@Override
public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
OAuth2AccessTokenEntity token = (OAuth2AccessTokenEntity) accessToken;
OAuth2Request originalAuthRequest = authentication.getOAuth2Request();
String clientId = originalAuthRequest.getClientId();
ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
JWTClaimsSet claims = new JWTClaimsSet();
claims.setAudience(Lists.newArrayList(clientId));
claims.setIssuer(configBean.getIssuer());
claims.setIssueTime(new Date());
claims.setExpirationTime(token.getExpiration());
claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);
jwtService.signJwt(signed);
token.setJwt(signed);
/**
* Authorization request scope MUST include "openid" in OIDC, but access token request
* may or may not include the scope parameter. As long as the AuthorizationRequest
* has the proper scope, we can consider this a valid OpenID Connect request. Otherwise,
* we consider it to be a vanilla OAuth2 request.
*
* Also, there must be a user authentication involved in the request for it to be considered
* OIDC and not OAuth, so we check for that as well.
*/
if (originalAuthRequest.getScope().contains("openid")
&& !authentication.isClientOnly()) {
String username = authentication.getName();
UserInfo userInfo = userInfoService.getByUsernameAndClientId(username, clientId);