuer: "something-not-equal-to-did.URI", // this will be overridden by the call to jwt.Sign()
+		Misc:   map[string]interface{}{"c_nonce": "abcd123"},
+	}
+
+	signed, err := jwt.Sign(claims, did)
+	assert.NoError(t, err)
+
+	decoded, err := jwt.Decode(signed)
+	assert.NoError(t, err)
+
+	assert.Equal(t, did.URI, decoded.Claims.Issuer)
+}
+
 func TestVerify(t *testing.T) {
 	did, err := didjwk.Create()
 	assert.NoError(t, err)