@rorymurphy

Per the docs, it appears any claims added to the request in the request validator should appear in the JWT access token. Presently, these claims appear to be ignored.

Fixes #926

Copilot AI left a comment

Pull request overview

This PR fixes issue #926 by ensuring that claims specified via request.claims in the request validator are included in the JWT access token, rather than being ignored as they were previously.

Key Changes:

  • Modified signed_token_generator() to merge existing request claims with kwargs-provided claims instead of overwriting them
  • Added test coverage to verify that both request claims and generator kwargs are included in the final token

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| oauthlib/oauth2/rfc6749/tokens.py | Updated signed_token_generator() to preserve and merge existing request.claims with new claims from kwargs, properly handling cases where the attribute doesn't exist or is None |
| tests/oauth2/rfc6749/test_tokens.py | Added test case to verify that both request-level claims and generator-level claims are correctly merged and passed to the JWT generation function |
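
The behaviour change summarised above, as an added stand-alone sketch that is not oauthlib's code and not part of this pull request. `sign_stub`, `overwriting_generator` and `merging_generator` are hypothetical names, the claim values are constructed, and letting generator kwargs win on a key collision is an assumption, since the page does not state the precedence.

```python
from types import SimpleNamespace


def sign_stub(private_pem, request):
    # Stand-in for the JWT signing step: returns the claims that would be
    # signed, so the example runs without a key or a JWT library.
    return dict(request.claims)


def overwriting_generator(private_pem, **kwargs):
    """Behaviour reported in the issue: validator-set claims are discarded."""
    def generate(request):
        request.claims = kwargs
        return sign_stub(private_pem, request)
    return generate


def merging_generator(private_pem, **kwargs):
    """Keep claims already set on the request and add generator-level ones."""
    def generate(request):
        # request.claims may be absent or None if the validator set nothing.
        existing = getattr(request, "claims", None) or {}
        # Assumption: generator kwargs take precedence on a key collision, so
        # operator-configured values such as "iss" cannot be replaced per request.
        request.claims = {**existing, **kwargs}
        return sign_stub(private_pem, request)
    return generate


def demo():
    # Constructed sample: the request validator attached a tenant claim and
    # also tried to set "iss"; the generator is configured with its own "iss".
    def validated_request():
        return SimpleNamespace(claims={"tenant": "acme", "iss": "validator"})

    before = overwriting_generator("pem-placeholder", iss="https://as.example")
    after = merging_generator("pem-placeholder", iss="https://as.example")
    return before(validated_request()), after(validated_request())


if __name__ == "__main__":
    lost, kept = demo()
    print("overwrite:", lost)
    print("merge:    ", kept)
```

Whichever side takes precedence, a test that pins the collision case keeps that decision from changing silently in a later refactor.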

self.assertEqual(result, 0)

@mock.patch("oauthlib.common.generate_signed_token")
def test_signed_token_generator_repsects_request_claims(self, common_generate):

Copilot AI Dec 8, 2025

Spelling error in test method name: "repsects" should be "respects".

Suggested change
def test_signed_token_generator_repsects_request_claims(self, common_generate):
def test_signed_token_generator_respects_request_claims(self, common_generate):

Development

Successfully merging this pull request may close these issues.

signed_token_generator does not include claims from request.claims.