fix: Use input WEBID claim value for output sub value in access token

joachimvh · joachimvh · commit 38324543820c · 2026-06-16T10:34:11.000+02:00
diff --git a/documentation/getting-started.md b/documentation/getting-started.md
@@ -380,6 +380,10 @@ Based on the stored policies, it then determines if the provided claims are suff
 How these policies work will be covered later on.
 If successful, the server will return a 200 response with a JSON body containing, among others,
 an `access_token` field containing the access token, and a `token_type` field describing the token type.
+
+The generated access token will also contain a `sub` claim.
+This value indicates the identity from the original identification input that was provided during token exchange.
+
 If the claims are insufficient, a 403 response will be given instead.
 
 #### Partial permission tokens
diff --git a/packages/uma/src/credentials/Claims.ts b/packages/uma/src/credentials/Claims.ts
@@ -1,6 +1,20 @@
 
 export const WEBID = 'urn:solidlab:uma:claims:types:webid';
 export const CLIENTID = 'urn:solidlab:uma:claims:types:clientid';
+export const ORIGINAL = 'urn:solidlab:uma:claims:types:original';
 export const PURPOSE = 'http://www.w3.org/ns/odrl/2/purpose';
 export const LEGAL_BASIS = 'https://w3id.org/oac#LegalBasis';
 export const ACCESS = 'urn:solidlab:uma:claims:types:access';
+
+/**
+ * Resolves a claim value by preferring an ORIGINAL claim-set entry when present.
+ */
+export function getOriginalClaimValue(claims: NodeJS.Dict<unknown>, claimType: string): unknown {
+  const original = claims[ORIGINAL];
+  if (typeof original === 'object' && original !== null) {
+	const originalClaims = original as Record<string, unknown>;
+	return originalClaims[claimType];
+  }
+
+  return claims[claimType];
+}
diff --git a/packages/uma/src/credentials/verify/IriVerifier.ts b/packages/uma/src/credentials/verify/IriVerifier.ts
@@ -1,6 +1,6 @@
 import { joinUrl } from '@solid/community-server';
 import { isIri } from '../../util/ConvertUtil';
-import { CLIENTID, WEBID } from '../Claims';
+import { CLIENTID, ORIGINAL, WEBID } from '../Claims';
 import { ClaimSet } from '../ClaimSet';
 import { Credential } from '../Credential';
 import { Verifier } from './Verifier';
@@ -16,17 +16,20 @@ export class IriVerifier implements Verifier {
 
   public async verify(credential: Credential): Promise<ClaimSet> {
     const claims = await this.verifier.verify(credential);
-    return {
-      ...claims,
-      ...typeof claims[WEBID] === 'string' ? { [WEBID]: this.toIri(claims[WEBID]) } : {},
-      ...typeof claims[CLIENTID] === 'string' ? { [CLIENTID]: this.toIri(claims[CLIENTID]) } : {},
-    };
-  }
+    const result = { ...claims };
+
+    const original: Record<string, string> = {};
+    for (const claim of [WEBID, CLIENTID]) {
+      if (typeof claims[claim] === 'string' && !isIri(claims[claim])) {
+        result[claim] = joinUrl(this.baseUrl, encodeURIComponent(claims[claim]));
+        original[claim] = claims[claim];
+      }
+    }
 
-  protected toIri(value: string): string {
-    if (isIri(value)) {
-      return value;
+    if (Object.keys(original).length > 0) {
+      result[ORIGINAL] = original;
     }
-    return joinUrl(this.baseUrl, encodeURIComponent(value));
+
+    return result;
   }
 }
diff --git a/packages/uma/src/dialog/BaseNegotiator.ts b/packages/uma/src/dialog/BaseNegotiator.ts
@@ -1,7 +1,7 @@
 import { BadRequestHttpError, ForbiddenHttpError, HttpErrorClass, KeyValueStorage } from '@solid/community-server';
 import { getLoggerFor } from 'global-logger-factory';
 import { randomUUID } from 'node:crypto';
-import { WEBID } from '../credentials/Claims';
+import { getOriginalClaimValue, WEBID } from '../credentials/Claims';
 import { Verifier } from '../credentials/verify/Verifier';
 import { NeedInfoError, RequiredClaim } from '../errors/NeedInfoError';
 import { getOperationLogger } from '../logging/OperationLogger';
@@ -58,11 +58,12 @@ export class BaseNegotiator implements Negotiator {
     // ... on success, create Access Token
     if (resolved.success) {
       const partial = this.isPartialResult(updatedTicket.permissions, resolved.value);
+      const tokenSub = getOriginalClaimValue(updatedTicket.provided, WEBID);
 
       // Retrieve / create instantiated policy
       const { token, tokenType } = await this.tokenFactory.serialize({
         permissions: resolved.value,
-        ...(typeof updatedTicket.provided[WEBID] === 'string' ? { sub: updatedTicket.provided[WEBID] } : {}),
+        ...(typeof tokenSub === 'string' ? { sub: tokenSub } : {}),
       });
       this.logger.debug(`Minted token ${JSON.stringify(token)}`);
 
diff --git a/packages/uma/src/dialog/ContractNegotiator.ts b/packages/uma/src/dialog/ContractNegotiator.ts
@@ -1,6 +1,6 @@
 import { createErrorMessage, KeyValueStorage } from '@solid/community-server';
 import { getLoggerFor } from 'global-logger-factory';
-import { WEBID } from '../credentials/Claims';
+import { getOriginalClaimValue, WEBID } from '../credentials/Claims';
 import { Verifier } from '../credentials/verify/Verifier';
 import { RequiredClaim } from '../errors/NeedInfoError';
 import { ContractManager } from '../policies/contracts/ContractManager';
@@ -149,11 +149,13 @@ export class ContractNegotiator extends BaseNegotiator {
     let permissions: Permission[] = Object.values(permissionMap);
     this.logger.debug(`granting permissions: ${JSON.stringify(permissions)}`);
 
+    const tokenSub = getOriginalClaimValue(ticket.provided, WEBID);
+
     // Create response
     const tokenContents: AccessToken = {
       permissions,
       contract,
-      ...(typeof ticket.provided[WEBID] === 'string' ? { sub: ticket.provided[WEBID] } : {}),
+      ...(typeof tokenSub === 'string' ? { sub: tokenSub } : {}),
     };
 
     this.logger.debug(`resolved result ${JSON.stringify(contract)}`);
diff --git a/packages/uma/test/unit/credentials/Claims.test.ts b/packages/uma/test/unit/credentials/Claims.test.ts
@@ -0,0 +1,16 @@
+import { getOriginalClaimValue, ORIGINAL, WEBID } from '../../../src/credentials/Claims';
+
+describe('Claims', (): void => {
+  describe('#getOriginalClaimValue', (): void => {
+    it('prefers original claim values when present.', async(): Promise<void> => {
+      expect(getOriginalClaimValue({
+        [WEBID]: 'http://example.com/id/user',
+        [ORIGINAL]: { [WEBID]: 'user' },
+      }, WEBID)).toBe('user');
+    });
+
+    it('falls back to top-level claim values.', async(): Promise<void> => {
+      expect(getOriginalClaimValue({ [WEBID]: 'http://example.com/id/user' }, WEBID)).toBe('http://example.com/id/user');
+    });
+  });
+});
diff --git a/packages/uma/test/unit/credentials/verify/IriVerifier.test.ts b/packages/uma/test/unit/credentials/verify/IriVerifier.test.ts
@@ -1,5 +1,5 @@
 import { Mocked } from 'vitest';
-import { CLIENTID, WEBID } from '../../../../src/credentials/Claims';
+import { CLIENTID, ORIGINAL, WEBID } from '../../../../src/credentials/Claims';
 import { Credential } from '../../../../src/credentials/Credential';
 import { IriVerifier } from '../../../../src/credentials/verify/IriVerifier';
 import { Verifier } from '../../../../src/credentials/verify/Verifier';
@@ -42,6 +42,10 @@ describe('IriVerifier', (): void => {
     await expect(verifier.verify(credential)).resolves.toEqual({
       [WEBID]: 'http://example.com/id/webId',
       [CLIENTID]: 'http://example.com/id/clientId',
+      [ORIGINAL]: {
+        [WEBID]: 'webId',
+        [CLIENTID]: 'clientId',
+      },
       fruit: 'http://example.org/apple',
     });
     expect(source.verify).toHaveBeenCalledTimes(1);
diff --git a/packages/uma/test/unit/dialog/BaseNegotiator.test.ts b/packages/uma/test/unit/dialog/BaseNegotiator.test.ts
@@ -1,6 +1,6 @@
 import { ForbiddenHttpError, KeyValueStorage } from '@solid/community-server';
 import { Mocked } from 'vitest';
-import { WEBID } from '../../../src/credentials/Claims';
+import { ORIGINAL, WEBID } from '../../../src/credentials/Claims';
 import { ClaimSet } from '../../../src/credentials/ClaimSet';
 import { Verifier } from '../../../src/credentials/verify/Verifier';
 import { BaseNegotiator } from '../../../src/dialog/BaseNegotiator';
@@ -189,6 +189,26 @@ describe('BaseNegotiator', (): void => {
     });
   });
 
+  it('prefers the original WEBID claim over the normalized value for token sub.', async(): Promise<void> => {
+    ticketingStrategy.validateClaims.mockResolvedValueOnce({
+      ...ticket,
+      provided: {
+        [WEBID]: 'http://example.com/id/user',
+        [ORIGINAL]: {
+          [WEBID]: 'user',
+        },
+      },
+    });
+
+    await expect(negotiator.negotiate({ ...input, claim_token: 'token', claim_token_format: 'format' })).resolves
+      .toEqual({ access_token: 'token', token_type: 'type' });
+
+    expect(tokenFactory.serialize).toHaveBeenLastCalledWith({
+      permissions: [ { resource_id: 'id1', resource_scopes: [ 'scope1' ] } ],
+      sub: 'user',
+    });
+  });
+
   it('includes partial=true when resolved permissions do not cover all requested scopes.', async(): Promise<void> => {
     ticketingStrategy.initializeTicket.mockResolvedValueOnce({
       permissions: [ { resource_id: 'id1', resource_scopes: [ 'scope1', 'scope2' ] } ],
diff --git a/packages/uma/test/unit/dialog/ContractNegotiator.test.ts b/packages/uma/test/unit/dialog/ContractNegotiator.test.ts
@@ -1,6 +1,6 @@
 import { ForbiddenHttpError, KeyValueStorage } from '@solid/community-server';
 import { Mocked, MockInstance } from 'vitest';
-import { WEBID } from '../../../src/credentials/Claims';
+import { ORIGINAL, WEBID } from '../../../src/credentials/Claims';
 import { ClaimSet } from '../../../src/credentials/ClaimSet';
 import { Verifier } from '../../../src/credentials/verify/Verifier';
 import { ContractNegotiator } from '../../../src/dialog/ContractNegotiator';
@@ -152,4 +152,25 @@ describe('ContractNegotiator', (): void => {
       sub: webId,
     });
   });
+
+  it('prefers the original WEBID claim over the normalized value for token sub.', async(): Promise<void> => {
+    ticketingStrategy.validateClaims.mockResolvedValueOnce({
+      ...ticket,
+      provided: {
+        [WEBID]: 'http://example.com/id/user',
+        [ORIGINAL]: {
+          [WEBID]: 'user',
+        },
+      },
+    });
+
+    await expect(negotiator.negotiate({ ...input, claim_token: 'token', claim_token_format: 'format' })).resolves
+      .toEqual({ access_token: 'token', token_type: 'type' });
+
+    expect(tokenFactory.serialize).toHaveBeenLastCalledWith({
+      contract,
+      permissions: [{ resource_id: 'target', resource_scopes: [ 'https://w3id.org/oac#action' ] }],
+      sub: 'user',
+    });
+  });
 });
diff --git a/test/integration/Oidc.test.ts b/test/integration/Oidc.test.ts
@@ -1,6 +1,6 @@
 import { AlgJwk, App, CachedJwkGenerator, MemoryMapStorage } from '@solid/community-server';
 import { setGlobalLoggerFactory, WinstonLoggerFactory } from 'global-logger-factory';
-import { importJWK, SignJWT } from 'jose';
+import { decodeJwt, importJWK, SignJWT } from 'jose';
 import { randomUUID } from 'node:crypto';
 import { createServer, Server } from 'node:http';
 import path from 'node:path';
@@ -156,6 +156,11 @@ describe('A server supporting OIDC tokens', (): void => {
         body: JSON.stringify(content),
       });
       expect(response.status).toBe(200);
+
+      const { access_token } = await response.json() as { access_token: string };
+      const payload = decodeJwt(access_token);
+      expect(payload.sub).toBe(sub);
+      expect(payload.sub).not.toBe(`http://example.com/id/${sub}`);
     });
   });
 
