feat(core): add subject token context to jwt customizer

packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/index.tsx

@@ -5,6 +5,7 @@ import { useState } from 'react';
 import { useFormContext } from 'react-hook-form';
 import { useTranslation } from 'react-i18next';
 
+import { isDevFeaturesEnabled } from '@/consts/env';
 import { type JwtCustomizerForm } from '@/pages/CustomizeJwtDetails/type';
 import {
  environmentVariablesCodeExample,
@@ -78,7 +79,7 @@ function InstructionTab({ isActive }: Props) {
  />
  </GuideCard>
  )}
- {tokenType === LogtoJwtTokenKeyType.AccessToken && (
+ {isDevFeaturesEnabled && tokenType === LogtoJwtTokenKeyType.AccessToken && (
  <GuideCard
  name={CardType.GrantData}
  isExpanded={expendCard === CardType.GrantData}

packages/console/src/pages/CustomizeJwtDetails/utils/config.tsx

@@ -10,6 +10,7 @@ import { type EditorProps } from '@monaco-editor/react';
 import TokenFileIcon from '@/assets/icons/token-file-icon.svg';
 import UserFileIcon from '@/assets/icons/user-file-icon.svg';
 
+import { isDevFeaturesEnabled } from '../../../consts/env.js';
 import type { ModelSettings } from '../MainContent/MonacoCodeEditor/type.js';
 
 import {
@@ -209,10 +210,14 @@ const defaultGrantContext: Partial<JwtCustomizerGrantContext> = {
  },
 };
 
-export const defaultUserTokenContextData = {
- user: defaultUserContext,
- grant: defaultGrantContext,
-};
+export const defaultUserTokenContextData = isDevFeaturesEnabled
+ ? {
+ user: defaultUserContext,
+ grant: defaultGrantContext,
+ }
+ : {
+ user: defaultUserContext,
+ };
 
 export const accessTokenPayloadTestModel: ModelSettings = {
  language: 'json',

packages/core/src/oidc/extra-token-claims.ts

@@ -142,6 +142,11 @@
  (await libraries.jwtCustomizers.getUserContext(token.accountId))
  );
 
+ const subjectToken =
+ isTokenClientCredentials || token.gty !== GrantType.TokenExchange
+ ? undefined
+ : await trySafe(async () => queries.subjectTokens.findSubjectToken(token.grantId));
+
  const payload: CustomJwtFetcher = {
  script,
  environmentVariables,
@@ -150,10 +155,20 @@
  ? { tokenType: LogtoJwtTokenKeyType.ClientCredentials }
  : {
  tokenType: LogtoJwtTokenKeyType.AccessToken,
  // TODO (LOG-8555): the newly added `UserProfile` type includes undefined fields and can not be directly assigned to `Json` type. And the `undefined` fields should be removed by zod guard.
  // `context` parameter is only eligible for user's access token for now.
- // eslint-disable-next-line no-restricted-syntax
- context: { user: logtoUserInfo as Record<string, Json> },
+ context: {
+ // eslint-disable-next-line no-restricted-syntax
+ user: logtoUserInfo as Record<string, Json>,
+ ...conditional(
+ subjectToken && {
+ grant: {
+ type: GrantType.TokenExchange,
+ subjectTokenContext: subjectToken.context,
+ },
+ }
+ ),
+ },
  }),
  };
 

packages/integration-tests/src/__mocks__/jwt-customizer.ts

@@ -1,4 +1,4 @@
-import type { AccessTokenPayload, ClientCredentialsPayload } from '@logto/schemas';
+import { type AccessTokenPayload, type ClientCredentialsPayload } from '@logto/schemas';
 
 const standardTokenPayloadData = {
  jti: 'f1d3d2d1-1f2d-3d4e-5d6f-7d8a9d0e1d2',