jjbohn · harmjanblok · Jun 21, 2016
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
@@ -60,7 +60,10 @@ class OpenIDConnect
       end
 
       extra do
-        {raw_info: user_info.raw_attributes}
+        {
+          raw_info: user_info.raw_attributes,
+          id_token: id_token.raw_attributes
+        }
       end
 
       credentials do
@@ -174,6 +177,9 @@ def decode_id_token(id_token)
         ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key)
       end
 
+      def id_token
+        decode_id_token(access_token.id_token)
+      end
 
       def client_options
         options.client_options

diff --git a/test/lib/omniauth/strategies/openid_connect_test.rb b/test/lib/omniauth/strategies/openid_connect_test.rb
@@ -59,6 +59,7 @@ def test_callback_phase(session = {}, params = {})
 
     id_token = stub('OpenIDConnect::ResponseObject::IdToken')
     id_token.stubs(:verify!).with({:issuer => strategy.options.issuer, :client_id => @identifier, :nonce => nonce}).returns(true)
+    id_token.stubs(:raw_attributes)
     ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
 
     strategy.unstub(:user_info)
@@ -102,6 +103,7 @@ def test_callback_phase_with_discovery
 
     id_token = stub('OpenIDConnect::ResponseObject::IdToken')
     id_token.stubs(:verify!).with({:issuer => 'https://example.com/', :client_id => @identifier, :nonce => nonce}).returns(true)
+    id_token.stubs(:raw_attributes)
     ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
 
     strategy.unstub(:user_info)
@@ -202,7 +204,23 @@ def test_info
   end
 
   def test_extra
-    assert_equal({ raw_info: user_info.as_json }, strategy.extra)
+    id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+    id_token.stubs(:verify!).returns(true)
+    id_token.stubs(:raw_attributes).returns(iss: 'https://example.com', sub: 'sub123')
+    ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+
+    access_token = stub('OpenIDConnect::AccessToken')
+    access_token.stubs(:id_token)
+    client.expects(:access_token!).returns(access_token)
+
+    extra = {
+      raw_info: user_info.as_json,
+      id_token: {
+        iss: 'https://example.com',
+        sub: 'sub123'
+      }
+    }
+    assert_equal(extra, strategy.extra)
   end
 
   def test_credentials
@@ -212,6 +230,7 @@ def test_credentials
 
     id_token = stub('OpenIDConnect::ResponseObject::IdToken')
     id_token.stubs(:verify!).returns(true)
+    id_token.stubs(:raw_attributes)
     ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
 
     access_token = stub('OpenIDConnect::AccessToken')
@@ -302,6 +321,7 @@ def test_option_client_auth_method
 
     id_token = stub('OpenIDConnect::ResponseObject::IdToken')
     id_token.stubs(:verify!).with({:issuer => strategy.options.issuer, :client_id => @identifier, :nonce => nonce}).returns(true)
+    id_token.stubs(:raw_attributes)
     ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
 
     HTTPClient.any_instance.stubs(:post).with(